New National Cyber Strategy Asks 'More' from Industry and Government
The new National Cyber Security Strategy focuses on more international partnerships, enhanced baseline regulations and stronger cyberthreat policing.
The federal government aims to fortify the country’s cybersecurity posture across critical infrastructures, outlining its chief policy objectives in the Biden administration’s first National Cybersecurity Strategy expected to be released Thursday.
Previewed in a press call Wednesday, senior administration officials discussed the White House’s goals to protect U.S. digital networks from malicious cyberattacks and ransomware. A major feature of the strategy is raising the minimum requirements for all critical sectors to reduce security risks and harmonize compliance.
Escalating severe cyberattacks against U.S. and global private and public digital networks over the last two years prompted the objectives in the framework.
“This strategy sets forth a bold new vision for the future of cyberspace and the wider digital ecosystem,” said acting National Cyber Director Kemba Walden. “The president's strategy fundamentally reimagines America's cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
The five pillars composing the strategy include defending critical infrastructure, disrupting threat actors, promoting data privacy in technology development stages, increasing federal investments in cyber research and development, and fostering more international partnerships to promote global cyber defense.
Within the strategy's five priority areas, the largest emphasis was placed on protecting critical infrastructure systems, which have been prime targets for malicious cyber actors. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said that the Biden administration has focused on codifying the minimum cybersecurity mandates for this sector, building atop the emphasis for more private sector partnerships and information sharing.
“The Biden administration's fundamental commitment is that Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air water services, even if they are being targeted by our adversaries,” she said.
Harmonizing cybersecurity regulations across each individual critical infrastructure sector, along with new designations for what qualifies as critical infrastructure, is a key part of the strategy’s bid to improve the U.S.’s overall cyber defense posture. A senior administration official at the press briefing said some sectors, such as the electrical grid and nuclear facilities, are more regulated when it comes to implementing cyber protocols. Water management entities, by contrast, currently have fewer cybersecurity mandates to protect their systems.
“There are other sectors where we're looking at similar things and finding ways to close gaps,” the administration official said.
In the coming months, the Environmental Protection Agency will help launch this endeavor by offering a new interpretation of an existing rule requiring water facility owners and operators to incorporate basic cybersecurity protocols into their sanitation surveys.
Beyond critical infrastructure security, the strategy will also change how law enforcement handles cybersecurity breaches.
Neuberger said that part of dismantling organized threat actors will involve treating cybersecurity breaches as national security issues, rather than simply criminal activity. She cited the Federal Bureau of Investigation as a leader in this arena.
The increased intersection of diplomacy and cybersecurity spurred the Biden administration to prioritize collaborations with “like-minded” nations to help counter cyber threats in the current geopolitical arena. Neuberger cited adversary nations—such as Russia and its war on Ukraine, as well as continued tensions between the U.S. and Iran—as backdrops for an increase in malicious cyber activity.
“Cyber threats are fundamentally transnational threats; they cross borders,” she said.
The National Cyber Strategy is the latest major regulatory document issued from the new Office of the National Cyber Director, building atop President Joe Biden’s previous executive order that called for more regulations and vigilance surrounding national cybersecurity.
Matt Hayden, the vice president of General Dynamics Information Technology and former senior advisor to the Director at the Cybersecurity and Infrastructure Security Agency, told Nextgov that the strategy designates leadership from the federal government and that it will also work to safeguard and regulate some private sector entities upon which the American public depends.
“They're going to use existing regulatory options to move the ball on pressuring agencies, and to regulate agencies and organizations in the private sector, to move forward on this safer platform and better controls across the board,” Hayden said. “They are going to use every lever they can pull to get as many private sector organizations that the American people rely on to be more secure from a cyber perspective.”
Walden echoed this, saying that the strategy will look at existing gaps in private industries to help reduce burdens of cybersecurity compliance, such as cost.
“This strategy asks more of industry, but also commits more from the federal government,” Walden said.