The New National Cybersecurity Strategy: A Pivot from Market to Government-Driven Forces

The New National Cybersecurity Strategy: A Pivot from Market to Government-Driven Forces

By Alison King, VP of Government Affairs

The Biden Administration's long-awaited National Cybersecurity Strategy has arrived. It represents a sea change: while it doesn’t abandon voluntarism and market forces to secure critical networks, it looks to replace cyber risk with resilience across critical infrastructure sectors by wielding the federal government's regulatory power. What can those sectors – and individual organizations within them – expect next?

While the strategy seeks new authorities to fill the regulatory gaps across critical infrastructure sectors, given the divided 118th Congress, we’ll likely only see Executive Orders for the remainder of President Biden’s term. However, it would be a mistake for organizations to assume a pause in congressional action provides them with solace. In advance of new mandates, there are many things that impacted organizations can start doing now to prepare. They include engaging in the rule-making process to avoid conflicting regulations, adjusting their staffing model to acknowledge the persistent cyber talent shortage, and evaluating their tools to ensure they adhere to security frameworks, industry standards, and regulations.

What Does the Strategy Get Right?

Given the national damage that resulted from the one-two-three punch of the SolarWinds breach, the Colonial Pipeline attack, and the proliferation of ransomware as a service (which ripped through hospitals, school systems, and municipalities during the COVID-19 pandemic) no one should be surprised that regulation is the soupe du jour. While expanding cybersecurity regulations will invite opposition, it's essential to recognize that the five pillars are designed to produce resilience through a data-driven approach.

The Office of the National Cyber Director deserves credit for collaborating with industry leaders to capture the foundational elements required to make the nation more resilient to cyberattacks. The pivot from a market-driven to a government-driven approach built on working closely with industry partners to develop real solutions is much more conducive to establishing resilience at the national level. The strategy’s pillars lay the foundation for increased public-private collaboration by embracing cybersecurity as a team sport. It's not something that only a few sectors or the government can provide independently.

Acknowledging that the federal government needs to get its “regulatory house” in order is a necessary first step, which requires industry partners have a seat at the table to ensure compliance moving forward. The Bipartisan Policy Center’s Top Risks in Cybersecurity 2023 report identifies conflicting cybersecurity regulations as one of their top “macro risks.” Given the maze of regulatory requirements, companies must be careful not to inadvertently overshare their intellectual property when looking to comply with rules across multiple jurisdictions. A big test for the federal government will take place when the Cybersecurity Infrastructure Security Agency (CISA) issues its Final Rule containing the regulatory requirements for The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCA) in the fall of 2025.

Critical Next Steps

People

Recruiting, developing, and retaining a cyber workforce capable of defending our digital ecosystem takes time and resources. According to data from CyberSeek’s “Cybersecurity Supply/Demand Heat Map," the U.S. has a real-time deficit of over 700,000 cyber professionals. While the cybersecurity workforce shortfall isn't a new problem, it's a serious one that has impacted organizations for over a decade. In June 2022, the Cyberspace Solarium Commission 2.0 released a report titled Workforce Development Agenda for the National Cyber Director. "The pervasiveness of avoidable cyber problems such as misconfigured systems, slow patching, and insufficient attention to risk management can frequently be directed to cyber staffing shortages.”

Hiring managers need to revise their approach by identifying and removing arbitrary hiring barriers, such as requiring entry-level cyber professionals to have a four-year degree. In the same Cyberspace Solarium report cited above, the authors observed, “There are simply not enough people graduating with ‘conventional’ educations from four-year computer science and engineering degree programs to fill the gap need to secure our nation in cyberspace.” Bringing on entry-level talent through apprenticeships with a high school or GED-equivariant degree and a foundational cybersecurity professional certification should be the standard for entry-level employment.

Policy

The White House is determined to safeguard the essential national functions that Americans rely on (16 critical infrastructure sectors) by leveraging existing authorities, issuing new Executive Orders, or asking Congress for new authorities. Recalling the early resistance to seatbelt legislation, James Lewis, a Senior Vice President and director of the Technology and Public Policy Program at the Center for Strategic International Studies (CSIS), captures the White House’s position best in his article from July 2021:

Remember that when Congress passed laws mandating seatbelts, the CEOs of the largest U.S. car companies testified before the Senate that requiring seatbelts would kill the U.S. car industry. They were wrong, and those who oppose cybersecurity regulation are similarly in error.

As the new strategy becomes reality, the private sector must push to ensure that all national cyber regulations include the following:

• A vendor-agnostic approach to ensure the harmonization of rules across federal and state jurisdictions.
• Performance-based standards are incorporated into cybersecurity requirements. Recall when the Transportation Security Agency (TSA) issued its mandatory cybersecurity requirements for pipeline operators that were overly prescriptive, and it didn’t work.
• An understanding that information sharing must be based on courses of action with respect to active threats.
• The ability to apply tailored compliance standards at machine speed.

Tools

While these changes won’t happen overnight, the release of the National Cybersecurity Strategy suggests that the cyber community should expect the list of federal reporting and auditing requirements – such as Command Cyber Readiness Inspections, the Federal Information Security Modernization Act (FISMA), CISA Emergency and Binding Operational Directives, IRS Publication 1075, or CMS MARS-E – will grow. Meeting these compliance standards will raise security across critical networks and make responding to malicious activity from criminals or state actors easier to contain and remediate. When networks meet equivalent standards, security administrators can identify and remediate anomalous activity more quickly, making web operations more resilient to the public that depends on its service.

Compliance does not have to be a four-letter word – if you have the right tools that make keeping a real-time automated reality. Administrators have a lot on their plates, from maintaining a high level of compliance, and security, with the requirement to responding quickly to malicious behavior and limiting damage across critical networks. Tools available today make a discovery, categorization, and cybersecurity posture assessment of devices an automated policy-based process. Administrators no longer must address each device independently – a process that took a tremendous workforce – but can create a policy to find non-compliant assets and orchestrate remediation without human intervention.