White House launches five-pillar National Cybersecurity Strategy

Major policy initiative aims to shift the balance in the cyber security sphere.

The new National Cybersecurity Strategy aims to enable the US, its allies and partners to build a secure digital ecosystem together, and to set a path to address cyber threats. It’s a comprehensive document.

“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us”, the White House said in a statement.


Infrastructure and software

The new strategy builds on prior work, and will replace the 2018 National Cyber Strategy. It aims to cover all possible challenges and weaknesses within cybersecurity, from infrastructure and software vulnerabilities to the shortage of manpower to fill job gaps.

“Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense”, said President Joe Biden.

He added that the administration has moved decisively to strengthen cybersecurity, and has appointed senior experts to improve the nation’s security.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences”, the strategy says.

Five pillars

The strategy is built around these five pillars:

  1. Defend critical infrastructure
    The first pillar will focus on increasing the regulation of critical infrastructure, and is intended to enable public-private collaboration. It also aims to modernize and foster better cybersecurity plans within federal networks, and to create a more up-to-date federal incident response plan.
  2. Disrupt and dismantle threat actors
    This pillar will develop a strategy on how to integrate operations, internationally and with the private sector, that proactively defend against attacks, including launching disruption campaigns. “Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals.”
  3. Shape market forces to drive security and resilience
    A significant change will be the proposed shifting in liability for software products and services. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance”, the strategy states. “Poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost.”
  4. Invest in a resilient future
    This pillar calls for the development of a diverse and robust national cyber workforce, and the prioritizing of cybersecurity research and development for next-generation technologies. It seeks to drive solutions that are economically sustainable, that have clean energy infrastructure and serve the national interest.
  5. Forge international partnerships to pursue shared goals
    The last pillar seeks to bring international unions, and private and public sectors together to counter threats.

PRC most persistent threat

Today, attacks and data theft are growing rapidly, and losses from ransomware attacks are reaching billions of US dollars annually. The attacks have also progressed from money-driven targets to damaging public infrastructure.

“Malicious cyber activity has evolved from nuisance defacement, to espionage and intellectual property theft, to damaging attacks against critical infrastructure, to ransomware attacks and cyber-enabled influence campaigns designed to undermine public trust in the foundation of our democracy,” the report states.


The report names the governments of China, Russia, Iran, North Korea, and other “autocratic states with revisionist intent” as aggressively using advanced cyber technologies to run counter to US interests and global norms. “Their reckless disregard for the rule of law and human rights in cyberspace is threatening US national security and economic prosperity.”

Even if many cyberattacks reportedly come from Russia and Russian-speaking countries, the White House identifies the People’s Republic of China (PRC) as “the broadest, most active, and most persistent threat to both government and private sectors”. It states that the PRC is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so”. 

CRI task force

Before this new strategy was announced, multiple steps to tackle cyber threats had already been made by the administration. One of the initiatives that the White House has convened is the Counter-Ransomware Initiative (CRI), a global group with members from 36 countries and the EU, which we have reported on. The CRI’s five core goals are to increase resilience, disrupt ransomware cartels, counter money laundering, build partnerships with private sector cyber firms, and strengthen international cooperation. In January, the group launched an international counter ransomware task force, led by Australia.

The task force will be responsible for developing cross-sectoral tools and threat intel exchange, and consolidating policy and best practice guidance. 

“Ransomware represents a global threat, and Australia calls on other nations to be part of this global initiative to support effective detection, disruption and prosecution of cyber criminals who use ransomware for financial and other gain,” said Minister for Home Affairs and Cyber Security the Hon Clare O’Neil, who is also chair of the task force.

The members of CRI are: Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Czech Republic, Dominican Republic, Estonia, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, Ukraine, and the European Union.

Australia number one

Minister O’Neil wants Australia to be the most cyber secure country in the world by 2030, and was pleased that Australia was ranked first in the world by MIT last week for showing the greatest progress and commitment to enhancing cyber security.

“Today’s report is great recognition for the thousands of dedicated personnel who are working tirelessly to help us keep pace with the constantly evolving cyber threat, but we will never stop improving our national resilience and security”, said O’Neil. “This will ensure that all areas of government working to protect Australians from cyber threats are operating as efficiently as possible, and adds to work already under way to protect our critical infrastructure.”

Read the National Cybersecurity Strategy here.