The new National Cybersecurity Strategy vows to build “a more defensible and resilient digital ecosystem” through “generational investments” in cyber infrastructure, increased digital diplomacy and private-sector partnerships, regulation of critical sectors, and allowing software firms to be held liable if their products hold the door open for hackers.
“This National Cybersecurity Strategy establishes a clear vision for a secure cyberspace,” Homeland Security Secretary Alejandro Mayorkas said. “The Department of Homeland Security continuously evolves to counter emerging threats and protect Americans in our modern world. We will implement the president’s vision outlined in this strategy, working with partners across sectors and around the globe to provide cybersecurity tools and resources, protect critical infrastructure, respond to and recover from cyber incidents, and pave the way for a more secure future.”
The new, long-anticipated strategy, which builds on previous cybersecurity executive orders and replaces the 2018 National Cyber Strategy, was expected to be more aggressive on regulations to better protect vulnerable sectors as well as on offensive actions to go after independent and nation-state hackers.
“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the strategy states. “Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
The strategy says it is driven by “a new phase of deepening digital dependencies,” the growing complexity of software and systems, artificial intelligence “which can act in ways unexpected to even their own creators,” accelerating global interconnectivity, digital operational technology, advanced wireless technologies, the Internet of Things (IoT), and space-based assets that make “cyberattacks inherently more destructive and impactful to our daily lives.”
Offensive hacking tools and services are more widely accessible and “enable a growing threat from organized criminal syndicates” as well as empowering China, Russia, Iran, North Korea, “and other autocratic states with revisionist intent.”
“The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so,” the strategy notes.
The National Cybersecurity Strategy is built on five pillars: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.
“Each effort requires unprecedented levels of collaboration across its respective stakeholder communities, including the public sector, private industry, civil society, and international allies and partners,” the strategy says, stressing that “two fundamental shifts” need to occur in “how the United States allocates roles, responsibilities, and resources in cyberspace.”
Noting that individuals, small businesses, state and local governments, and infrastructure operators have limited resources for digital defense but can adversely impact national security if they fall victim to a cyber attack, the strategy emphasizes that “across both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient… together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.”
The second shift involves realigning incentives to favor long-term investments in cybersecurity and “achieve unity of effort in a collaborative, equitable, and mutually beneficial manner” in which “the Federal Government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.”
“Building security into the product from the beginning, rather than a bolt-on after the fact is a more secure and cost-conscious approach,” former DHS Assistant Secretary for Infrastructure Protection Brian Harrell told HSToday. “Of course, it’s not possible to eliminate all defects, but right now there’s little incentive — beyond just general market reputation — to invest in a dramatic reduction of cyber vulnerabilities.”
To focus on the critical infrastructure pillar, the strategy calls for building “new and innovative capabilities that allow owners and operators of critical infrastructure, Federal agencies, product vendors and service providers, and other stakeholders to effectively collaborate with each other at speed and scale.” This includes establishing cybersecurity regulations in critical sectors, harmonizing and streamlining new and existing regulations, helping regulated entities absorb cybersecurity costs, enhancing public-private collaboration including data sharing, strengthening and improving integration of Federal Cybersecurity Centers, updating the National Cyber Incident Response Plan (led by CISA), and modernizing federal systems while developing a plan through NSA to enhance defense of national security systems.
“If the government is going to put regulatory mandates for cybersecurity on private entities, it should start with the most critical entities,” Bob Kolasky, who led the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center as one of CISA’s assistant directors, told HSToday. “A key element of this, however, is not just requirements on entities themselves but also the technologies that underpin critical infrastructure – such as cloud service providers and industrial control systems as well as critical software.”
The second strategy pillar is centered on using “all instruments of national power to disrupt and dismantle threat actors,” including diplomatic, information, military (kinetic and cyber), financial, intelligence, and law enforcement capabilities. This includes integration and increased volume and speed of “sustained and targeted” disruption campaigns, strengthening partnerships with and within the private sector, increasing the “speed and scale of intelligence sharing and victim notification” including a federal review of declassification policies and processes, working with cloud and other internet infrastructure providers “to quickly identify malicious use of U.S.-based infrastructure” and share reports, and countering ransomware by “mounting disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable,” including targeting illicit cryptocurrency exchanges.
The third pillar, shaping market forces to drive security and resilience, includes goals to “drive the development of more secure connected devices,” to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks,” and to use federal purchasing power and grant-making “to incentivize security.” To reach these goals, the strategy says it “supports legislative efforts” to limit personal data collection, will “continue to improve IoT cybersecurity through Federal research and development (R&D), procurement, and risk management efforts,” will work with Congress and the private sector “to develop legislation establishing liability for software products and services” and “shape standards of care for secure software development,” will use federal grants and other incentives to build in security, will ensure that “contract requirements for cybersecurity are strengthened and standardized across Federal agencies,” and will explore “the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.”
“What the strategy is trying to do is build the foundation for that shared accountability where the end user, the product developer, and the customer all play a role with government mandating and incentivizing better performance,” Kolasky said.
A senior administration official told reporters Wednesday that shifting liability is seen “as a long-term process” in which they need to begin by “working with industry to really establish what better software development practices look like, work to implement those, work to articulate those, and then work with industry and Congress to establish what some kind of liability shield for the adoption of those practices would look like — but we don’t anticipate that this is something where we’re going to see a new law on the books within the next year.”
Stressing the decades-long history of “adversaries and malicious actors weaponizing our technology and innovation against us,” the fourth pillar of the strategy aims to ensure that “resilience is not a discretionary element of new technical capabilities but a commercially viable element of the innovation and deployment process.” Getting there, the strategy says, will include securing the technical foundation of the Internet in collaboration with private-sector partners, reinvigorating research and development to proactively prevent and mitigate cyber risks in existing and upcoming technologies, preparing government and private-sector systems for a post-quantum future, encouraging and enabling investments “in strong, verifiable digital identity solutions,” and developing a National Cyber Workforce and Education Strategy.
The fifth pillar of the strategy involves continuing “to engage with countries working in opposition to our larger agenda on common problems while we build a broad coalition of nations working to maintain an open, free, global, interoperable, reliable, and secure Internet.” This digital diplomacy will include building coalitions to counter threats to the digital ecosystem, strengthening the cyber capacity of international partners, expanding the ability of the U.S. to assist allies and partners and “accelerate efforts to expose counter-normative state behavior and impose consequences,” building coalitions to reinforce global norms of responsible state behavior, and securing global supply chains for information, communications, and operational technology products and services.
“Harmonizing the regulatory landscape to encourage security over compliance is a must,” Harrell said. “The current patchwork of regulations is lacking, but significant investments have been made across industry. While a rising tide lifts all boats, we need to ensure acknowledgement of existing robust standards, and not layer more on top.”
The Office of the National Cyber Director (ONCD) is tasked with coordinating implementation of the National Cybersecurity Strategy under the oversight of the National Security Council and working with interagency partners to develop and publish an implementation plan. ONCD and the Office of Management and Budget will also jointly release annual guidance on cybersecurity budget priorities to departments and agencies in support of the strategy’s targeted investment goals.
A senior administration official said they have “begun to implement aspects of the strategy over the last few months” and “anticipate that we will have a public snapshot of the strategy of the implementation plan out in the coming months.”
“Implementation of the strategy can’t just be a U.S. government exercise,” Kolasky said. “I am very interested to see how the administration drives that collaboration on implementation effectively at the same time that it is pushing for additional regulation.”