
New Cybersecurity Strategy To Shift Liabilities

Government agencies and large businesses should shoulder the responsibility in case of a cyberattack.

The White House released a new cybersecurity strategy that aims to incentivize investments in the long term by larger organizations, unburdening individuals and small businesses. 

“Securing ourselves against threats is not the only thing that matters, when it comes to cyberspace, if that were the case, we would tell everyone to unplug their computers, but since even our most basic home appliances have chips in them, that is off the table,” said Acting National Cyber Director Kemba Walden at the strategy launch event.

The initiative seeks to “protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base,” according to the document.

Speaking about the strategy, Mark Montgomery, senior director of the Center on Cyber and Technology Innovation, said “[it] is a clear, concise document that clearly lays out the case for a more robust and engaged approach to defending our national critical infrastructure from a growing list of cyber threats.” 

The White House intends to make the cyber environment defensible and resilient, as well as values-aligned. 

The strategy document is organized around five pillars, covering defense, infrastructure, investment and the role of allies: 

  1. Defend critical infrastructure.

  2. Disrupt and dismantle threat actors.

  3. Shape market forces to drive security and resilience.

  4. Invest in a resilient future.

  5. Forge international partnerships to pursue shared goals.

Strengthening critical infrastructure will require new regulations and, possibly, new agencies to build defenses around sectors that are lagging behind, according to the strategy document. Private-public collaboration in this field will be articulated by CISA, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, in coordination with sector-specific agencies. CISA will also continue the modernization of federal civilian agencies. 

As the country upgrades its networks, threats to national defense should be tackled by the Department of Justice and the Department of Defense. The private sector is also invited to participate in defense with the federal government and encouraged to work with nonprofits such as the National Cyber-Forensics and Training Alliance.

“We need to make some fundamental shifts in the way our digital ecosystem works, this is where President Biden's strategy takes a new approach, first we need to rebalance the responsibility for managing cyber risks, rethink who we are asking to keep us all secure,” Walden said. On this, Walden explained that small organizations cannot be forced to confront criminal organizations for their cyber protection. 

Finding that the private sector has not factored national defense into its finances, the administration plans to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities and other risks created by software and digital technologies,” according to the document.

One key sector to examine is cloud computing. “The strategy lays out a strong argument for regulating or incentivizing the cybersecurity of key infrastructures that are lacking specific standards, to include the cloud computing sector,” Montgomery said. 

Still, as more systems go online, the opportunities for attacks multiply. 

“Cloud security is often separate from cloud [computing] and I think we need to get to a place where cloud providers have security baked in with that,” said Anne Neuberger, deputy national security advisor for Cyber and Emerging Technologies.

“Cloud offers an opportunity, especially for small and medium sized organizations, to be more secure,” Neuberger said during an event. 

Government funds will be invested to create incentives to further cybersecurity and to “provide market certainty when catastrophic events do occur,” the document said. This entails creating market stability mechanisms for insurance markets. This framework will be discussed in Congress, and federal insurance may be implemented after consideration, the text says.


The document also focuses on the Internet of Things (IoT), an area increasingly concerning in cyberspace, as small devices with degraded security capabilities are vulnerable targets. The document does not mention efforts to draft comprehensive regulation in this field, as other developed economies are doing.

The document pledges to increase liability for manufacturers and software publishers and to establish improved standards in specific high-risk sectors.

One of the concerns around how the infrastructure behind cyberspace will be shaped in the future centers on the actions of autocratic regimes. As these seek to steer multilateral institutions governing the internet, “the United States and its foreign and private sector partners will implement a multi-pronged strategy to preserve technical excellence, protect our security, drive economic competitiveness, promote digital trade, and ensure that the ‘rules of the road’ for technology standards favor principles of transparency, openness, consensus, relevance and coherence,” the material reads.  

New investment initiatives include having the Office of the National Cyber Director “lead the development and oversee implementation of a National Cyber Workforce and Education Strategy,” states the strategy. 

“This strategy is an important step in the evolution of the National Cyber Director [NCD], an office designed to lead the federal government in combating cyber malicious actors. This document clearly reflects the strong legacy of the inaugural NCD, Chris Inglis, and gives the acting NCD, Kemba Walden, the lead on implementing the strategy’s numerous important tasks over the next two years,” Montgomery wrote in a statement.

The document establishes multilateralism within the United Nations framework and the promotion of diplomatic efforts like the Budapest Convention on Cybercrime as ways to secure cyberspace. Opposition to the People's Republic of China's stance on cybercrime, as well as that of other authoritarian countries, is to be demonstrated by “jointly imposing consequences for behavior that runs counter to agreed norms of state behavior,” the strategy details.

“The emphasis on expanding cyber capacity building support to allies and partners and increasing cyber cooperation with more developed allies and partners is critical to U.S. military and economic interests,” Montgomery said. 

Allies’ capabilities for joint cyber defense and bolstering technology supply chains receive special attention. While partnerships are valued, strategic supply chains are to be on-shored. Work with allies will go toward creating networks of trusted vendors, according to the document.
