When the Biden administration released its eagerly awaited National Cybersecurity Strategy (NCS) in March 2023, the big news was its requirements for potentially increased regulatory oversight and for the private sector to step up.
One major goal of the strategy is to shift responsibility for security away from individuals and small organizations — including state, local, tribal and territorial governments — to those “most capable and best- positioned…to make our digital ecosystem secure and resilient.” That’s primarily the federal government and cloud and infrastructure vendors.
But government has plenty to do under the new guidelines. For starters, NCS calls for accelerating modernization, specifically transitioning from legacy systems to the cloud and speeding up adoption of zero trust.
Specifics of implementation won’t be available until later this year, but here are some ways each pillar may affect you. The key takeaway is that you’ll be collaborating, coordinating and sharing information with other agencies, the private sector and even international allies as never before.
Big Picture
The strategy is designed to drive what it calls two fundamental shifts:
• Rebalance the responsibility to defend cyberspace. In short, individual users have been left to their own devices, making them weak links that malicious actors can exploit to access larger organizations.
• Realign incentives to favor long-term investments. The idea is to find “points of leverage,” or areas where small investments or “minimally invasive actions” could get everyone working toward building for “future resilience.”
“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
US National Cybersecurity Strategy
Pillar 1: Defend Critical Infrastructure
This pillar raises the minimum cybersecurity requirements in critical sectors, such as energy, nuclear, water, aviation and some high-priority manufacturing, whether public or privately owned.
Agencies, especially Sector Risk Management Agencies (SRMAs), will need to coordinate more tightly with CISA and operators of critical infrastructure systems and assets.
Key tactics:
Regulate, but carefully. The administration plans to work with Congress to establish “minimum cybersecurity requirements” and to “mitigate related market failures.”
Broaden public/private collaboration. The goal is to create a “trust- based ‘network of networks’” of cyber defenders, enabling “collective and synchronized action.”
Coordinate cyber centers. Various agencies have cyber centers intended to support organizations managing critical infrastructure. But everyone could benefit from coordinated intelligence collection, analysis and partnerships.
Update the National Cyber Incident Response Plan. ’Nuff said.
Strengthen federal defenses. In planning for better defenses in the long term — including the adoption of zero-trust principles — feds can serve as “a model for private sector emulation.”
This article appears in our guide, “A New Cyber Game Plan Takes Shape.” To see the rest of the five pillars and learn more about the National Cybersecurity Strategy, download the guide:
Leave a Reply
You must be logged in to post a comment.