The White House last week released its new National Cybersecurity Strategy that aims to shift the burden of defending the country’s cyberspace towards software vendors and service providers. This new policy is a modification of the Bush administration’s first 2003 plan that followed the 9/11 attacks, then considered—among others—the ‘digital age’s Pearl Harbor’. It was since updated several times, most recently in 2018

The purported goal is to increase the resilience of the nation’s digital infrastructure, prevent cyber attacks, and promote cybersecurity awareness among individuals, businesses, and government agencies.

Table of Contents

The wakeup call

In previous posts, we have described the many dangers facing the current cyber landscape, whether it is Russians attacking the US election process, the Russia-Ukraine cyber war Ukrainians, the China-US trade wars, and so forth.

Krebs on Security coverage focuses on the Russian ransomware groups’ use of the Emotet botnet alongside the Russian threat. According to the white house paper, China has “expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten US interests and dominate emerging technologies critical to global development.” He underscores that country’s dominance in the Internet of Things, those chips we find in nearly every daily tool we use, which are “insecure by design.”

Russia, for its part, has refined its spying, disinformation, and attack capabilities, and now easily can “coerce sovereign countries, harbor transnational criminal actors, weaken US alliances and partnerships, and subvert the rules-based international system.”

And the list goes on…

The strategy

Clearly, taking down ransomware groups one at a time, imposing sanctions, and trying to change the world from without is both a thankless task, as well as considerably Sisyphean. The challenges of securing one’s environment must begin from within, and the lackadaisical approach of some entities requires attention.

The new strategy is the result of several months’ consultations that drew together over twenty government agencies and countless private sector organizations. It has been spawned by the inordinate increase in online attacks upon the nation’s critical services and private companies, and is meant to create “a more comprehensive, coordinated approach to bolster US Cyber Command’s ability to engage in offensive operations.

According to the White House’s press statement, which accompanied the release, Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”

Consequently, the strategy proposes shifting responsibility to the software companies that supply those infrastructures with their tools. It will penalize those companies that “fail to take reasonable precautions to secure their products”.

At present, according to the report, software makers have little incentive to do this, mainly, thanks to their market dominance and the resulting ability to contractually disclaim liability. One primary result, for example, is insufficient testing before releasing a product to market.

In addition to other measures, the National Cybersecurity Agency will also help develop a National Cyber Workforce and Education Strategy, which builds upon existing programs, such as that of the National Initiative for Cybersecurity Education (NICE).

The main points

The most important aspect of the new strategy, as mentioned, is to shift the burden for cybersecurity away from end-users (individuals, small businesses, and local governments), and towards the manufacturers who are “best-positioned to reduce risks for all of us.” To this end, government will increase the level of collaboration with manufacturers and service providers.

Concurrently, it will also create a “safe harbor framework” to protect those companies from liability, so long as they have done their part in developing and maintaining safeguards for their products. Thus, so long as the company—on the one hand—secures the infrastructures using its product, and—on the other—safeguards individual privacy, they will be considered compliant and protected against prosecution.

Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, considers this a welcome conceptual innovation: It “allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes, as previous regulatory attempts have done.

Another point is the aim to disrupt criminal campaigns to the point of making them “unprofitable and ineffective”. According to the White House document, the administration “will continue targeting ransomware gangs operating from safe havens like Russia, North Korea, and Iran,” while strongly discouraging the payment of ransom.

A fourth aspect of focus is cloud computing, which was still in its infancy at the time of the first strategy paper over a decade ago. While vastly leveraging small businesses to compete with major corporations, the wealth of XaaS services also increases a company’s attack surface. Here, the government will “work with cloud infrastructure and other providers to identify malicious use … (and) identify gaps in the cloud computing industry and other essential third-party providers.”

Additional topics of focus include:

  • eradicating the use of unencrypted DNS (domain name system) system requests,

  • expediting the adoption of IPv6, and

  • increasing intelligence sharing

In short, the new strategy takes a comprehensive approach to cybersecurity by addressing its various elements. These include securing federal networks, critical infrastructure protection, and promoting international cooperation. It relies on collaboration between federal agencies, state and local governments, and private sector stakeholders.

Besides, the obvious protection of critical infrastructure as a primary target for cyber attackers, the proposal also focuses on workforce development—all these with the blessing of industry pundits, such as Michael Daniel, president and CEO of the Cyber Threat Alliance, and Tom Kellermann, Senior Vice President of cyber strategy at Contrast Security.

Bumps in the road

The previous 2018 initiative was found lacking mainly due to the lack of incentives for the private sector to take up the challenge. Their lack of involvement was a major hindrance. While admirably addressed in the 2023 update, other challenges remain prominent. Now, critics betoken the lack of financial resources and cybersecurity professionals, while for others, the plan is too vague and lacks clear metrics for measuring progress and success.

A huge impediment is bound to be those software vendors now being hit with a new responsibility. ImmuniWeb founder and CEO Ilia Kolochenko expects them to claim that the new responsibilities will increase prices, harming the end users and innocent consumers. “This”, he writes, “is comparable to carmakers complaining about unnecessarily expensive airbag systems and seatbelts.” In that same article in Security Week, Tresorit’s Szilveszter Szebeni reminds us that “the IT industry has demonstrated remarkable adeptness in evading warranties on their products and offering them for sale ‘as is.’ This apparent lack of accountability is unprecedented in other industries, such as healthcare and construction.

As with most administrative plans, the going is bound to be slow and lumbering… slower, without doubt, than is the emergence of new threats—a game of catch-up between a spritely stalker and a ponderous pursuer. The strategy addresses IoT, for example, but has not even begun to awaken to the threats of quantum computing and AI.

And finally remains the biggest obstacle of them all—the politicians: what the White House decrees, not always does Congress concede.

Between two Houses

The Institute for Security and Technology’s chief strategy officer, Megan Stifel believes that “... getting the necessary authorities passed through Congress will likely be a tough slog”; or, as Robert DuPree, Telos’ Manager of Government Affairs puts it: “The Republican House majority is philosophically opposed to new government mandates … new funding will be needed from … House Republicans (who are committed) to reduce overall discretionary spending.”

And even if that august assembly of dignitaries can be convinced that in times of war, it is the nation that is under attack and not merely its citizens, there are those that urge for caution: “It is one thing to call for harmonizing and streamlining regulation, but another to ensure it is actually done,” claims Brandon Pugh, policy director for the R Street Institute. The new strategycan result in a compliance nightmare … that could undermine free market principles.

Clearly, and given the long-term results that won’t be immediately evident, the proof will be in the pudding—how it will be implemented. The 2023 National Cybersecurity Strategy is a comprehensive plan to improve our cybersecurity posture. While it has several benefits such as a comprehensive approach and international cooperation, it also has several limitations, such as a lack of resources, limited focus on emerging threats, and opposing interests among those affected. Addressing these limitations will be crucial to its success.