“We must make fundamental changes to the underlying dynamics of the digital ecosystem,” the document states.
The strategy would wield new regulations and incentives to push tech companies to create secure products; establish laws limiting data collection and use and strive to build the cybersecurity workforce.
It would also remove adversary countries from the U.S. technology supply chain; promote a more secure Internet and digital identity efforts; and encourage deeper international collaboration on enforcing norms of good cyber behavior, including by disrupting and pursuing cyber attack perpetrators.
The efforts will require international collaboration and close work with the private sector, per the strategy.
Strong cybersecurity is essential to ensuring the continued availability of vital services residents rely on — from clean water to power, said Anne Neuberger, deputy assistant to the president and deputy national security adviser for Cyber and Emerging Technology, speaking during a Center for Strategic and International Studies (CSIS) event yesterday.
SHIFTING CYBER RESPONSIBILITY
The Colonial Pipeline hack that sparked a multistate panic stemmed from attackers obtaining one employee’s password. A single person’s mistake shouldn’t be able to spiral into a crisis of that scale, said Acting National Cyber Director Kemba Walden, during the event. Nor should small entities like individual school districts have to negotiate with sophisticated cyber crime syndicates.
“We expect school districts to go toe to toe with transnational criminal organizations largely by themselves,” Walden said. “This isn't just unfair, it's ineffective.”
Today’s software security environment often expects end users — like state and local government — to shoulder most of the responsibility for evading phishing attempts and otherwise prevent cyber incidents.
Instead, the bulk of the cybersecurity burden should fall on entities with the most resources and influence: the federal government, the tech companies building and maintaining IT systems, and the owners and operators of critical systems and data, per the strategy.
That shift could entail a variety of measures including new regulations; laws holding software companies liable for irresponsible security flaws while offering liability shields to responsible companies; taking civil action against federal contractors that knowingly fail to fulfill cybersecurity obligations and laws curbing how data can be collected, used, transferred and maintained.
Market forces continue to reward companies that introduce products quickly over those that wait to release products only once they’re secure.
In this environment, asking companies to voluntarily improve isn’t good enough — they need to be regulated, per the strategy.
The White House aims to minimize any compliance burdens on industry from forthcoming rules. Walden said the goal is to create light-touch, “narrowly targeted” cybersecurity regulations that would be harmonized across sectors and which ask all companies to meet the same level of security. Ideally, companies won’t have to spend much time and money juggling compliance with different sets of regulations and can channel those funds into cybersecurity.
“What we're trying to achieve is a competitive advantage for those that build in security by design,” Walden said. “Right now, we live in the context of ‘first-to-market’ not ‘secure-to-market.’”
Neuberger said the White House has been working to review and pass cybersecurity regulations on each critical infrastructure sector under its authority. It may ask Congress to give it new authorities over other areas, like education and critical manufacturing.
The White House will also encourage state governments and independent regulators to set cybersecurity requirements where they can, “in a deliberate and coordinated manner,” per the strategy.
And regulators will look for ways to help resource-constrained entities comply with new cybersecurity expectations, including considering tax incentives.
Screenshot
DISCOURAGING AND DISRUPTING ATTACKERS
The U.S. aims to use many avenues to put continued pressure on cyber attackers, hoping to make attacks too costly and difficult for perpetrators to want to bother with.
That means everything from seizing illicit cryptocurrency payments and taking down malicious botnets to warning potential victims, and arresting and issuing travel bans on perpetrators.
“We arrest our way out, we pull down the infrastructure and we take money off the table — let’s do that,” Walden said.
Public-private collaborations and international partnerships are key to carrying out such work.
On the international stage, the U.S. aims to work with partners to call out countries that violate cyber norms, and collaborate on law enforcement efforts. The U.S. also will craft policies determining when it will support ally and partner nations that have been hit by significant cyber attacks and to prepare mechanisms for delivering such support.
Screenshot
SECURING AND GUIDING THE INTERNET
The infrastructure underpinning the Internet has weaknesses, and the federal government intends to promote Internet security measures, in part through adopting security improvements to its own network, partnering to develop new solutions and conducting research.
“Many of the technical foundations of the digital ecosystem are inherently vulnerable,” the strategy states. “Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk exposure.”
The White House also aims to play an active role in developing international standards for the Internet, to support U.S. values. Lack of action means authoritarian countries may push their own objectives, potentially leading toward an Internet that better enables “government control, censorship and surveillance,” per the strategy.
Another digital ecosystem goal is investment in secure digital identity solutions to reduce risks of fraudsters abusing digital public services or otherwise carrying out identity thefts. The White House is focused on solutions that promote goals like interoperability, privacy and accessibility, and it gave a nod to states’ efforts to pilot mobile IDs.
As the federal government looks ahead, it also intends to invest in researching potential risks in newer technologies and into plans for mitigating them. It will focus on biotech and biomanufacturing; clean energy; and computing-related technologies like quantum information systems, microelectronics and AI.
WORKFORCE AND NEXT STEPS
Cyber hiring shortages remain a pressing issue and Walden’s Office of the National Cyber Director (ONCD) will lead development — and implementation — of a separate National Cyber Workforce and Education Strategy. That plan will look at ways to improve training opportunities and grow the size and diversity of the cyber workforce.
With the freshly issued cyber strategy in hand, the White House now looks to put it into action.
The strategy calls for meeting its goals by the end of the decade, and Walden said many initiatives for changing the broader landscape — like creating and harmonizing regulations and shifting cybersecurity liability — are multiyear efforts.
Work to enact the strategy is already underway.
“A strategy is only as good as its implementation,” Walden said. “ONCD was built … with the intent of implementing a strategy as robust and as forward leaning as this one.”
