The White House Announces Its National Cybersecurity Strategy to Enhance Industry Collaboration
On March 2nd, the White House released its National Cybersecurity Strategy, a comprehensive document recommending changes in how the country should approach securing cyberspace. The document describes two fundamental changes in how the US will allocate roles, responsibilities, and resources in cyberspace.
The first change is a rebalancing of the responsibility to defend cyberspace. The burden of cybersecurity will shift away from individuals and small businesses and onto the most capable organizations, those best positioned to address the overall cyber risk. Second, the government will realign incentives to favor long-term investments and strategic planning for the future, while simultaneously addressing today's immediate threats.
The Five Pillars of the National Cybersecurity Strategy
To accomplish these changes, the strategy leverages five pillars to provide focus, direction, and accountability:
- Defend Critical Infrastructure.
- Disrupt and Dismantle Threat Actors.
- Shape Market Forces to Drive Security and Resilience.
- Invest in a Resilient Future.
- Forge International Partnerships to Pursue Shared Goals.
Each of the five pillars is a critical part of addressing many of the known weaknesses and concerns in cybersecurity. Of course, this strategy also leverages many of the policies and programs already in place, including the many executive orders and memoranda issued in the last two years.
Many in the industry are particularly interested in the upcoming changes to roles and responsibilities as they relate to cyber defense and strategy. In a briefing to reporters on the Cybersecurity Strategy announcement, Kemba Walden, acting National Cyber Director, said: “Across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.”
It’s clear that the expectations placed on, and possible liability of, software providers, cloud service providers, and managed service providers will change as we move to a more mature approach to cybersecurity. Incentives to drive security into software and services will be leveraged, including federal grant money and government contracts. Conversely, penalties and market restrictions will likely be applied to non-compliant behavior.
Aligning with the Cybersecurity Strategy
Over the last decade, many well-defined programs, including NIST’s Cybersecurity Framework, FedRAMP, and CMMC, have been created to provide guidance and direction for commercial industry in delivering effective cybersecurity solutions to government agencies. It should be noted that FedRAMP and CMMC compliance are required to do any business with federal agencies and the Department of Defense, respectively. Though each of these programs has gone through its own growing pains and is often seen as burdensome, they are now well known within the industry and have clearly made software and cloud offerings more secure and resilient. Unfortunately, most commercial providers treat their regulated offerings (FedRAMP, CMMC) as a one-off, separate from their standard commercial offering. I believe that these standards will become the baseline for all markets in order to elevate the security of not just federal but commercial markets, starting with critical infrastructure. This ‘mainstreaming’ of the federal offerings provides a simpler development and operating model for the provider and raises overall cybersecurity in these commercial markets.
Accepting the Shift
This new cybersecurity strategy is not the first, and it most certainly won’t be the last, we hear from the White House on this important issue. It’s not a matter of whether organizations need to adopt new cyber and zero trust strategies, but a matter of how fast and how well. There is an abundance of technologies that can help, and of strategists and engineers who can advise, but the organizations that succeed in this undertaking will be the ones that accept the shift in responsibility in every aspect of their operations and create a clear roadmap to bring a long-term plan to fruition sooner rather than later.