In its 2022 National Security Strategy document, the Biden Administration suggested an outline for a cyber threat strategy:
Our societies, and the critical infrastructure that supports them, from power to pipelines, is increasingly digital and vulnerable to disruption or destruction via cyber attacks. Such attacks have been used by countries, such as Russia, to undermine countries' ability to deliver services to citizens and coerce populations. We are working closely with allies and partners, such as the Quad, to define standards for critical infrastructure to rapidly improve our cyber resilience, and building collective capabilities to rapidly respond to attacks. (National Security Strategy, p. 34).
On 2 March 2023, the Biden Administration appeared to make good on that objective with its release of the National Cybersecurity Strategy "to secure the full benefits of a safe and secure digital ecosystem for all Americans." (FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy). The strategy is based on the determination to "make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace."
The Strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity. (FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy)
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
- We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
It is based on a five-prong strategy:
1. Defend Critical Infrastructure – We will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides.
2. Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States.
3. Shape Market Forces to Drive Security and Resilience – We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy.
4. Invest in a Resilient Future – Through strategic investments and coordinated, collaborative action, the United States will continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure.
5. Forge International Partnerships to Pursue Shared Goals – The United States seeks a world where responsible state behavior in cyberspace is expected and reinforced and where irresponsible behavior is isolating and costly. (FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy)
Besides the aspirational language, the strategy points to some interesting developments in the strategic architecture of cybersecurity. The one worthy of distinguishing is #3: shaping market forces. This has substantial possibilities but also poses the greatest risks to the core strengths of the Republic: the power of its market-driven development. Merely suggesting that all that is required is some sort of enhanced compliance strategy suggests the little minds of great administrators unable to get their heads out from within the small lifeworlds they inhabit. One will hope for better. For the moment that better is not embedded in the strategic objectives outlined in the National Cybersecurity Strategy itself (pp. 19-22). For the moment what one has are strategies that rely on further governmentalization of cyber platforms and data holders (Strategic Objective 3.1); a better security architecture for the Internet of Things (IoT) (Strategic Objective 3.2); liability shifting (Strategic Objective 3.3); subsidies for innovation (Strategic Objective 3.4); strategic use of federal procurement as a workaround to legislation or regulation (Strategic Objective 3.5); and the creation of a federally subsidized insurance scheme (Strategic Objective 3.6).
The full text of the FACT SHEET follows.
FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy
Today, the Biden-Harris Administration released the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. In this decisive decade, the United States will reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society. To realize this vision, we must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
- We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
The Strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity.
VISION
Our rapidly evolving world demands a more intentional, more coordinated, and more well-resourced approach to cyber defense. We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests. At the same time, next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies.
This Strategy sets out a path to address these threats and secure the promise of our digital future. Its implementation will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base. Together with our allies and partners, the United States will make our digital ecosystem:
- Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
- Resilient, where cyber incidents and errors have little widespread or lasting impact; and,
- Values-aligned, where our most cherished values shape—and are in turn reinforced by—our digital world.
The Administration has already taken steps to secure cyberspace and our digital ecosystem, including the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems). Expanding on these efforts, the Strategy recognizes that cyberspace does not exist for its own end but as a tool to pursue our highest aspirations.
APPROACH
This Strategy seeks to build and enhance collaboration around five pillars:
1. Defend Critical Infrastructure – We will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides, including by:
- Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance;
- Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services; and,
- Defending and modernizing Federal networks and updating Federal incident response policy.
2. Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States, including by:
- Strategically employing all tools of national power to disrupt adversaries;
- Engaging the private sector in disruption activities through scalable mechanisms; and,
- Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with our international partners.
3. Shape Market Forces to Drive Security and Resilience – We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy, including by:
- Promoting privacy and the security of personal data;
- Shifting liability for software products and services to promote secure development practices; and,
- Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
4. Invest in a Resilient Future – Through strategic investments and coordinated, collaborative action, the United States will continue to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure, including by:
- Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression;
- Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure; and,
- Developing a diverse and robust national cyber workforce.
5. Forge International Partnerships to Pursue Shared Goals – The United States seeks a world where responsible state behavior in cyberspace is expected and reinforced and where irresponsible behavior is isolating and costly, including by:
- Leveraging international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition;
- Increasing the capacity of our partners to defend themselves against cyber threats, both in peacetime and in crisis; and,
- Working with our allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.
Coordinated by the Office of the National Cyber Director, the Administration’s implementation of this Strategy is already underway.
###