The US government has released a national cybersecurity strategy that will shift the burden of responsibility for data protection towards software vendors and service providers.
“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us,” the White House wrote in a fact sheet published last week.
The main objectives of the strategy are to defend critical infrastructure, thwart malicious threat actors aiming to endanger US interests, invest in a more secure digital ecosystem, and develop international partnerships and achieve shared goals.
Passing the buck?
There are concerns that the government’s new outlook on how cybersecurity should be managed essentially absolves the public sector of any blame. The government is mitigating this by promising to “deepen operational and strategic collaboration with software, hardware, and managed service providers.”
The extent to which the White House will take accountability for security incidents that occur through third-party software remains unclear.
However, it’s no small threat. According to a Ponemon Institute and RiskRecon study, 54% of surveyed organizations suffered a data breach caused by a third party between 2021 and 2022.
Besides this shift in philosophy, the government’s strategy also contains plans to develop aggressive campaigns designed to make cyber crime unprofitable.
“Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals,” the proposal claimed.
“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior [to] make it more difficult for adversaries to abuse U.S.-based infrastructure while safeguarding individual privacy.”
The White House emphasized ransomware as a particular threat, with criminal gangs crippling public and private sectors alike, disrupting processes, and extorting money.
President Biden stressed that the government “strongly discourages the payment of ransoms,” and that it would continue to target ransomware gangs operating from safe havens such as Russia, North Korea, and Iran.
“The cyber operations of criminal syndicates now represent a threat to the national security, public safety, and economic prosperity of the United States and its allies and partners,” the administration added.
“Total economic losses from ransomware attacks continue to climb, reaching billions of U.S. dollars annually.”
“Over the last ten years, [China] has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten U.S. interests and dominate emerging technologies critical to global development,” the strategy reads.
“Russia remains a persistent cyber threat as it refines its cyber espionage, attack, influence, and disinformation capabilities to coerce sovereign countries, harbor transnational criminal actors, weaken U.S. alliances and partnerships, and subvert the rules-based international system.”
What else is the White House doing?
President Biden has been far more committed to cybersecurity than his predecessor, and the National Cybersecurity Strategy is the latest in a series of efforts to address the threat of cybercrime.
Last summer, he signed two bills into law. The first, the Federal Rotational Cyber Workforce Program Act of 2021 (Bill S. 1097), established a system of responsibility within the Federal Cyber Workforce.
The law states that “certain federal employees may be detailed among rotational cyber workforce positions at other agencies.” It also authorized agencies to determine which employees are eligible for the program.
Meanwhile, the State and Local Government Cybersecurity Act of 2021 (Bill S. 2520) introduced new rules requiring the Department of Homeland Security to increase its collaboration with state, local, tribal, and territorial entities when addressing cybersecurity threats.
The department must also work with corporations, associations, and the general public to identify and mitigate risks.
Asking these laws or the National Cybersecurity Strategy to curb the threat of cyber attacks is a tall order. The US is hit harder by cybercrime than any other country in the world, with organizations spending $9.44 million on average responding to security incidents, more than twice the global median.
Legislation is certainly a key component of effective information security, but it needs to be supported with ongoing efforts at an organizational level.
If you’re not already educating your employees on the threat of cyber crime, now is the time to begin.
Our Cybersecurity Complete E-Learning Suite contains all four of our e-learning programs, which, when combined with your continual awareness campaign, will boost your employees’ understanding of a range of topics.
And as it is an annual package, you can roll courses out throughout the year to keep staff awareness as a central part of your business while avoiding the risk of overloading employees with too much training in one go.