3 Key Difference Makers in the New National Cybersecurity Strategy
by John Fraser, Director of Federal Business, Trinity Cyber
In the nearly two months since the Office of the National Cyber Director (ONCD) released the U.S. National Cybersecurity Strategy, the Biden administration has begun to map out the comprehensive blueprint that was promised in order to hold software developers and critical infrastructure to tougher security standards while applying more pressure on bad cyber threat actors.
This blueprint was intended to “mobilize all of us,” recently departed National Cyber Director (NCD) Chris Inglis has said. By “all of us,” he means all levels of government – federal along with state, local and education (SLED) – and private industry.
Inglis, along with acting National Cyber Director Kemba Walden, has also made it clear that this strategy needs to work for everyone, not just those with a cybersecurity or IT job title. To reach this level of consensus, ONCD has engaged with 300 contacts, about two-thirds of them in the private sector.
As the dust has begun to settle, the road ahead for implementing this strategy has gotten clearer, showing the way forward to enact new laws and regulations aimed at helping our Nation prepare for and fight emerging cyber threats in the years to come.
Throughout my career, I have acted as a trusted advisor to numerous Federal Government agencies, providing pragmatic guidance on how to modernize their security posture and protect their organization from evolving cyber threats.
Viewing this strategy through that lens of experience, it is encouraging to see federal agencies and critical infrastructure sectors given actionable instruction by way of newly minted requirements regarding measures they must have in place to defend their networks and systems. Where this strategy differs from those that have preceded it over the course of previous administrations is in its targeted and increased emphasis on regulation, actionable defense, and accountability.
A push for more comprehensive and assertive regulations.
With the release of this strategy, the administration has called for mandatory regulations aimed at three distinct targets in particular: (1) critical infrastructure as defined by CISA; (2) federal agencies; and (3) the software providers who support them both. The overlapping objective is to clean up areas including controls, processes, and vulnerabilities through regulations issued by agency leaders with the authority to do so. And if they don’t have the authority, they can go to Congress to get it.
Expanding a Defend Forward Cyber Strategy.
Not only does the strategy impose mandatory regulations on a wide array of U.S. industries; it also seeks to clarify the processes by which private industry works with the federal government, so that together they can better operate against our collective adversaries as those adversaries seek to do us harm. It invokes the idea of “persistent engagement”—informing both allies and partners about cyber threats in an effort to reduce them over time through increased transparency. It also involves attributing attacks directly to the malicious actors responsible, bringing them into the light and out of the shadows of nation-state actors and foreign adversaries.
Risk Transfer.
The combination of imposed controls and more active partnership with U.S. private companies will not fully suffice. The strategy recognizes this point by starting an important dialogue on the insurability of cyber risk, and on the idea that the federal taxpayer might have to bear the costs of attacks that we are unable to prevent, or to adequately and affordably insure in the free market.
What’s next?
As we await the details of this strategy taking shape, we can look to the specific, actionable direction the Administration has already imposed on itself and on some of our critical infrastructure sectors and software vendors. One of the earliest and most basic forms of online security entailed switching to HTTPS and SSL encryption. Much like the required 2016 transition of federal web domains from ‘HTTP’ to ‘HTTPS’ hosting, the ONCD strategy will likely lead to regulations mandating that certain cybersecurity protocols be implemented across regulated industries and within the software vendors serving them. This is likely to include multi-factor authentication (MFA), data encryption, restricting access to high-privilege credentials, securing and segregating sensitive data, data logging, and likely decryption and more careful, contextual content inspection—much as recent mandates did for the federal government.
It should be emphasized that the overall impact of the latest National Cybersecurity Strategy will depend on how efficiently and effectively the current administration can provide the clear, actionable direction the strategy purports to offer, so as to hold federal agencies, critical infrastructure, and software vendors accountable.
This summer, the issuance of an official NCS Implementation Plan is anticipated, with the White House targeting June 2023. From there, the ONCD is expected to issue further updates in the months and years ahead to track the strategy’s progress and efficacy.
For certain, this will be a long journey. But the ONCD is making a statement: we need to be more aggressive in going after our enemies, while better protecting our businesses and people. It’s always a good idea to get in front of these issues – because we all know our cyber foes here and abroad are doing all they can to stay in front of us.