By - Tim Rosado
The Biden Administration released (March 2) its long-awaited National Cybersecurity Strategy. As with any strategy document, the document mostly provides a high-level strategic vision, policy areas of focus, and a generalized way-forward on action.
That being the case, what follows is a list of the key elements of the Strategy tied to guidance and specific action:
Standards & Requirements
The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical infrastructure sectors, to include performance-based regulations that define minimum expected cybersecurity practices or outcomes.
The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity.
The US will support implementation of international Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) standards globally to mitigate the use of cryptocurrencies for illicit activities that undermine US national interests.
The Administration will work with Congress to pass legislation to codify the Cyber Safety Review Board (CSRB) and provide the authorities it needs to carry out comprehensive reviews of significant incidents.
The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Legislation should prevent the full disclaiming of liability by contract and establish higher standards of care for software in specific high-risk scenarios. The Administration will drive the development of an "adaptable safe harbor framework" to shield from liability those companies that "securely develop and maintain" their software products and services.
Management & Resources
The Federal Government will build out the capabilities of Sector Risk Management Agencies (SRMAs) to enable security and resilience improvements across critical infrastructure.
CISA will lead a process to update the National Cyber Incident Response Plan (NCIRP) to strengthen processes, procedures, and systems to more fully realize the policy that “a call to one is a call to all.”
The White House Office of Management and Budget (OMB) will develop a plan of action to secure Federal Civilian Executive Branch (FCEB) systems through collective operational defense, expanded availability of centralized shared services, and software supply chain risk mitigation.
OMB will also lead development of a multi-year lifecycle plan to accelerate FCEB technology modernization, prioritizing Federal efforts on eliminating legacy systems, which are costly to maintain and difficult to defend.
DOD will update cyber strategies, including how US Cyber Command and other DOD components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic-level threats to US interests.
The National Cyber Investigative Joint Task Force (NCIJTF) will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency.
The Federal Government will rapidly overcome barriers to supporting and leveraging the National Cyber-Forensics and Training Alliance (NCFTA) collaboration model, such as those concerning security requirements and records management policy.
The Federal Government will review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances is necessary to provide actionable intelligence to owners and operators of critical infrastructure.
The Federal Government will invest in secure software development, including memory-safe languages and software development techniques, frameworks and testing tools.
The Administration will assess the need for a Federal insurance response to catastrophic cyber events (i.e., a "cyber insurance backstop").
The Federal Government will provide leadership with its own systems to clean up foundational risks related to, for example, the Border Gateway Protocol (BGP), unencrypted Domain Name System (DNS) requests, and adoption of IPv6.
The Federal Government will advance Research, Development, and Demonstration (RD&D) projects that advance cybersecurity and resilience in areas such as artificial intelligence, operational technologies and industrial control systems, cloud infrastructure, telecommunications, encryption, system transparency, and data analytics used in critical infrastructure.
The Federal Government will prioritize the transition of vulnerable public networks to quantum-resistant cryptography-based environments and provide complementary mitigation strategies to provide cryptographic agility.
The Federal Government will encourage and enable investments in strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth.
Collaboration & Coordination
The US will pursue cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows.
The Federal Government will increase the speed and scale of cyber threat intelligence sharing to proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.
The Federal Government will work with cloud and other internet infrastructure providers to quickly identify malicious use of US-based infrastructure, share reports of malicious use with the government, make it easier for victims to report abuse of these systems, and make it more difficult for malicious actors to gain access.
The Joint Ransomware Task Force (JRTF) will coordinate, deconflict, and synchronize existing interagency efforts to disrupt ransomware operations and provide support to private sector and SLTT (state, local, tribal, and territorial) efforts to increase their protections against ransomware.
The Administration will encourage vulnerability disclosure across all technology types and sectors; will promote the further development of software bills of materials (SBOMs); and will develop a process for identifying and mitigating risks presented by unsupported software that is widely used or important to critical infrastructure.
The US will work to help extend hubs like the European Cybercrime Centre with international partners in other regions, and will also "marshal expertise" across public agencies and the private sector to pursue coordinated and effective cyber capacity-building and operational collaboration efforts.
The Administration will develop policies to determine when it is in the national interest to provide international cybersecurity support, develop mechanisms for identifying and deploying resources, and rapidly seek to remove financial and procedural barriers to enable such support.
The US will work with allies and partners to identify and implement best practices in cross-border supply chain risk management, and will work to shift supply chains to flow through partner countries and trusted vendors. This includes prioritizing opportunities to provide higher levels of assurance that digital technologies will function as expected, and attracting countries to support a shared vision of an open, free, global, interoperable, reliable, and secure internet.