National Cybersecurity Strategy to address cyber threats; make digital ecosystem defensible, resilient, values-aligned

The U.S. administration published on Thursday a National Cybersecurity Strategy that identifies a deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. It also imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in disrupting hackers and state-sponsored entities.

President Joe Biden said that the strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace. It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations. He added that the administration will realign incentives to favor long-term investments in security, resilience, and promising new technologies.

The National Cybersecurity Strategy seeks to build and enhance collaboration around five pillars – Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. Each effort requires greater levels of collaboration across stakeholder communities, including the public sector, private industry, civil society, and international allies and partners.

The document also assessed that malicious cyber activity has evolved from nuisance defacement to espionage and intellectual property theft, to damaging attacks against critical infrastructure, to ransomware attacks and cyber-enabled influence campaigns designed to undermine public trust in the foundation of our democracy. “Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible. These tools and services empower countries that previously lacked the ability to harm U.S. interests in cyberspace and enable a growing threat from organized criminal syndicates,” it added.

Commenting on the National Cybersecurity Strategy, Jen Easterly, CISA director, wrote in a statement that the National Cybersecurity Strategy is an important step forward in building a more secure cyberspace. “In today’s ever-increasingly digitized world, we face dynamic and evolving threats to the critical infrastructure that underpins much of our daily lives. That’s why the Biden-Harris administration has prioritized cybersecurity as a national security issue, and this strategy represents both the progress we have made and the work that remains.”

Easterly added that as the nation’s cyber defense agency, “CISA’s core mission supports a number of the pillars listed in the strategy, including defending critical infrastructure, helping shape market forces to drive security and resilience, and investing in a resilient future.”

Alejandro Mayorkas, secretary of the Department of Homeland Security, wrote in a statement that this National Cybersecurity Strategy establishes a clear vision for a secure cyberspace. “The Department of Homeland Security continuously evolves to counter emerging threats and protect Americans in our modern world. We will implement the President’s vision outlined in this Strategy, working with partners across sectors and around the globe to provide cybersecurity tools and resources, protect critical infrastructure, respond to and recover from cyber incidents, and pave the way for a more secure future.”

Rep. Bennie G. Thompson, a Democrat from Mississippi and chairman of the Committee on Homeland Security, and Rep. Eric Swalwell, a Democrat from California and a ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, said in a statement that “the National Cybersecurity Strategy released today continues the Biden-Harris Administration’s ambitious approach to cybersecurity and we commend the Office of the National Cyber Director for leading this critical national security effort.” 

“In this Strategy, the Administration has committed to a full-court press – pledging to leverage authorities, capacity, and expertise from agencies across the FCEB, DoD, and Intelligence Community to make our digital ecosystem more resilient and more secure,” according to the legislators. “We support the Administration’s aspirations to better coordinate federal efforts to disrupt malicious cyber campaigns, become a more effective security partner to the private sector, and ensure we are prepared to defend against the threats of the future by investing in R&D and growing a more diverse cyber talent pipeline.”

Mark E. Green, a Republican from Tennessee and chairman of the Committee on Homeland Security, and Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, pointed out in a Thursday statement that it’s no surprise that the administration’s desire for more regulation, bureaucracy, and red tape is a consistent theme in the National Cybersecurity Strategy.

They added that “while this administration has made some progress on the cyber front, there is still much to be done to strengthen our nation’s cyber resilience in the face of ever-complex foreign threats. In his Executive Order on Improving the Nation’s Cybersecurity (EO), Biden appropriately focused his Administration’s efforts on strengthening the posture of Federal Civilian Executive Branch (FCEB) network security and we are glad to see that also reflected in this Strategy. 

“While we’re encouraged by some of the progress of the EO thus far, like the implementation of Zero Trust Architecture across the FCEB, most of what we’ve seen coming out of the White House, including this new Strategy, is a push for more red tape,” the Congressmen said.

“As Chairmen of the Homeland Security Committee and the Cybersecurity and Infrastructure Protection Subcommittee, we plan to exercise strong oversight over the Administration’s operational implementation of the Strategy, particularly the requirements for the Cybersecurity and Infrastructure Security Agency (CISA),” they added. “We are eager to see the implementation plan for this strategy, especially the planned efforts to hopefully ease the regulatory burden on industry while maintaining a strong cybersecurity posture. A strategy is meaningless unless properly implemented, thus we will maintain unwavering focus on CISA as the lead for federal cybersecurity and critical infrastructure resilience as they operationalize the Strategy.”

“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike,” Edgard Capdevielle, CEO at Nozomi Networks, said in a company blog post. “While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces will take time. As it is for most companies in this macroeconomic climate.”

Capdevielle added that “we look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible.”

“The release of this National Cyber Strategy lays out a bold agenda in prioritizing our nation’s cybersecurity and understanding the steps that must be taken to defend our critical infrastructure,” Joshua Corman, vice president for cyber safety strategy at Claroty, wrote in a company blog post. “We look forward to the implementation phase – and to engaging and assisting where we can – partnering with the federal government and Congress on these efforts.”

Aaron Crow, CTO at Industrial Defender, wrote in an emailed statement that “we’re pleased to see continued focus on critical infrastructure and OT cybersecurity in the Biden administration’s national cybersecurity strategy. It’s no surprise that there continues to be a push to raise standards for critical infrastructure, and it’s great to see heightened efforts and progress in improving the visibility of OT assets.”

Crow added that “we need to see more maturity around more in-depth monitoring of those assets, moving beyond device identification and toward understanding everything possible about those endpoints to understand the associated risks, such as software version and configuration settings.” 

He also added that the private and public sectors will need to align on the mindset of adopting security standards for critical infrastructure not just as a compliance exercise, but executing them to the extent needed for actual security.

Fortress Information Security’s CEO and co-founder Alex Santos wrote in an emailed statement that the “Cybersecurity Strategy is a good first step toward a new means of tackling our challenges, but we need to move quickly as time is not on our side. This national imperative requires bold action and commitment to make this a home run. We have done it before, most recently with the CHIPS Act to secure supply chains for the semiconductor industry.”

“We’d like to see more. More funding in the National Defense Authorization Act. More strict adherence to deadlines. More incentive for industries to band together to share critical risk and vulnerability information,” Santos added. “More collaboration and partnership between government and hardware and software providers. More focus on the most critical industries – defense, utilities, and transportation. More support for existing cybersecurity initiatives like Critical Infrastructure Protection standards and the North America Energy Software Assurance Database.”

The success of a strategy like this depends on the policy guard rails and backing from the intelligence community on targeting, Mike Hamilton, CISO of Critical Insight, wrote in an emailed statement. “If the strategy allows for the takedown of criminal infrastructure used for launching denial of service or pushing malware, that’s a good result.” 

“If a nation-state is operating a disinformation campaign from an identifiable network and that campaign is designed to, for example, foment distrust in US elections, policy should allow for takedown although this begins to creep up on what might become an international incident,” Hamilton said. “If a nation-state is using malware to gain access for the purpose of intellectual property theft, it becomes very murky as to what the rules might be. Espionage is commonly conducted by all countries and somewhat considered standard operating procedure, however, espionage and IP theft look very similar.”

Hamilton added that policy would have to limit activities to those deemed defensive, be backed by good intelligence, and achieve specific goals and outcomes. “Part of the difficulty in implementing this policy will be the approval process for takedown and what information is reviewed prior. A mistake could end up damaging private-sector computing or appearing as an offensive act that would lead to escalation. It’s also important to remember that this has always been an arms race, and this policy and practice will likely have the effect of driving criminal operations more fully into compromised systems around the world as an evasive tactic,” he added.

James Campbell, CEO of cloud incident response firm Cado Security, said it’s great to see a framework with a focus on hacking back. “It’s a strong stance for the government to take and it will help make attackers think twice. For sure attackers will have to spend more time and effort to be more cautious and subtle.”

With the new cybersecurity strategy document, the US is taking steps to align itself with other countries such as the UK in authorizing the ability to ‘hack back’ when ‘key services’ (such as critical infrastructure and banks) are struck by foreign threat actors, Tom Cope, CISO of data loss prevention firm Next DLP, said in an emailed statement, noting that the Attorney General of the UK authorized the same behaviour last year.

“The bill is approaching the issues of cyber warfare from two angles, both authorizing retaliation in addition to preventative ‘disrupt and dismantle’ measures to ensure that a foreign government is unable to mount an attack,” Cope said. “Two thoughts come to mind from the details available at the moment. Firstly, which ‘tools’ will be used to mount these attacks? Will there be rules of engagement that only publicly known exploits can be used or will this bill feed a similar situation where organisations like the National Security Agency (NSA) will set up to generate more zero-exploits in order to ‘hack back’ with?”

Cope added that the main issue with this approach is that these exploits do not get reported back to the manufacturer and, if leaked to the public, can have a massive impact, as showcased with EternalBlue and WannaCry. “With this new bill will these leaks of hacking tools become more common? The bill also mentions ‘private companies will be ‘full partners’ … to help repel cyberattacks.’ Will more individuals having access to these tools increase the likeliness of a leak?”

Secondly, Cope said, will this offensive hacking cause the generation of US-specific Tactics, Techniques, and Procedures (TTPs) allowing foreign powers to more easily attribute a cyber attack [to] the US? “At the moment attribution of a cyber attack is not an exact science and this bill could tip the balance from plausible deniability to confirmed attribution,” he added.
