On March 2, 2023, the Biden administration announced its National Cybersecurity Strategy. The administration’s stated goals for the strategy are, “to secure the full benefits of a safe and secure digital ecosystem for all Americans.” This blog outlines Forrester’s existing Security & Risk research to help organizations navigate, manage, and prepare their organizations for the implications of the National Cybersecurity Strategy.
Whether your organization is in the public or private sector, your cybersecurity program will feel the impact of the National Cybersecurity Strategy. The strategy document makes the following clear:
- Minimum cybersecurity requirements will cascade across industries.
- Technology is critical infrastructure.
- Protecting technology is a national security imperative.
- Private enterprises are a critical dependency for national security.
Forrester Security & Risk Research Gives You A Head Start
Forrester has existing research which addresses key pieces of the National Cybersecurity Strategy. What follows is a short description of the five pillars described in the full National Cybersecurity Strategy document along with corresponding Forrester research to help security leaders – both public and private – address those pillars.
Pillar 1: Defending Critical Infrastructure
In countries like the United States, private sector technology underpins vital services afforded to citizens. Up until now, the responsibility to protect that technology has been placed on private enterprise. This announcement by the Biden administration signals the federal government intends to take a stronger stance to scrutinize and enforce that defense and, in some instances, support it.
Strategic Objective 1.1 – Establishing Requirements to Support National Security
Critical infrastructure presents a target-rich environment for nation-state and other malicious actors. Companies like oil, natural gas, aviation, and rail providers have established cybersecurity requirements – those will now expand to all critical infrastructure providers. CISA lists key critical infrastructure providers, but no doubt the scope of these regulations will expand as the government recognizes the broad reach of cyberattacks that affect national security. Forrester’s nation-state threats research will put you on the right path:
Strategic Objective 1.2 – Scaling Public-Private Collaboration
The administration is introducing more robust collaboration between CISA, Security Risk Management Agencies (SRMAs), and private sector organizations to improve partnership at scale – using yet-to-be-defined technologies. This is likely to be a partnership built on threat intelligence sharing, which is described in more depth in Pillar 2. Forrester’s nation-state threats research will put you on the right path:
Strategic Objective 1.3 – Integrate Federal Security Centers
Building on the Solarium Commission’s proposal for an integrated public-private cyber center in CISA, the administration will fuse cyber defense planning and operations across the government with private sector and international partners. In practice, this means the Executive Branch will continue to augment CISA’s role as national coordinator for critical infrastructure with the FBI’s law enforcement arm, and with the Intelligence Community’s cyber intelligence collection and analysis capabilities.
Strategic Objective 1.4 – Update Federal Incident Plans and Processes
Large private sector organizations have comprehensive incident response plans and playbooks that detail to the letter who within the IR ecosystem should be contacted and when – with the exception of law enforcement. The number of agencies (and their respective outposts or field offices) who either offer themselves as contacts or expect to be contacted during a major breach or attack is confusing to security leaders. This objective streamlines the notification and escalation process to ensure information sharing and ownership of response actions for those incidents, like those on critical infrastructure, requiring a federal response. Forrester understands the importance of a solid incident response program – and the damage done by a major breach, with research aimed at our security leader clients like:
Strategic Objective 1.5 – Modernize Federal Defenses
It’s no surprise that Zero Trust (ZT) continues to be a driver for Federal cybersecurity. Federal civilian agencies, and more recently the DoD, have been issued executive orders (EOs) and Office of Management and Budget (OMB) memorandums describing the steps, and associated timelines, for implementing ZT within federal systems. Data security is at the forefront of the charge, and for good reason: data is at the center of ZT and must be secured beyond due diligence. Renewed emphasis has been placed on OT systems and networks, as they have historically been left by the wayside from a networking and security perspective. Forrester believes that the commercial ZT adoption landscape will change as organizations not only recognize the benefits of ZT but also see it becoming a cost of doing business with the US federal government.
Pillar 2 – Disrupt and Dismantle Threat Actors
Cyberattacks are currently out of the control of the federal government. This pillar’s goal is to level the playing field by making attacks more costly for cyberattackers, improve collaboration between the private sector and the public sector, and expand breach notification requirements.
Strategic Objective 2.1: Integrate Federal Disruption Activities
The administration’s goal is to make cyberattacks so costly that they are no longer 1) profitable or 2) a viable means of achieving nation-state ends via disruption campaigns. Some security tools take this approach today, such as bot management tools that raise the cost of bot attacks. However, this will likely be a broader effort combining technology-based disruption with ZT implementation to harden infrastructure.
Strategic Objective 2.2 – Enhance Public-Private Operational Collaboration
The federal government admits the private sector has more knowledge of threat actors than it can collect on its own. Because of this, they are enhancing collaboration through the National Cyber-Forensics and Training Alliance, among other non-profits. If done well, this coordination will improve shared threat intelligence capabilities across the public and private sector. However, the delivery and quality of that threat intelligence remains to be seen.
Strategic Objective 2.3: Increase The Speed And Scale Of Intelligence Sharing And Victim Notification
Breach notification is much more than a regulatory requirement. How organizations respond and communicate to stakeholders about data breaches and other disruptive events like ransomware sets the tone for recovery.
Strategic Objective 2.4 – Prevent Abuse of US-Based Infrastructure
Infrastructure-as-a-service (IaaS) providers will be held to a higher standard in the speed at which they must respond to and alert on cyberattacks. IaaS providers are effectively considered critical infrastructure now.
Strategic Objective 2.5 – Counter Cybercrime, Defeat Ransomware
The administration is taking a four-pronged approach to cybercrime and ransomware defense:
- International cooperation
- Law enforcement investigations of ransomware actors
- Critical infrastructure resiliency
- Addressing abuse of virtual currency
Importantly, the administration does not explicitly state that ransomware payments will be scrutinized or banned – while they heavily discourage them. Ultimately, the strategy promotes reporting ransomware incidents to law enforcement.
Pillar 3: Shape Market Forces To Drive Security And Resilience
This pillar emphasizes accountability and incentives: financial sticks and carrots to build security and resilience into the US technology ecosystem.
Strategic Objective 3.1: Hold The Stewards Of Our Data Accountable
Organizations that collect, use, transfer, and maintain personal data have a responsibility for securing that data and protecting individuals’ privacy rights. This responsibility is much more than a regulatory obligation. It is a foundation for building trust and competitive differentiation in a digital world.
Strategic Objective 3.2: Drive The Development Of Secure IoT Devices
Internet of things (IoT) devices are used in organizations of all sizes, locations, and industries to perform a variety of tasks. Because of a history of poor cybersecurity practices in development and deployment, IoT devices have become a prime target of attacks. Changing this requires that new devices be built securely by default and that organizations adopt networking and device security practices that limit who – or what – can talk to these devices inside and outside the organization.
Strategic Objective 3.3: Shift Liability For Insecure Software And Services
Companies are in for a rude awakening as the strategy makes them liable for security flaws in their products and services. With this shift, securing what you sell becomes not just a strategic objective for top-line CISOs to enable the business but also a defensive measure to protect the business. Companies are also responsible for any open source and third-party dependencies assembled, packaged, and utilized by the product. Incorporating a software composition analysis (SCA) tool in the SDLC provides visibility into the risks of third-party libraries, and SCA will generate an SBOM that can be used as evidence of secure software development practices.
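To show what “visibility into the risks of third-party libraries” looks like once an SBOM exists, here is an added example (not Forrester’s, CycloneDX’s, or any SCA vendor’s code) that reads a CycloneDX-style JSON SBOM and matches its components against an advisory list by Package URL and affected version range. The SBOM, the package names and the advisory identifiers are all constructed for the example; a real SCA tool would pull advisories from a live feed and apply per-ecosystem version rules.

```python
"""Check a CycloneDX-style SBOM against a list of advisories.

Added illustration, not Forrester's or any vendor's code. The SBOM and the
advisory feed are constructed sample data.
"""
import json

# Constructed SBOM in CycloneDX JSON layout: one application, three libraries.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-yaml", "version": "5.3.1",
         "purl": "pkg:pypi/example-yaml@5.3.1"},
        {"type": "library", "name": "example-http", "version": "2.0.4",
         "purl": "pkg:pypi/example-http@2.0.4"},
        {"type": "library", "name": "example-log", "version": "1.9.0",
         "purl": "pkg:pypi/example-log@1.9.0"},
    ],
})

# Constructed advisory feed: affected versions are [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "pkg:pypi/example-yaml",
     "introduced": "0", "fixed": "5.4", "severity": "critical"},
    {"id": "EXAMPLE-2023-0002", "package": "pkg:pypi/example-http",
     "introduced": "2.1.0", "fixed": "2.1.3", "severity": "high"},
]


def parse_version(text):
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically.
    Assumes plain dotted-integer versions; real SCA needs per-ecosystem rules."""
    return tuple(int(part) for part in text.split("."))


def purl_without_version(purl):
    """'pkg:pypi/name@1.2' -> 'pkg:pypi/name', the key advisories are filed under."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True when version lies in the advisory's half-open [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        base = purl_without_version(purl)
        for adv in advisories:
            if adv["package"] == base and is_affected(comp["version"], adv):
                findings.append({"component": purl, "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def main():
    for f in check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['severity'].upper():9}{f['component']} -> {f['advisory']} "
              f"(fixed in {f['fixed_in']})")


if __name__ == "__main__":
    main()
```

Run as-is, the check flags only example-yaml 5.3.1 (inside the first advisory’s range); example-http 2.0.4 falls below the second advisory’s introduced version and is left alone, which is the kind of precision an SBOM-driven check gives over a plain package name match. The same SBOM, retained with the build, is the evidence the strategy expects companies to be able to produce.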
Strategic Objective 3.4: Use Federal Grants And Other Incentives To Build In Security
With the government offering financial support to build security in, now is the right time to Gauge The Maturity Of Your Product Security Program and develop a roadmap for improving product security at every stage of the product lifecycle. For new products and prototypes, follow the principles of Minimum Viable Security to make sure that security is right-sized even at the earliest stages.
Strategic Objective 3.5: Leverage Federal Procurement To Improve Accountability
As the administration works to establish liability for software products and services, it’s also using contracting requirements to hold companies accountable. “Plausible deniability” isn’t a valid legal strategy – if a company makes a contractual commitment to the government, it is accountable for following cybersecurity best practices. Knowingly providing defective products, misrepresenting security practices, or failing to monitor and report cyber incidents could result in the DOJ filing civil actions under the False Claims Act.
Strategic Objective 3.6: Explore A Federal Cyberinsurance Backstop
Cyberinsurance is one component of a multilayered cybersecurity and risk management strategy. Today’s environment of systemic risks stemming from global events, geopolitical threats, and third-party risk events has a cascading impact on and across organizations – and the cyber insurance market. The call for a Federal response to support the existing cyberinsurance market is welcome. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will likely be needed in the future. Meanwhile, organizations must address the current reality of cyberinsurance market dynamics and increasingly stringent requirements for obtaining cyberinsurance policies. Forrester is tracking the evolution of this still relatively nascent market with reports like:
Pillar 4 – Invest in a Resilient Future
Every strategy requires looking ahead into the future and planning for disruption. This strategy is no exception. The document makes clear the need to invest in, develop, and secure the internet, develop and safeguard cybersecurity intellectual property, and cultivate practitioner skills.
Strategic Objective 4.1: Secure The Technical Foundation Of The Internet
The US governmental focus on vulnerable infrastructure is not a new idea; however, it is frequently overlooked while planning for innovative technology adoption strategies. The U.S. government’s proactive alignment with industry leaders, academia, and allied nations will foster global standards of interoperability, thereby increasing adoption rates while working towards global security standards.
Strategic Objective 4.2: Reinvigorate Federal Research And Development For Cybersecurity
Much of the cybersecurity innovation to date has been driven by the investment community, focusing on solutions that solve individual cyber problems. This pillar is forward-looking and aims to drive investment in the security of “computing-related technologies, including microelectronics, quantum information systems, and artificial intelligence, biotechnologies and biomanufacturing, and clean energy systems.” We expect this strategy to initiate even more cybersecurity innovation than we already have in the US, focused on these strategic areas, as the federal government encourages technology builders to improve cybersecurity.
Strategic Objective 4.3: Prepare For Our Post-Quantum Future
In recent months, the US government has pushed its agencies to plan for the transition to post-quantum cryptography. Now, it is also pushing the private sector to invest in that same migration. This will require major efforts in 1) data discovery, 2) encryption discovery, and 3) data protection rearchitecture for cryptographic agility. Organizations should prepare for the risks to traditional cryptography and the move to post-quantum.
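Encryption discovery, the second of the three efforts above, is the step most organizations have never done: finding every place an algorithm is named and deciding what the post-quantum migration means for it. The following is an added example (not Forrester’s, NIST’s, or any vendor’s tooling) that scans a set of configuration and source fragments for algorithm references and ranks them by migration action. The file contents, the classification table and the action labels are constructed for the example; a real inventory would also cover certificates, key stores, TLS endpoints, HSM policies and encrypted data at rest.

```python
"""Encryption discovery for cryptographic agility.

Added illustration, not Forrester's, NIST's or any vendor's tooling. The files,
the algorithm table and the action labels are constructed for the example.
"""
import re
from collections import Counter

# Constructed sample artifacts: path -> contents.
SAMPLE_FILES = {
    "deploy/nginx.conf": (
        "ssl_protocols TLSv1.2 TLSv1.3;\n"
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;\n"
    ),
    "app/signing.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
    ),
    "app/storage.py": (
        "cipher = Cipher(algorithms.AES(key), modes.GCM(nonce))  # AES-256\n"
        "digest = hashes.SHA256()\n"
    ),
}

# Classification assumed from public post-quantum guidance: public-key schemes
# resting on factoring or discrete logarithms are broken by Shor's algorithm
# and must be replaced; symmetric ciphers and hashes only lose margin to
# Grover's algorithm, so larger sizes are generally sufficient.
ALGORITHM_CLASSES = {
    "RSA":    ("replace", "public-key; quantum-vulnerable"),
    "DSA":    ("replace", "public-key signature; quantum-vulnerable"),
    "DH":     ("replace", "key exchange; quantum-vulnerable"),
    "ECDH":   ("replace", "key exchange; quantum-vulnerable"),
    "ECDHE":  ("replace", "key exchange; quantum-vulnerable"),
    "ECDSA":  ("replace", "public-key signature; quantum-vulnerable"),
    "AES128": ("upgrade", "symmetric; move to 256-bit keys"),
    "AES256": ("keep", "symmetric; adequate margin"),
    "AES":    ("review", "symmetric; key size not visible here, confirm 256-bit"),
    "SHA1":   ("replace", "hash; already deprecated classically"),
    "SHA256": ("review", "hash; fine for integrity, consider SHA-384 where margin matters"),
    "SHA384": ("keep", "hash; adequate margin"),
}
PRIORITY = {"replace": 0, "upgrade": 1, "review": 2, "keep": 3}

# Matches algorithm tokens in cipher strings, API names and comments.
# Longer alternatives come first so "ECDHE" is not split into "ECDH" + "E".
TOKEN = re.compile(
    r"\b(ECDSA|ECDHE|ECDH|RSA|DSA|DH|AES-?\d+|AES|SHA-?\d+|SHA)\b", re.IGNORECASE)


def normalize(token):
    """'aes-128' -> 'AES128' so cipher-suite and API spellings collide."""
    return token.upper().replace("-", "")


def classify(algorithm):
    """Look up the migration action; unknown algorithms are flagged for review
    rather than silently treated as safe."""
    return ALGORITHM_CLASSES.get(algorithm, ("review", "not in classification table"))


def inventory(files):
    """Return one record per (path, algorithm), highest-priority action first."""
    counts = Counter()
    for path, text in files.items():
        for match in TOKEN.finditer(text):
            counts[(path, normalize(match.group(1)))] += 1
    records = []
    for (path, algorithm), count in counts.items():
        action, note = classify(algorithm)
        records.append({"path": path, "algorithm": algorithm, "count": count,
                        "action": action, "note": note})
    records.sort(key=lambda r: (PRIORITY[r["action"]], r["path"], r["algorithm"]))
    return records


def summary(records):
    """Count records per action, e.g. {'replace': 4, ...}, for reporting."""
    return dict(Counter(r["action"] for r in records))


def main():
    for r in inventory(SAMPLE_FILES):
        print(f"{r['action']:8}{r['algorithm']:7} x{r['count']}  {r['path']}  ({r['note']})")


if __name__ == "__main__":
    main()
```

On the constructed files the inventory surfaces four “replace” entries (the RSA and ECDSA signatures and ECDHE key exchange in the TLS cipher list, plus the RSA key generation in application code), one AES-128 suite to upgrade, and a bare `AES(...)` call whose key size cannot be determined from the reference and so is sent for review rather than assumed safe. That sorted list is the input to the third effort, rearchitecting data protection so that algorithm choices live in one place and can be swapped without touching every call site.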
Strategic Objective 4.4: Secure Our Clean Energy Future
Last year, the administration passed the Inflation Reduction Act, which came with $369B for greenhouse gas (GHG) emissions reduction and climate risk adaptation through tax incentives and directed investment in clean energy projects, including domestic manufacturing of clean energy technology. Creating a national clean energy infrastructure relies on cloud-based technologies and devices that adversaries will try to exploit. This section calls for the “security by design” approach to clean energy technology described in the DOE’s National Cyber-Informed Engineering Strategy, whereby cybersecurity controls are embedded early in the design lifecycle of engineered systems to reduce cyber risks and vulnerabilities, rather than added after manufacturing.
Strategic Objective 4.5: Support Development of a Digital Identity Ecosystem
The emphasis on establishing a digital identity ecosystem will accelerate innovation around solutions for phishing-resistant authentication (as emphasized in the 2022 memo M-22-09, Moving the US Government Toward Zero Trust Cybersecurity Principles). However, the most profound impact of this strategic objective will be on enabling trusted digital identities. The concept of trusted digital identity is simple: it’s a high degree of confidence that an organization, person, device, or machine is who or what it represents itself to be. While the definition is simple, creating trusted digital identities and the trust ecosystem around them is not.
Strategic Objective 4.6: Develop A National Strategy To Strengthen Our Cyber Workforce
The nation faces a severe, chronic staffing shortage for cybersecurity talent, threatening to burn out those in security roles and leaving firms – and government agencies – vulnerable to attack. This shortage, however, is largely self-inflicted, owing to rigid hiring practices and a lack of new talent entering the cybersecurity career pipeline. The implementation of the National Cybersecurity Workforce Strategy doubles down on the work the administration has already done to encourage and enable cybersecurity apprenticeships and other training and education programs, to increase diversity, and to address the unique challenges faced by critical infrastructure providers and government agencies.
Pillar 5 – Forge International Partnerships to Pursue Shared Goals
Pillar 5 breaks down the international relationships and norms the US government has, and hopes to establish, for broader impact on its cybersecurity initiatives. Ultimately, the world must move towards a more unified understanding of, response to, and set of constraints around how cyberattacks are used for nation-state ends. Each strategic objective outlines a piece of this work.
Strategic Objective 5.1 – Build Coalitions to Counter Threats to Our Digital Ecosystem
The administration is establishing a set of shared goals for cyberspace with existing partnerships in the UN, the Quadrilateral Security Dialogue, and others. This will hopefully improve the collaboration and shared threat intelligence between nations, increasing visibility into threat actor activity.
Strategic Objective 5.2 – Strengthen International Partner Capacity
The federal government and the Department of State are enhancing military-to-military partnerships with other allied nations.
Strategic Objective 5.3 – Expand US Ability to Assist Allies and Partners
The US recognizes the toll recent cyberattacks against countries have taken and intends to enhance this partnership with groups like NATO to build an incident support capability with allies.
Strategic Objective 5.4 – Build Coalitions to Reinforce Global Norms of Responsible State Behavior
Cybersecurity norms have yet to be established and upheld by all nations. The UN has some established norms for peacetime, but many nations fail to comply, and as of yet there are no consequences for it. This establishes an intent to not only expand those norms to more nations, but also to enforce them.
Strategic Objective 5.5: Secure Global Supply Chains For Information, Communications, And Operational Technology Products And Services
Forrester data shows that 33% of cyberattacks were caused by a supply chain or third-party breach. The administration takes a multi-pronged approach to combat national dependence on a “growing network of foreign suppliers” for products and services that introduce “systemic risk to our digital ecosystem.” This is a long-term strategy, not a short-term fix, and it calls for public/private sector collaboration, reshoring manufacturing of critical components and systems, and prioritizing resilience and supply chain security.