National Cybersecurity Strategy sets its eyes on improving security, resilience across critical infrastructure

Reactions to the National Cybersecurity Strategy issued by the U.S. administration have continued to come in, outlining how the government should approach cybercrime, its own defenses, and the private sector’s responsibility for security over the next several years. Charting a roadmap for defending the U.S. from the ever-growing number of cyber threats, the strategy document makes the pivotal case for shifting the burden of cybersecurity onto software and technology developers and away from the individuals, SMBs, and local governments that deploy these technologies.

Laying down five pillars that seek to build and enhance collaboration, the National Cybersecurity Strategy is set to work on defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. Each effort requires greater levels of collaboration across stakeholder communities, including the public sector, private industry, civil society, and international allies and partners.

The National Cybersecurity Strategy calls for two fundamental shifts: rebalancing the responsibility to defend cyberspace and realigning incentives to favor long-term investments. The digital ecosystem’s biggest, most capable, and best-positioned actors – be they in the public or private sectors – can and should assume a greater share of the burden for mitigating cyber risk. When entities across the public and private sectors face trade-offs between temporary fixes and long-term solutions, they must have the resources, capabilities, and incentives to choose the latter.

“The release of the National Cybersecurity Strategy represents a starting point: a launch pad for a digital, interconnected future within the energy sector, and across many other sectors, that is secure, reliable, and resilient,” Puesh Kumar, director at the Office of Cybersecurity, Energy Security, and Emergency Response of the Department of Energy, wrote in a blog post. “CESER is committed to supporting the long-term implementation of this Strategy in partnership with the private sector, academia, State, local, Tribal, and territorial (SLTT) communities, and our international partners. It will take all of us coming together to raise the bar for cybersecurity across the U.S. energy sector.”

Kumar assessed that in the energy sector, “we see an incredible transition taking place: a transition that involves new sources of generation such as wind and solar; new architectures and systems to operate electricity, oil, and natural gas systems more reliably, safely, and efficiently; and new market players to help us charge our electric vehicles, control our thermostats remotely, and move energy from one place to another.”

“The American Hospital Association commends the Biden Administration on this comprehensive National Cybersecurity Strategy, which acknowledges that private sector efforts alone are insufficient to counter the significant cyberthreats we face as a nation,” John Riggi, AHA’s national advisor for cybersecurity and risk, wrote in a LinkedIn post. 

Riggi also said that the “AHA has worked closely with Congress and the Administration, including the FBI, Cybersecurity & Infrastructure Security Agency, and Department of Health and Human Services to underscore the magnitude of the national security threat and public health and safety impact of ransomware attacks on hospitals and health systems. Health care cyberattacks are threat-to-life crimes that disrupt and delay health care delivery, and cybersecurity is a top priority.” 

Riggi added that since 2020, the AHA has urged the federal government to adopt policies similar to those used in the fight against terrorism — utilizing all elements of national power to disrupt and dismantle foreign-based bad actors. “We are pleased that the strategy includes several important ideas such as declaring ransomware attacks as a national security threat; conducting more offensive operations against cyberthreat actors; and implementing software security requirements for software developers.” 

The AHA will continue to work with the hospital field, Congress and the Administration, and other stakeholders to advance and adopt cyber policies that are streamlined, effective, and feasible to implement, Riggi added.

Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security (DHS), wrote in a statement that the Strategy is informed by events such as SolarWinds, Log4J, and the shutdown of Colonial Pipeline due to a ransomware attack, but also by the tactics and techniques of adversarial nations such as China and Russia.

“The Strategy shifts the burden from end users to the Tech Sector and manufacturers, requiring that hardware and software makers make devices more secure by design,” according to Harrell. “Building security into the product from the beginning, rather than a bolt-on after the fact, is a more secure and cost-conscious approach. Of course, it’s not possible to eliminate all defects, but right now there’s little incentive—beyond just general market reputation—to invest in a dramatic reduction of cyber vulnerabilities.”

Harmonizing the regulatory landscape to encourage security over compliance is a must. The current patchwork of regulations is lacking, but significant investments have been made across the industry, Harrell said. “The Biden strategy is only as good as the implementation plan, which is presumably forthcoming. My hope is the Strategy urges conversation at the industry board level and emphasizes cybersecurity as a critical business risk,” he added.

Bob Kolasky, senior vice president for critical infrastructure at Exiger, wrote in a post that “my read of the Strategy is that it is a muscular one and puts a marker down for a busy policy and legislative agenda going forward. There has been a lot of talk of cybersecurity being a shared responsibility over the past several years, but there has not always been a lot of talk about a ‘shared accountability’ model.”

Kolasky added that what the Strategy is trying to do is build the foundation for that shared accountability where the product developer, the end user, and the financial marketplace play a role with the government mandating and incentivizing better performance in a harmonized manner.

Patrick Miller, president and CEO at Ampere Industrial Security, wrote in a company blog post that “probably my favorite thing in the strategy was that OT [operational technology] gets the attention it deserves. OT was mentioned more than once in different areas and was recognized as a very significant weakness if unaddressed.” 

“The strategy also includes elements such as getting rid of legacy technologies (because they can’t apply things like zero trust and modern security controls). Granted, it’s primarily a directive for the federal space, but what’s done there will bleed over into the private sector, and usually fairly quickly,” he added.

Miller also pointed out that software companies would have to institute things like the software bill of materials, or SBOM. “They would have to be able to prove that their software came from where they said it came from. Things like code signing, digital certificates, very strong practices around software development life cycles. Those exist, they’re just not usually being followed well.”

Miller also pointed out that “it would be enforcement of existing software development standards and then provenance software validation standards that are also already out there. The strategy isn’t inventing anything, it’s just enforcing good practice that’s known – and then making the manufacturer liable in the event they are negligent.”

“It’s unlikely that there will be immediate impacts. In 2023, you’ll start seeing the government move in this direction in its usual slow pace,” Miller said. “You’ll begin to see the machinery moving to align with the strategy. We’ll likely see some supporting executive orders, maybe even some other regulatory bodies starting to propose that they get authority. You’ll see some bills, some motions in committees in Congress.”

The National Cybersecurity Strategy sets out a direction to coordinate the alphabet soup of diverse public sector organizations with diverse and overlapping authorities, Juan Andres Guerrero-Saade, senior director of SentinelOne’s threat intelligence and research arm SentinelLabs, wrote in a company blog post. “The strategy emphasizes the need for a cohesive approach to cybersecurity across federal agencies, partnerships with the private sector, and international collaboration to enhance cybersecurity capabilities. By coordinating the resources of the U.S. government, the strategy aims to create a more effective defense against cyber threats,” he added.

Stating that the National Cybersecurity Strategy ‘represents a sea change,’ Alison King, vice president of government affairs at Forescout Technologies, wrote in a LinkedIn post that while it doesn’t abandon voluntarism and market forces to secure critical networks, it looks to replace cyber risk with resilience across critical infrastructure sectors by wielding the federal government’s regulatory power.

“While the strategy seeks new authorities to fill the regulatory gaps across critical infrastructure sectors, given the divided 118th Congress, we’ll likely only see Executive Orders for the remainder of President Biden’s term,” King assesses. “However, it would be a mistake for organizations to assume a pause in congressional action provides them with solace.”

“After the formation of CISA, Colonial Pipeline, and Shields Up many in the community saw this coming,” Ronnie Fabela, co-founder and CTO at SynSaber, wrote in a LinkedIn post. “There may even be fatigue out there amongst asset owners, technicians, vendors and advisors around this very statement in Strategic Objective 1.1: ‘While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.’”

Fabela said it’s been a warning for over a decade: “Establish standards and controls before the government does it for you. While ‘critical infrastructure’ is still widely/poorly defined it’s clear from the document that the government feels forced to do something about cybersecurity in CI. Prepare now, w̶i̶n̶t̶e̶r̶ regulations are coming,” he added.

Debbie Gordon, founder and CEO for live-fire OT/ICS cyberattack simulation training company Cloud Range, wrote in an emailed statement that “while we applaud the administration’s goal to build out our national cyber workforce under Strategic Objective 4.6 and develop our nation’s next generation of cyber talent, it unfortunately doesn’t move the needle on what needs to be done to strengthen the workforce we have today.”

“In any type of life safety field—and that is exactly what cyber security of critical infrastructure represents—the need for ongoing training and readiness is integral. The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state backed APTs, so we can’t depend on a yearly training certificate to be confident that our infrastructure is being protected,” Gordon said. “Requirements for ongoing training that can be measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right people with the right skills to prevent and respond to attacks in place, they can also provide cybersecurity professionals with a clear pathway to expand their careers with the cyberskills that are unique to OT cybersecurity.”

The newly released National Cyber Strategy is a huge step in the right direction for the world in the fight against cybercrime and state-driven adversaries, Moty Kanias, vice president for cyber strategy and alliances for industrial device cybersecurity company NanoLock, wrote in an emailed statement. “We commend the work done by the agencies involved and hope that they will continue to prioritize the security of the nation’s critical infrastructure. It is crucial for allied countries to work together towards cyber supremacy, to fight cyber criminals and to create new cyber security solutions that will tilt the equation.”

Kanias added that adversaries in cyberspace are evolving at an alarming rate and are always looking for new markets to attack. “In fact, manufacturing has become the number one target in the past year, according to reports from leading companies. Protecting critical infrastructure and production lines at the industrial device level is an essential next step beyond today’s requirements for common detection, monitoring and segmentation solutions to address a problem that is becoming increasingly more complex,” he added. 

Robert Booker, chief strategy officer for cybersecurity risk and compliance framework alliance HITRUST, said that the publication of the Biden administration’s national cybersecurity strategy acknowledges the critical and growing importance of digital services across critical infrastructure, which are pervasive in both government and the private sector.

“The use of market forces to support and sustain a safe and secure ecosystem is critical to accelerate innovation and consumer engagement in key areas including healthcare, commerce, and financial services,” he said. “All industries including critical infrastructure exist in a complex threat environment which is dynamic and where security requires collaboration and innovation jointly across and between the government and the private sector.”

“The National Cybersecurity Strategy is an ambitious undertaking focused on cyber defense, resiliency, and defensibility among other outcomes,” according to Booker. “As the Federal Government moves towards mandates for critical infrastructure cybersecurity, we encourage approaches that incentivize American companies to leverage and integrate mature security capabilities from the private sector and that use transparent and continually updated measurement and assurance systems to assess and sustain security capabilities in the face of constantly changing threats.”

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement that he was “elated to see that the National Cybersecurity Strategy is allowing law enforcement to finally take the gloves off. Cybercrime cartels and spies have been operating with relative impunity for decades. I commend the administration on mandating cybersecurity requirements for critical infrastructures (CIs).”

“This will enhance our defensive posture against systemic destructive attacks,” according to Kellermann. “These bold steps coupled with the unprecedented level of information sharing buttress our nation’s national and economic security.”
