Nine Takeaways from the Newly Announced National Cybersecurity Strategy

By Max Shier

03/14/2023

Cybersecurity Strategy Online Article

Recently, the Biden administration released its much anticipated National Cybersecurity Strategy. Founded on five pillars—defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals—the strategy builds on the 2018 National Cyber Strategy issued by the Trump administration, as well as several other national security memorandums and Executive Order 14028. 

Though the five pillars identified in the 2023 strategy are vastly different in verbiage from the 2018 version, they are similar in intent—and they’ve been modernized to meet today’s threats and cybersecurity trends. Some of the initiatives within focus on areas that warrant much-needed national attention, and others change the national cybersecurity landscape for developers and service providers.

There is a lot to digest in the 39-page strategy, but here are a few key themes that stood out to me, as well as key takeaways for each:

  1. The strategy further calls for formalizing performance-based cybersecurity requirements across critical infrastructure and government systems, including national security systems. There are some initiatives already underway that aim to do just this, including Cybersecurity Maturity Model Certification (CMMC) for those that process or handle government-controlled, unclassified information—and this is a good start. The 2023 strategy, however, takes the principles within CMMC and makes them more widely applicable to all industries deemed “critical.” Among other things, the strategy emphasizes that regulations must be agile enough to adapt to adversaries’ tactics, there must be a focus on secure-by-design principles, and systems must be designed to fail safely and recover quickly, all of which are a marked change from what have been compliance-based regulations in the past. This points to a continued trend of the government taking a risk-based approach to cybersecurity. 

  2. An emphasis is placed on increased collaboration between the government and the private sector, including increased access to sensitive cyber intelligence for those defending critical infrastructure and increased speed to sharing of information across industries and the government. This speaks to the importance of enabling real-time, actionable, and multidirectional sharing, which is a capability that the industry needs. Any increased visibility into bad actors’ tactics, techniques, and procedures, especially intelligence that is actionable and timely, is a positive for the industry. 

  3. A specific section regarding national security systems calls for increased protection against insider threats and nation-state actors. Actively identifying these systems for modernization of cybersecurity requirements is something that has been long overdue. My hope is that this will carry over to the defense industrial base as well and include an effort to modernize the archaic architectures and limitations levied on national security systems. A concerted effort to move to more secure cloud platforms and enable more effective cybersecurity tools needs to be made in this space.

  4. The move to zero-trust architectures is another recurring theme in the strategy, which reflects the push in the industry. We will continue to see the federal government modernize its security to reflect industry standards, and its move to zero trust is no different. What is different, however, is its sense of urgency to act. Several recent policy memos and regulations have centered on modernizing government cybersecurity infrastructure, and this is emphasized heavily in the 2023 strategy.

  5. The themes of accountability and shifting liability, including holding developers responsible for security vulnerabilities in their products and moving to incentivize secure development practices, are repeated throughout the document in several sections. This is coupled with a call for increased federal oversight and standards, and continued development of a software bill of materials. This follows a continued struggle in the industry with software supply-chain issues and third-party software. For example, according to Statista, there was a 742 percent increase of opensource software supply-chain attacks from 2020 to 2022, and I expect that trend to continue.

  6. The strategy details the exploration of a federal cybersecurity insurance program. This has been a hot topic in the industry as insurance premiums have been increasing, policies have stricter terms and more exclusions, and it’s growing harder to secure a policy. While there weren’t too many details on the program, I foresee this gaining traction if the cyber insurance market continues to head in the same direction. 

  7. Another focus area that aligns with current trends in the cybersecurity market is developing cybersecurity talent and strengthening the cybersecurity workforce. There continues to be a shortage of qualified cybersecurity professionals across the government and industry. The 2023 strategy places a focus on closing this gap, mentioning several ongoing efforts that are helping remediate the shortage of workers, including the National Initiative for Cybersecurity Education, CyberCorps, and National Centers of Academic Excellence in Cybersecurity program. 

  8. Pillar five was dedicated to international partnerships, which is critical to ensuring that other countries help enforce the rule of law and agree to norms of behavior. As the 2023 strategy states, most attacks against the United States originate from outside the country. This, in and of itself, is why we need to focus on building a common vision and agreed-upon norms around the world.

  9. Also in pillar five, there is a focus on securing the supply chain and ensuring goods are sourced from trusted vendors and countries. The concerns about and subsequent banning of Huawei and ZTE in the United States opened people’s eyes to potential spying and supply-chain issues from countries and companies that may be tied to nation-state actors. This reflects the continued posture toward hardware supply chain-risk mitigation and a continued move toward sourcing from US-based companies and trusted foreign vendors. 

We’re living in an unprecedented threat landscape, and we can only protect ourselves from bad actors if we work together. This means there must be ongoing collaboration between the private and public sectors. This is exactly what the Biden administration aims to jumpstart with its 2023 strategy, and the initiatives within will put us on the path to cybersecurity success.

Max Shier
Max Shier is the chief information security officer at Optiv. He has more than 27 years of experience in all facets of security, including direct cybersecurity, information technology, cybersecurity oversight, and implementation of critical space-based national defense programs.