Biden National Cybersecurity Strategy Key Takeaways
Major changes are underway, with new rules for federal agencies and updated requirements for public-private partnerships. We discuss the implementation plans for the strategy's first two pillars: defend critical infrastructure and disrupt and dismantle threat actors.
After President Biden unveiled America’s National Cybersecurity Strategy earlier this year, both the government and the private sector have been waiting to learn how the plan’s five pillars will be put into practice. The recent Implementation Plan outlines the many coming changes to bring government organizations and private industry in line with the strategy’s new requirements.
This “living document” is meant to evolve over time, but there are already plenty of changes that security leaders should take note of.
Ed Cabrera, chief cybersecurity officer for Trend Micro and former CISO of the U.S. Secret Service, applauds the White House for their ambitious strategy but says implementing their plans will be easier said than done. “You have 65 individual initiatives that they’re going to be focusing in on,” he explains. “What’s the path to success? Well, there’s a lot of headwinds.”
Cabrera discussed the implementation plans for the strategy’s first two pillars in conversation with Jon Clay, Trend’s vice president of threat intelligence.
What are the National Cybersecurity Strategy’s five pillars?
The National Cybersecurity Strategy emphasizes public-private collaboration to better defend against cyber threats and shift the burden away from end users. It also highlights the increasing connectivity of both America and the world at large, and provides incentives to encourage long-term investment in security, resilience, and new technology.
The strategy’s five pillars are:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Defend Critical Infrastructure
The first pillar of the government’s new cybersecurity strategy asserts that owners and operators of critical infrastructure should “have cybersecurity protections in place to make it harder for adversaries to disrupt them.” These protections include new government requirements in some sectors and new authorities to set regulations for others.
The key initiatives for this pillar will be to establish these new requirements while increasing public-private collaboration. The government hopes to bolster cybersecurity by promoting information sharing, updating the National Cyber Incident Response Plan (NCIRP), and modernizing several federal networks.
Cabrera says that planned updates to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) will provide a “common language” for adoption and compliance. But uniting the public and private sectors could prove to be a serious challenge.
“It really depends a lot on a public-private partnership,” says Cabrera. “If 80% plus of critical infrastructure resides in private industry, we need much tighter integration and partnership to be able to get it done.” Cabrera warns there will also be plenty of unforeseen roadblocks in the government’s plan to update and proliferate the NCIRP.
“I think from the outside looking in, everybody assumes or thinks about the federal government as this homogeneous entity. And that it's just very easy to do things,” he said. “In the Department of Homeland Security (DHS) alone, you have 22 different agencies that fall under DHS. And so, you look at the Department of Defense (DoD) and you look at other civilian departments, it becomes a challenge when you're trying to establish this national cybersecurity incident response plan.”
Disrupt and Dismantle Threat Actors
The strategy’s second pillar takes a proactive approach to cyber threats. It emphasizes public-private cooperation and intelligence sharing, increasing the speed and scale of victim notification, and countering the most persistent forms of cybercrime, like ransomware.
Planned initiatives for this aggressive approach include strengthening and centralizing the government’s threat response capacity and removing barriers between the public and private sectors. There are also global components to this pillar, with initiatives to disrupt ransomware groups and support the spread of anti-money laundering and terrorism financing procedures worldwide.
For Cabrera, such ambitious plans are long overdue. “We’ve been saying this collectively in federal government for quite some time that we need to do a better job to disrupt and dismantle.”
“From a cybercrime perspective, it’s like going after organized crime,” he explained. “But obviously cybercrime and cybercrime groups, crime-as-a-service and ransomware-as-a-service crews operate pretty much at will.”
Successfully disrupting the “digital safe havens” that shelter these groups will require disrupting the trust and money that they rely upon, says Cabrera, and that will be much easier with cooperation from the private sector.
“As a private company, we have a lot of threat intelligence that we can share with them and to support that,” he says. “There's a task force on ransomware that the U.S. government is part of, this strategy that they want to take and figure out how to disrupt and dismantle the ransomware gangs out there, and we're seeing some evidence of that happening.”