The US has announced its National Cybersecurity Strategy: Here’s what you need to know

The White House released the new US National Cybersecurity Strategy earlier this month.

  1. The framework seeks to protect critical infrastructure, including hospitals and clean energy facilities, from cyberthreats.
  2. It also aims to increase collaboration with international coalitions and partnerships to counter threats to the digital ecosystem.
  3. The US government is continuing efforts to strengthen the country’s cybersecurity prowess as well as bolster its overall technology governance strategy.

The new National Cybersecurity Strategy outlines the steps the government is taking to secure cyberspace and build a resilient digital ecosystem that is easier to defend than to attack:

“When we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure….”

The strategy is part of a larger effort to strengthen cyber and technology governance. This includes efforts to increase accountability for tech companies, boost privacy protections and ensure fair competition online.

Why does the US need a National Cybersecurity Strategy?

The world is increasingly complex and cyberthreats are growing more sophisticated, with ransomware attacks running into millions of dollars in economic losses in the US. In 2022, the average cost of a ransomware attack was more than $4.5 million, according to IBM.

The greatest risks we face are interconnected, creating the threat of a “polycrisis”, whereby the overall combined impact of these events is greater than their individual impact.

This is equally true of technological risks, where, for example, attacks on critical information infrastructure could have disastrous consequences for public infrastructure and health, or where growing geopolitical tensions heighten the risk of cyberattacks.

In 2022, state-sponsored cyberattacks targeting users in NATO countries increased by 300% compared to 2020, according to Google data.

The National Cybersecurity Initiative notes, “Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.”

What are the 5 pillars of the National Security Strategy?

The COVID-19 pandemic accelerated the world’s digital transformation, which means we rely on connected devices and digital technology to do more than ever before – putting our lives and livelihoods at greater risk from cyberthreats.

The US’ National Security Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through “robust collaboration”.

It also seeks to build cyberspace resilience by balancing the need to address immediate threats with incentives for investment in the secure, long-term future of the digital ecosystem.

1. Defend critical infrastructure

To build confidence in the resilience of US critical infrastructure, regulatory frameworks will establish minimum cybersecurity requirements for critical sectors.

2. Disrupt and dismantle threat actors

Working with the private sector and international partners, the US will seek to address the ransomware threat and disrupt malicious actors.

3. Shape market forces to drive security and resilience

Grant schemes will promote investment in secure infrastructure, liability for the security of software products and services will be shifted away from the most vulnerable, and good privacy practices will be promoted.

4. Invest in a resilient future

A diverse cyber workforce will be developed, and cybersecurity R&D for emerging technologies, including post-quantum encryption, will be prioritized.

5. Forge international partnerships to pursue shared goals

The US will work with its allies and partners to counter cyberthreats and create reliable and trustworthy supply chains for information and communications technology.

Where is the big shift in the National Cybersecurity Strategy?

Vendor Indemnification Ending?

For decades, the technology industry has operated under what is known as “shrink-wrap” licensing. This refers to the multiple pages of legal text that customers, both large and small, are routinely forced to accept before installing or using computer products, software and services. Think of click-through agreements.

While much has been written about these agreements, such licenses generally have one thing in common: they ultimately protect vendors from legal consequences for any damages or costs arising from a customer’s use of their products. This matters when the vendor is at fault for producing a flawed or insecure product that harms the end user, who is then left with little recourse.

In a groundbreaking move (Strategic Objective 3.3), the new cybersecurity strategy says that while no product is totally secure, the administration will work with Congress and the private sector to prevent companies from being shielded from liability claims over the security of their products. These products underpin most of modern society.

Removing that legal shield is likely to encourage companies to make security a priority in their product development cycles and have a greater stake in the reliability of their products beyond the point of sale.

Ransomware as a National Security Threat

Interestingly, the strategy places great emphasis on ransomware as the most pressing cybercrime facing the US at all levels of government and business. It now calls ransomware a national security threat and not simply a criminal matter.

Backstopping cyber insurance

The new strategy also directs the federal government to consider taking on some responsibility for so-called cybersecurity insurance. It appears that the administration wants to ensure that insurance companies are adequately funded to respond to claims following a significant or catastrophic cybersecurity incident. Since 2020, the market for cybersecurity-related insurance has grown nearly 75%, and organizations of all sizes now consider such policies necessary.

RSLG is at the tip of the spear when it comes to best practices and offers clients the best protection going forward for their data protection needs. With a 24/7 legal hotline, RSLG can show you how we can help with your data protection needs.