Biden’s National Cybersecurity Strategy to reimagine cyberspace, shift cybersecurity burden to tech providers

The U.S. administration released a National Cybersecurity Strategy on Thursday, calling for deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. The move serves as a foundation for making cyberspace more inherently defensible, resilient, and aligned with the country’s values. It also imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in disrupting hackers and state-sponsored entities.

“This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace. It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations,” U.S. President Joe Biden wrote in the National Cybersecurity Strategy document. “By working in partnership with industry; civil society; and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and more equitable.” 

“We will realign incentives to favor long-term investments in security, resilience, and promising new technologies,” Biden added. “We will collaborate with our allies and partners to strengthen norms of responsible state behavior, hold countries accountable for irresponsible behavior in cyberspace, and disrupt the networks of criminals behind dangerous cyberattacks around the globe. And we will work with the Congress to provide the resources and tools necessary to ensure effective cybersecurity practices are implemented across our most critical infrastructure.”

A Fact Sheet released by the White House said that the Administration has already taken steps to secure cyberspace and the digital ecosystem, including the National Security Strategy, Executive Order 14028, (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems). It added that expanding on these efforts, the strategy recognizes that ‘cyberspace does not exist for its own end but as a tool to pursue our highest aspirations.’

The National Cybersecurity Strategy seeks to build and enhance collaboration around five pillars – Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. Each effort requires greater levels of collaboration across stakeholder communities, including the public sector, private industry, civil society, and international allies and partners. Furthermore, the pillars organizing the strategy articulate a vision of shared purpose and priorities for these communities, highlight challenges they face in achieving this vision and identify strategic objectives around which to organize their efforts. 

To realize the vision these pillars lay out, the National Cybersecurity Strategy will make two fundamental shifts in how the U.S. allocates roles, responsibilities, and resources in cyberspace. “In realizing these shifts, we aspire not just to improve our defenses, but to change those underlying dynamics that currently contravene our interests.”

The changes include rebalancing the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all stakeholders. 

“Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens. Instead, across both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient,” the National Cybersecurity Strategy laid down. “In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.” 

It added that the government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and conducting disruptive actions to counter cyber threats. “Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.”

Secondly, the National Cybersecurity Strategy covers realignment of incentives to favor long-term investments by striking a careful balance between defending the nation against urgent threats, while planning for and investing in a resilient future. It outlines how the federal government will use all tools available to reshape incentives and achieve unity of effort in a collaborative, equitable, and mutually beneficial manner. 

“We must ensure that market forces and public programs alike reward security and resilience, build a robust and diverse cyber workforce, embrace security and resilience by design, strategically coordinate research and development investments in cybersecurity, and promote the collaborative stewardship of our digital ecosystem,” the National Cybersecurity Strategy outlines. “To achieve these goals, the Federal Government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.”

The Strategy proposes to defend critical infrastructure by delivering confidence in the availability and resilience of critical infrastructure and the essential services it provides. The administration seeks to do this by expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance; enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and defending and modernizing federal networks and updating federal incident response policy.

When it comes to disrupting and dismantling hackers, the National Cybersecurity Strategy said that using all instruments of national power, it will make malicious cyber actors incapable of threatening the national security or public safety of the United States. The administration proposes to do this by strategically employing all tools of national power to disrupt adversaries; engaging the private sector in disruption activities through scalable mechanisms; and addressing the ransomware threat through a comprehensive federal approach and in lockstep with international partners.

The National Cybersecurity Strategy laid down that it will shape market forces to drive security and resilience. The administration said it will place responsibility on those within its digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable to make the digital ecosystem more trustworthy. This will be done by promoting privacy and the security of personal data; shifting liability for software products and services to promote secure development practices; and ensuring that federal grant programs promote investments in new infrastructure that are secure and resilient.

The administration will invest in a resilient future through ‘strategic’ investments and coordinated, collaborative action. It will continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure, including by reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression; prioritizing cybersecurity R&D for next-generation technologies such as post-quantum encryption, digital identity solutions, and clean energy infrastructure; and developing a diverse and robust national cyber workforce.

The National Cybersecurity Strategy also addresses forging international partnerships to pursue shared goals. The U.S. seeks a world where responsible state behavior in cyberspace is expected and reinforced and where irresponsible behavior is isolating and costly, by leveraging international coalitions and partnerships among like-minded nations to counter threats to the digital ecosystem through joint preparedness, response, and cost imposition; increasing the capacity of partners to defend themselves against cyber threats, both in peacetime and in crisis; and working with allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology (OT) products and services.

Realizing the strategic objectives outlined in the National Cybersecurity Strategy will require a strong focus on implementation. The document laid down that, under the oversight of NSC staff and in coordination with OMB, ONCD (Office of the National Cyber Director) will coordinate the implementation of the strategy. ONCD will work with interagency partners to develop and publish an implementation plan to set out the federal lines of effort necessary to implement this strategy. Where the implementation of this strategy requires a review of the existing policy or the development of a new policy, NSC staff will lead this effort through the process described in NSM-2, ‘Renewing the National Security Council System.’

In implementing this strategy, the federal government will take a data-driven approach, measuring investments made, progress toward implementation, and the outcomes and effectiveness of these efforts. The document also laid down that the ONCD, in coordination with NSC staff, OMB, and departments and agencies, will assess the effectiveness of this strategy and report annually to the President, the Assistant to the President for National Security Affairs, and Congress on the effectiveness of this strategy, associated policy, and follow-on actions in achieving its goals.

For federal agencies to support their private sector partners and increase their capacity to carry out essential federal missions, targeted investment will be required. To guide this investment, ONCD and OMB will jointly issue annual guidance on cybersecurity budget priorities to departments and agencies to further the administration’s National Cybersecurity Strategy approach. ONCD will work with OMB to ensure alignment of department and agency budget proposals to achieve the goals set out in the strategy. The administration will work with Congress to fund cybersecurity activities to keep pace with the speed of change inherent within the cyber ecosystem.

Advancing the priorities outlined in Biden’s Executive Order 14028 issued in May 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released in October a Binding Operational Directive to make more measurable progress toward enhancing visibility into assets and associated vulnerabilities across the federal civilian executive branch (FCEB) and the agencies operating those systems. The CISA BOD 23-01 mandates that federal civilian agencies conduct continuous and comprehensive asset visibility and vulnerability enumeration for all IP-addressable networked assets across IPv4 and IPv6 protocols.