On March 2, the Biden administration released the much anticipated National Cybersecurity Strategy, aimed at protecting the nation’s critical infrastructure, businesses, and citizens from the evolving cyber threat landscape.
With the increasing reliance on technology in every aspect of our lives, and the exponential growth in digital data, cybersecurity has become a national security priority. The new strategy is a call to action: it aims to foster collaboration between government and industry to build a more resilient and secure digital ecosystem, address the evolving nature of cyber threats, and strengthen the country’s cybersecurity defenses.
A strategic complement to federal IT modernization efforts
The strategy outlines several key objectives that will advance the cybersecurity posture at federal agencies, many of which complement ongoing work stemming from the Cybersecurity Executive Order released in May 2021. We encourage the administration to seize on the momentum and fully fund these shared federal IT modernization efforts – such as expanding and modernizing security logging tools and deploying zero-trust architecture throughout federal agencies.
The strategy outlines several important priorities that industry can collaborate on, including:
- Defend U.S. Critical Infrastructure
- Dismantle + Disrupt Threat Actors
- Shape Market Forces to Drive Security + Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
While each pillar is distinct and important, the core and most novel parts of the strategy call for a new approach to protecting our vulnerable critical infrastructure sectors. The strategy calls for industry and government to collaborate in developing regulatory requirements that are both “operationally and commercially viable.” Of course, some agencies already have the ability and existing legal authority to regulate cybersecurity, while others need an act of Congress. Harmonizing these existing frameworks and understanding how the existing voluntary public-private partnership model changes will be a challenge for both industry and government alike.
The shifting role of software companies in U.S. cybersecurity strategy
Another significant policy push, and an area likely to invite robust debate, will be how the government plans to “shape market forces” to help drive security and resilience. Holding software makers accountable for the security of their products is a fundamental shift. As Acting National Cyber Director Kemba Walden said during a press briefing, “The president’s strategy fundamentally reimagines America’s cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.” In exchange for this shift, the strategy describes a “safe harbor” provision for software makers that meet certain security requirements.
As with many things in Washington, the devil is in the details. As this high-level strategy takes shape in the future, it will rely on a host of others to refine, codify, and implement. In such a closely divided Congress, even routine legislation will prove difficult. Fortunately, cybersecurity remains an issue where both sides can often find common ground.
Can CISA harmonize reporting requirements across critical infrastructure sectors?
The government would be the first to admit that there are a lot of challenges around the patchwork of cyber incident reporting requirements that are being imposed on industry. Today, there are nearly two dozen federal agencies that have their own proposed or codified cyber incident and reporting requirements. In addition, new proposals keep surfacing at the federal level, while most U.S. states have individual breach-reporting requirements as well.
Overall, harmonizing cyber incident notification requirements is a complex task that will require close collaboration between the government and industry stakeholders. Fortunately, CISA has managed to build a lot of trust and goodwill with industry over the years through close public-private partnerships – such as the Joint Cyber Defense Collaborative. CISA has already begun work on the rulemaking process to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which was signed into law in March of last year. This requires CISA to work closely with various entities, including Sector Risk Management Agencies, the Department of Justice, other appropriate federal agencies, and a Cyber Incident Reporting Council to be chaired by DHS.
Where federal regulations conflict, duplicate one another, or are overly burdensome, this group should work together to minimize those problems. CISA will also need to work hard to strike the right balance between shoring up reporting requirements and reducing the burden they place on industry.
Looking toward a coordinated government and industry approach
The new National Cybersecurity Strategy is a positive step toward strengthening the nation’s cybersecurity defenses and protecting critical infrastructure from growing cyber threats. However, the strategy’s success will depend on the government’s ability to pass constructive laws and implement the proposed initiatives effectively and in a timely manner. The cyber threat is complex and evolving and requires a comprehensive, coordinated response. It’s important for industry to assist in safeguarding the nation’s security and prosperity in the digital age.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.