US Cybersecurity Strategy Ups the Ante Against Attackers
Table Of Contents:
Soon after we published our preview of the US National Cybersecurity Strategy (NCS), the government unveiled the final document. It contained stronger language than ever as it called for companies across the US to shore up their cybersecurity and also showed some insightful thinking designed to tackle some long-term cybersecurity problems at home and overseas.
A Focus on Critical Infrastructure
The Strategy addresses security challenges across five pillars, the first of which is defending critical infrastructure. It takes a carrot-and-stick approach to this challenge. On one side, it advocates stricter regulation that will make companies more accountable for cybersecurity. However, it acknowledges that some sectors are under-resourced compared to others and calls on regulators to factor in the level of resources available when making new cybersecurity rules.
The document pairs this regulatory stick with incentives for good long-term cybersecurity decisions. These incentives will come from mechanisms including rate-making and tax structures, it says.
Holding Tech Vendors and Operators Liable
Another pillar in the NCS, on shaping market forces to support cybersecurity, also heralds a shift in focus. It transfers liability from what it calls the most vulnerable players in the ecosystem (technology users) to the vendors and operators that supply the tech. Holding the latter more accountable is a foundational tenet of the Strategy.
These operators include cloud service providers (CSPs), which are increasingly important in the tech ecosystem. The same week the NCS dropped, Acting National Cyber Director Kemba Walden called the cloud “too big to fail”. Cloud services are also local enough for attackers to exploit. Overseas adversaries frequently use their infrastructure for attacks, making geoblocking and other protection measures difficult.
With this in mind, the NCS calls on CSPs to take more responsibility in assessing and mitigating risk to their systems. It cites Executive Order 13984, “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”. This Trump-era document called for better customer identification among CSPs but was not enforced- until now.
This new focus on accountability extends to those who handle data and create software to manage it. The White House wants legislation that will “set national requirements to secure personal data consistent with standards and guidelines developed by NIST.” This is the clearest indication yet of the desire for strong federal privacy and data security legislation protecting consumers rather than a patchwork quilt of state-level laws.
The NCS also calls for legislation covering software vendors, which it says dodges liability for insecure software in their license agreements. These laws would enforce liability for software vendors that don’t conform to software security standards already established by the likes of NIST. However, there would be a safe harbour agreement for those that do.
Going on the Offensive
Defending domestic networks and consumers is one arm of the strategy. Another pillar, Disrupt and Dismantle Threat Actors recommends more aggression in taking down attackers’ systems.
This approach targets the entire criminal ecosystem, not just attackers’ botnets. The government will counter ransomware attackers by attempting to make their illicit business less profitable. This means continuing to target the cryptocurrency exchanges where they cash out, for example. Treasury has already sanctioned several such systems, so this articulates and doubles down on an existing trend like many other parts of the Strategy.
The military will play a more significant part in this assault on attackers’ ecosystems, creating a new strategy to work more closely with civilian agencies in targeting malicious actors. Private companies will also play an important role. The government has previously worked with organisations like Microsoft to take down malicious networks. Still, it is now upping the ante, enlisting companies openly in its campaign to take down attackers. It advises them to form “nimble, temporary cells” for targeted operations, working via a series of non-profit cybersecurity-focused hub organisations representing an interface with the feds.
Hands Across the Ocean
Part of this offensive strategy involves international collaboration, given that so many malicious actors are overseas. The document devotes an entire pillar to this strategy, which is ongoing. The White House already formed the Counter-Ransomware Initiative (CRI) to combat ransomware in October 2021.
The problem is that Russia, which is a haven for ransomware groups, isn’t a member of that initiative. It is one country, along with China, North Korea, and Iran, that the Strategy calls out as an overseas threat. To counter these adversaries in cyberspace, the NCS promises to apply international diplomatic pressure, working “with our allies and partners to pair statements of condemnation with the imposition of meaningful consequences.”
Longer-Term Thinking
Rather than a knee-jerk reaction to cyber threats, the NCS contains some longer-term thinking. One example is the discussion of a possible cyber insurance backstop to cover the kind of catastrophic cyber event that the World Economic Forum says is coming. This is a reaction to growing tensions between insurers and customers over the rising cost of cyber incidents.
Other longer-term actions sit under a separate pillar called Invest in a Resilient Future. These include a new National Cyber Workforce and Education Strategy to compensate for the lack of cybersecurity skills in the US and an initiative to build better digital identity solutions, fighting the current pandemic of identity theft. This pillar also calls to secure digital supply chains and thinks ahead to a post-quantum world, calling for solutions that can connect data when quantum computers threaten existing cryptographic methods.
This strategy document is a laudable effort to think intelligently about today’s problems while keeping a watchful eye on tomorrow’s. The problem, as always, is execution. The executive branch can only do so much on its own to realise these ambitions. The NCS admits it relies on the legislative branch to push many of these changes through.