The Biden Administration has released its long-awaited National Cybersecurity Strategy that sketches a blueprint for how the federal government plans to deal with the immense volume of cyber threats hitting targets in the public and private sectors and critical infrastructure facilities.
The 35-page document is not law, and the White House does not expect it to pass Congress in its current iteration, but it hopes the document will serve as a guideline for future cyber legislation. Indeed, in its current form it could also set a standard for how third-party companies compete for lucrative federal and private sector contracts, based on legally mandated minimum cybersecurity protections.
Strategy's MSSP Advantage
The document gives managed security service providers (MSSPs) a potentially notable windfall, set up as they are to deliver cyber expertise well beyond what other third-party providers can offer. While the policy paper does not specifically mention MSSPs, the inference and the opportunity are clear for big deals in the public and private sectors.
The bottom-line change is that the proposal relieves individuals, small businesses and local governments of the burden of implementing and protecting their cyber investments. In truth, the White House does not have the power to make the tech sector do anything, but the strategy is much more than ideas and intentions: it can serve as a beacon of where legislative priorities are headed and signal which companies are leading the charge.
Commenting on the strategy during a press briefing, Acting National Cyber Director Kemba Walden said:
“The president’s strategy fundamentally reimagines America’s cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
Walden said that the “biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
She added that laying responsibility on individuals and groups who lack the resources to protect themselves is both “unfair” and “ineffective,” and that vendors are currently rewarded for being “first to market, not secure to market.” Translated, this means the policy asks the tech sector to bake security into its products, similar to the call to action that CISA Director Jen Easterly delivered in remarks last week at Carnegie Mellon University as a lead-in to the cyber policy document.
A Closer Look at the White House Cyber Strategy
Among the key precepts of the document, the White House proposes that legislation be directed at software makers that fail to safeguard their products and services, suggesting that a bill of that magnitude be not merely a stick but also a carrot. The Administration is offering an “adaptable safe harbor framework” to protect companies that follow through on locking down their products against digital sabotage.
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers,” the White House said in the report.
The national cybersecurity strategy is built on what the Administration calls five pillars (abridged and based on a White House fact sheet):
1.) Defend Critical Infrastructure
- Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety
2.) Disrupt and Dismantle Threat Actors
- Strategically employing all tools of national power to disrupt adversaries
- Engaging the private sector in disruption activities through scalable mechanisms
- Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with our international partners
3.) Shape Market Forces to Drive Security and Resilience
- Promoting privacy and the security of personal data
- Shifting liability for software products and services to promote secure development practices
- Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient
4.) Invest in a Resilient Future
- Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure
- Developing a diverse and robust national cyber workforce
5.) Forge International Partnerships to Pursue Shared Goals
- Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition
- Increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis
- Working with our allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services
Cybersecurity Industry Leaders React
A number of cybersecurity providers weighed in on the strategy.
Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, said:
"In Pillar 3, which is likely to be the most controversial, the strategy acknowledges market failures and that voluntary free market forces only get you so far (something I’ve told Congress and the last several administrations). To protect the public good, the federal government intends to use its existing authorities to regulate and incentivize better cybersecurity and resilience of the nation’s critical infrastructure. Where it lacks sufficient statutory authorities, it intends to ask Congress for new authorities."
Cody Cornell, Swimlane co-founder and chief strategy officer, commented:
"While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace."
Edgard Capdevielle, chief executive of ICS/OT cybersecurity company Nozomi Networks, said:
"The National Cyber Strategy's non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult, as it is for most companies in this macroeconomic climate.
"We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible."