3 Key Takeaways From the US National Cybersecurity Strategy

Earlier in March, the White House published a paper laying out the new cybersecurity strategy for the country moving forward. This paper, titled as the National Cybersecurity Strategy, details key cybersecurity priorities for the government and highlights where the focus should lie for both federal and private entities.

This paper is a guiding document that gives us an idea of what potential regulation, compliance, policy, and areas the government might be considering, prioritizing, and acting on. Companies should get ahead of these potential new shifts, especially if they work with any government organizations or are in a highly regulated or industry mentioned in the paper.

In this article, we’ll go over some of the major details and key takeaways from the report.

Resilience is a key focus

Resiliency takes clear prominence within the document, with the variations of the word showing up nearly 70 times. This is worth distinguishing as it’s significantly distinct from prevention. While there are some preventative measures and efforts laid out, the document as a whole talks about resiliency being the focus of achievement. It highlights the importance of having resilience across government departments, agencies, private organizations, and even throughout key sectors, industries, and cross-national partnerships. The document goes past protection and focuses on the ability to detect, respond, and recover from cyber incidents.

To achieve resilience, the document lays out a number of broad priorities, initiatives, and policies but doesn’t go into any major specifics. It does, however, prioritize and encourage the adoption of existing frameworks developed by NIST and CISA and mentions the need to develop new frameworks across sectors like critical infrastructure.

Coalitions and partnerships on a global scale

Across the five pillars within the document, there’s a pronounced focus on collaboration, partnerships, coalitions, and intelligence sharing.

Some of these have specific directives such as combating ransomware and targeting illicit uses of cryptocurrency that often funnel and feed ransomware attacks. Others are broader and are more focused on outcomes such as:

Improved intelligence sharing.
Better collaboration for proactive threat hunting
Faster communication when it comes to compromises

What’s notable about these initiatives is not only the scope of them but the fact that these are specified to be partnerships across multiple national governments as well as private organizations. Across the entire document, there’s a sense that bringing in private companies will not only be an option but necessary in finding success in these initiatives, potentially opening up new opportunities for private companies to work with government departments.

Place responsibility on companies and manufacturers

One of the more noteworthy elements within the National Cybersecurity Strategy document is how it seeks to place more responsibility on companies and manufacturers for failing to consider cybersecurity within their products, whether it’s software or hardware.

The document specifically highlights IoT device security and acknowledges that many manufacturers lie outside of the US government’s purview. For example, China makes many IoT devices and it would be near impossible for the US to expect foreign manufacturers to comply with their own regulatory standards and/or force companies to use devices made in the US. As a result, it looks to develop a labeling system that details the security within each device.

However, the document looks to also make a major shift towards potentially regulating and/or punishing companies found liable for developing insecure products. Here’s the key quote within Pillar Three, titled “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services”:

Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes…

How this will be implemented is yet to be seen but it is a defining element within this document that many organizations need to be aware of. While supply chain risk management is mentioned in the document, this point specifically may mean that companies who provide software to other companies should be responsible for maintaining the security of their software. This can change how a supply chain attack like the SolarWinds breach is approached by federal investigators and litigators and it also means there may be more stringent regulations and/or punishing fines for app, website, or software providers whether they’re B2B or B2C companies.

While outright regulation or compliance may not be what ends up resulting from this section on liability, the document does mention that a way to enforce this may be to set minimum requirements and standards that companies need to abide by before being able to do business with the government.

If that’s the case, we may see a CCPA or GDPR-like response where the scope of the regulation is so broad and the fines are punishing enough that companies decide it’s best, from a risk management perspective, to follow the regulation across their entire business even if only a subset of the company is interacting with a government department or subject to regulation.

Companies should be prepared of new wave of regulatory action

Between this new cybersecurity strategy and the NIS2 regulatory standard that’s going into effect in Fall 2024, companies need to be ready and prepared for a potential global shift in how companies are expected to secure themselves, their data, and their supply chains.

Resiliency seems to be a clear focus and is already a requirement for cyber insurance providers and many other companies who have developed a clear third-party risk management strategy. If companies haven’t invested or developed a cyber resiliency strategy, they may find themselves out of compliance, unable to procure cyber insurance, limit the number of partners they can work with, and be exposed to cyber attacks.

Given the National Cybersecurity Strategy’s focus on federal-private collaboration, companies may also be able to find new opportunities to work with government departments if there’s an increased willingness, which can open up new audiences and an entirely new market.

However, it’s clear that these regulatory shifts mean that organizations need to prioritize cybersecurity resilience across all aspects of their company. In the case of the National Cybersecurity Strategy, companies need to focus on incorporating cybersecurity within product development. For the incoming NIS2, it means having the required security controls and risk management strategy in place.

Whether your company falls in scope or not, it’s clear that governments are looking to take cybersecurity more seriously and it should be part of your overall strategy to take action sooner than later.