Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

US government releases new National Cybersecurity Strategy paper: What’s inside?

The White House has released a far-reaching new National Cybersecurity Strategy, which aims to shake up the way the US and its allies deal with cyber threats while ensuring the digital economy – and the parts of our lives that depend on it – can continue to grow.

user icon David Hollingworth
Fri, 03 Mar 2023
US government releases new National Cybersecurity Strategy paper: What’s inside?
expand image

The strategy strikes a very different tone from the cyber security discussion paper released earlier this week by the Australian government. It takes the position that a functioning internet is an important tool for democracy, and that America’s vision is the only way to protect it.

“We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms,” President Joe Biden writes in the paper’s foreword.

“Digital connectivity should be a tool that uplifts and empowers people everywhere, not one used for repression and coercion.”

The introduction then lays out the baseline data. It describes the internet as it is now, as both a source of opportunity and crisis, and as being ever more important to the day-to-day operation of industry, institutions, businesses, and individuals.

============
============

This section also makes the claim that the internet and its infrastructure as it currently stands is a hindrance to attempts to keep it safe and secure.

“Its components remain prone to disruption, vulnerable to exploitation, and are often co-opted by malicious actors,” the strategy says.

Emerging trends and the growing number of threat actors in the space are also addressed, with COVID-19 singled out as the driving force behind an ever more digital world. The countries that America feels pose the most threat are singled out – Russia, China, Iran, and North Korea all make the cut, along with “other autocratic states with revisionist intent.”

China is particularly called out as a nation with growing cyber capability and the will to use it.

“Over the last ten years, it has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten US interests and dominate emerging technologies critical to global development,” the strategy asserts.

Finally, criminal operators are addressed, with ransomware losses mounting to billions of dollars each year. A particular issue is that of threat actors operating outside of nations who do not cooperate with US law enforcement agencies.

The strategy then lays out the five pillars that the entire framework is to revolve around:

  1. Defend critical infrastructure
  2. Disrupt and dismantle threat actors
  3. Shape market forces to drive security and resilience
  4. Invest in a resilient future, and
  5. Forge international partnerships to pursue shared goals

However, before those pillars can even be addressed, the country must make “two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace”.

The first of these is that the current balance of responsibility needs to swing back in favour of the makers and providers of security products, and away from the individual.

“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” the strategy says. “Today end users bear too great a burden for mitigating cyber risks.”

The core principle is that data protection must be the responsibility of those who hold the data, and that the government alone can only – and should only – go so far.

The next point that must be addressed is the need to shift to longer-term thinking when it comes to investments in cyberspace. Again, it’s a matter of achieving the right balance, although this time is between defending the infrastructure we have now and building a more “defensible and resilient” infrastructure of the future.

The five pillars
A lot of work is already being put into defending the critical infrastructure of the United States, but the work needs to be ongoing, and more efficiently managed.

Collaboration is the key principle here, so that risk and responsibility can be spread equally across all entities in the digital ecosystem. To this end the federal government has been engaging with various sectors of industry to create regulations that are clear and easy to follow, and that provide greater protection to operations.

This collaboration needs to be high-speed, and when incidents occur, responses must be equally swift and coordinated. And of course the government must work to keep itself secure at the same time, through zero trust architectures and updated IT systems.

While the first pillar is largely defensive in nature, the second is purely offensive.

“The United States will use all instruments of national power to disrupt and dismantle threat actors who threaten our interests,” the strategy says. “These efforts may integrate diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities.”

But more can be done. The new strategy calls for more cooperation between public and private sector agencies when it comes to intelligence sharing, and for future law enforcement operations to be done in a more integrated manner between its own agencies.

One of the key parts of this pillar is defeating ransomware.

“The administration is committed to mounting disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable,” the strategy says. A fine goal, but one that will be contested at all turns by the threat actors being targeted.

Targeting cryptocurrency exchanges where money can be laundered will be a key strategy in this instance, as will introducing international standards as to how such exchanges and other institutions can be operated.

The third pillar is about creating a market that promotes security and responsibility first. This pillar outright recognises that the market, such as it is today, has not been enough to protect consumers. To change this, the government will create a legislative framework that holds “the stewards of data accountable”, while also rewarding those organisations that succeed.

“We will use Federal purchasing power and grant-making to incentivise security,” the strategy says. “And we will explore how the government can stabilise insurance markets against catastrophic risk to drive better cyber security practices.”

Investing in a resilient future is the fourth pillar, and here investment R&D, education, and innovation are paramount. To that end the United States must maintain and secure the “technical foundation” of the internet.

This will involve the National Science Foundation’s Regional Innovation’s engine program, the Secure and Trustworthy Cyberspace program, as well as new grants and funding programs established across a raft of Federal Acts, and various Federal research structures.

The new strategy also states the importance of protecting new IP and technologies.

“Decades of adversaries and malicious actors weaponising our technology and innovation against us … has demonstrated that leadership in innovation without security is not enough,” the strategy says. The aim of the game here is to “out-innovate” competitors, and produce better cyber security strategies and technologies sooner, and deploy them faster.

Finally, the fifth pillar of the strategy is all about partnerships, and making partnering with the US an attractive proposition. The country will engage with countries that do not share its values regarding cyberspace, in an effort to change hearts and minds, while still building a “broad coalition of nations” that share the same fundamental values that the internet should be free and open.

This involves cooperation with various United Nations working groups while upholding international conventions such as the Budapest Convention on Cybercrime.

Again, China is called out as just such a nation opposed to the United State’s principles. The US effectively – without saying in so many words – plans to freeze out such autocratic nations by working with international partners, expanding coalitions, and reinforcing international law.

To this end, the US aims to “uphold globally accepted and voluntary norms of responsible state behaviour in peacetime, and punish those that engage in disruptive, destructive, and destabilising malicious cyber-activity.”

There is of course a lot more to the 30-plus page document, and it is well worth reading in its entirety. You can find a PDF here.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.