The US government plans to support laws imposing “clear and robust” limits on the use of personal data under its newly released National Cybersecurity Strategy. The administration also plans to address the “abuse” of virtual currencies to launder ransom payments under the strategy, while further pledging support for “strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth”.
Tell me about this strategy: Released on March 2nd, it aims “to secure the full benefits of a safe and secure digital ecosystem for all Americans”. This will be done by coordinating around five pillars: defending critical infrastructure, disrupting threat actors, creating market incentives for cyber resilience, boosting government investments in cybersecurity, and leveraging international collaborations to achieve cybersecurity goals.
Why does it matter?: The strategy signals how one of the world’s most powerful countries is preparing for a future filled with cyberattacks. The US’ multi-pronged approach highlights how investments, research, diplomacy, and legislation will come together to support its security goals. This is a useful blueprint to have—especially given that the release of India’s own national cybersecurity strategy has been pending for three years despite a flurry of serious cyberattacks on government infrastructure.
How do you achieve all of that?: The US government says two shifts need to happen for this cybersecurity strategy to work. First, the burden of defending cyberspace needs to be rebalanced. That means the responsibility of protecting cybersecurity should shift away from individuals, small businesses, and local governments to organisations that are able to mitigate cyber risks at scale, be they private or Federal government agencies. Secondly, the government should favour long-term investments in cybersecurity. Investing in a cyber-resilient future is as important as mitigating cyber risks today.
Is there more to this than meets the eye?: It wouldn’t be a government policy document if questions about “values” weren’t raised. As President Joe Biden noted in his opening remarks to the strategy:
“We must ensure the Internet remains open, free, global, interoperable, reliable, and secure—anchored in universal values that respect human rights and fundamental freedoms. Digital connectivity should be a tool that uplifts and empowers people everywhere, not one used for repression and coercion. As this strategy details, the United States is prepared to meet this challenge from a position of strength, leading in lockstep with our closest allies and working with partners everywhere who share our vision for a brighter digital future.”
The document also notes that offensive cyberattacks are no longer perpetrated by “a small handful of well-resourced countries”.
“The governments of China, Russia, Iran, North Korea, and other autocratic states with revisionist intent are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms. Their reckless disregard for the rule of law and human rights in cyberspace is threatening U.S. national security and economic prosperity.”
Pillar 1: Defending critical infrastructure
Establishing cybersecurity regulations that support national security: Voluntary approaches to securing critical infrastructure have led to “inadequate and inconsistent” cybersecurity outcomes. Those proactively investing in cybersecurity are insufficiently rewarded by the markets. “Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience,” the US government notes.
- Some basic principles: Regulations should leverage existing cybersecurity frameworks, and be adaptable to adversaries increasing their cyberattack capabilities. Regulators should prioritise adopting secure-by-design principles and define minimum cybersecurity standards, among other factors.
- Harmonising laws: Regulators must work together if cybersecurity regulations conflict with each other or pose too many burdens on cyber defenders. For example, “when necessary, the United States will pursue cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows”.
- Taking stock of cybersecurity costs: Some critical infrastructure sectors can afford to absorb cybersecurity costs. Others can’t without support. The US government encourages regulators to consult with companies on how they’ll resource cybersecurity requirements. The government will also work with Congress on building regulations that account for the costs of cybersecurity implementation.
Deepening public-private collaborations: Defending critical infrastructure from cyber attacks requires a model “that emulates the distributed structure of the Internet”, the government notes. “We will realize this distributed, networked model by developing and strengthening collaboration between defenders through structured roles and responsibilities and increased connectivity enabled by the automated exchange of data, information, and knowledge.”
Integrating Federal cybersecurity centres: The US government must coordinate the departments and agencies collectively in charge of defending critical infrastructure. “Federal Cybersecurity Centers” will drive “intragovernmental coordination” on cybersecurity while also supporting non-federal entities. This collaborative approach should be balanced against the cybersecurity capabilities of other branches of the executive too.
Knowing who’s who: The private sector should know which government agencies to contact and when in the event of a cyber incident. The US government must provide clear guidance on how private sector entities can reach out to Federal agencies and the types of support that can be provided.
Modernising Federal defence systems: The US government will undertake long-term plans to defend and modernise federal systems. This will be done according to the “zero trust principles”—which note that threats have to be countered both within and outside of “traditional network boundaries”. Systems that are indefensible against sophisticated attacks must be replaced or updated. National security systems that store highly sensitive data should also be secured against a wide range of sophisticated threats.
Pillar 2: Disrupting and dismantling actors threatening the US’ interests
Integrating federal disruption efforts: The government’s efforts to target criminal cyber activity should be so “sustained and targeted” that behaving badly becomes unprofitable. What’s more: foreign governments engaging in cyber attacks should no longer see it as an effective way to achieve their “goals”.
Leveraging public-private partnerships: The private sector’s visibility on adversarial activity is often broader than the government’s due to its scale of operations and the rapid “innovation in tooling and capabilities”. Disrupting malicious actors will require more “routine” public-private cooperation between relevant organisations.
Speeding up intelligence sharing: The US government will shore up the “speed and scale” of cyber intelligence sharing to proactively warn cyber defenders and victims that an organisation is being targeted or is already compromised.
Protecting the US’ infrastructure: The government will work with cloud and other Internet infrastructure providers to identify any malicious use of the US’ technology infrastructure. These actors will also work on sharing reports on these events with the government, making it difficult for malicious actors to gain access to US infrastructure, and easier for victims to report abuse. The government’s subtext here: “often, these services are leased through foreign resellers who have multiple degrees of separation from their U.S.-based providers, hindering the ability of those providers to address abuse complaints or respond to legal process from U.S. authorities”.
Defeating ransomware: Ransomware attacks carried out from “safe havens” like Russia, Iran, and North Korea exploit lacklustre cybersecurity practices to extort funds through tools like cryptocurrency, claims the US government. It’ll “employ all elements of national power” to counter this threat using four prongs. First, international cooperation will be leveraged to disrupt the “ransomware ecosystem” and isolate countries providing “safe havens” to criminals. Second, it’ll investigate ransomware crimes and use law enforcement agencies (among others) to disrupt the ecosystem. Third, it’ll bolster the resilience of critical infrastructure. Fourth, it’ll address the abuse of virtual currency to launder ransom payments. The government will also target “the illicit cryptocurrency exchanges on which ransomware operators rely and improve international implementation of standards for combatting virtual asset illicit finance”.
Pillar 3: Creating market incentives for cybersecurity and resilience
Holding data stewards accountable: If organisations don’t responsibly protect data, then those costs are externalised onto “everyday Americans”, the US government argues. It will support legislative efforts imposing clear and robust limits on “the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information”.
Securing the Internet of Things (IoT): IoT devices are insufficiently protected against cyber threats, and often come with advanced capabilities that enable cyberattacks on “critical physical and digital systems”, the US government conclusively notes. It will address these issues through federal R&D on IoT, procurement, and risk mitigation efforts. The government will also advance the idea of “IoT security labels” so that consumers can compare the cybersecurity protections for different products. This may create market incentives to improve cybersecurity practices across the IoT ecosystem.
Shifting liability for insecure technology: While companies making software should be free to innovate, they should also be held liable if they fail to provide the “duty of care” owed to consumers, businesses, or critical infrastructure providers. Shifting liability may drive the market towards producing safer products.
Incentivising cybersecurity through Federal grants: The US government is keen on investing in critical infrastructure that improves the country’s collective cyber resilience. “Federal grant programs offer strategic opportunities to make investments in critical infrastructure that are designed, developed, fielded, and maintained with cybersecurity and all-hazards resilience in mind,” it adds.
Leveraging federal procurement to “improve accountability”: Contracts for vendors selling to the US government can be used to improve cybersecurity. In short: companies will have to follow cybersecurity best practices if they’re contractually bound to them.
Exploring Federal cyber insurance: If a “catastrophic” cyber incident occurs, the US government will have to corral economic aid. Instead of waiting for the ball to drop, the government can consider a “Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market”.
Pillar 4: Investing in a resilient future
Securing the Internet’s foundations: The Internet’s foundations are already vulnerable—building on top of this only increases risk exposure. Current concerns for the government include “Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and the slow adoption of IPv6,” among others. The US government will ensure that its networks have addressed these (and other) pressing security issues. It will also partner with other stakeholders to develop solutions that improve the overall security of the Internet, and unpack why there’s been slow adoption of cybersecurity practices.
Prioritising cybersecurity R&D: Research and development investments aim to secure three technologies that “will prove decisive for US leadership in the coming decade”: clean energy technologies, biotechnologies and biomanufacturing, and computing-related technologies (which includes microelectronics, quantum computing, and artificial intelligence). The government aims to proactively identify potential cyber vulnerabilities and risk-mitigating strategies.
Preparing for a post-quantum future: “Quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today,” the US government warns. In order to protect information from potential quantum attacks, the government will prioritise replacing hardware, services, and software that can be “easily compromised by quantum computers”.
Securing a green future: More interconnected hardware and software solutions are being used as the US transitions towards cleaner energy models. They have the potential to “strengthen the resiliency, safety, and efficiency of the U.S. electric grid”. The government will use this period to proactively integrate cybersecurity into these technologies.
Developing a digital identity ecosystem: The lack of privacy-preserving, secure, and consent-based digital identity solutions is what allows fraud, inequity, and inefficiency to flourish, the US government argues. “Enhanced digital identity solutions” can solve this by making it easier to securely access government benefits and trusted communication networks. They also bring about the possibility of new types of digital contracts and payment systems. The US government will “encourage and enable” investments in such systems.
Strengthening the cyber workforce: The government will expand the national cyber workforce, improve access to cyber education and training, and ensure greater diversity. “the strategy will strengthen and diversify the Federal cyber workforce, addressing the unique challenges the public sector faces in recruiting, retaining, and developing the talent and capacity needed to protect Federal data and IT infrastructure,” the US government argues.
Pillar 5: Leveraging international partnerships to achieve cybersecurity goals
Coalition building: The country will work with allies to develop collaborative law enforcement mechanisms. An example cited: the cybersecurity work undertaken by the “Quad” alliance comprising the US, India, Japan, and Australia. Initiatives include improving sharing of information between emergency response teams and developing a digital ecosystem based on “shared values”.
Strengthening partner capacity: The US will help strengthen the cybersecurity capacities of “like-minded states” globally. Areas of cooperation include securing critical infrastructure, building effective detection and response capabilities, sharing information on cyber threats, diplomatic collaborations, and strengthening law enforcement capacities.
Assist allies during cyberattacks: The US will create policies on when it is in its national interest to support allies and partners targeted by a cyberattack. It’ll develop mechanisms for deploying appropriate resources, and if needed, “rapidly seek to remove existing financial and procedural barriers to provide such operational support”. Better cooperation can also help advance the US’ goals for foreign policy and cybersecurity.
Reinforcing responsible state behaviour through coalitions: Under a renewed diplomatic push, the US plans to hold states accountable if they fail to uphold their commitments towards responsible behaviour. The government will work closely with allies to draft “statements of condemnation with the imposition of strong consequences” to constrain “malicious activities below the threshold of armed conflict”. Examples of these consequences include diplomatic isolation, counter-cyber and law enforcement operations, legal sanctions, and economic costs.
Securing global technology supply chains: The US depends on a network of foreign suppliers for technological equipment, be it raw materials or foreign goods. Depending on “untrusted suppliers” can pose systemic risks to its digital ecosystem. Mitigating this requires long-term public-private collaborations to make global supply chains more trustworthy, secure, resilient, and transparent. These implements should either be developed “at home”, or in collaboration with allies who share the US’ vision of “an open, free, global, interoperable, reliable, and secure Internet”.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.