Unpacking The National Cybersecurity Strategy: What Matters Most For The Private Sector?

Forbes Technology Council

Public Sector Field CISO, Fortinet.

The White House's National Cybersecurity Strategy can admittedly be a complicated document, organized around six thematic pillars and containing nearly 70 specific initiatives.

While it's easy to be overwhelmed by the details, the bulk of the document's actions are directed at the executive branch of the U.S. government, and most of these government-focused initiatives aren't new. Two factors that make this strategy likely to be implemented successfully are that its content is more evolutionary than revolutionary and that the activities it describes don't require new funding.

Although much of this strategy can be read as providing a thematic focus for disparate ongoing government actions, its overarching themes and assumptions are more novel.

The strategy assumes that we have had a sustained and systemic market failure when it comes to cybersecurity. Implementing cybersecurity has, in large measure, been discretionary, and organizations that opt to avoid it often save money in the short term—until the inevitable cyberattack or breach occurs. The strategy is an attempt to level-set and move cybersecurity from optional to an expected activity, especially for organizations that are part of U.S. critical infrastructure where failure has consequences that extend beyond the enterprise and its customers.

Shifting Responsibility, Increasing Incentives

At the same time, the strategy's authors recognized that making our collective cybersecurity dependent on end users and smaller organizations in critical infrastructure correctly implementing cyber solutions on their own is inefficient and often ineffective.

One of the major themes of the strategy is the belief that more capable parties, such as the manufacturers of IT products and services, should bear more responsibility for cybersecurity by delivering goods that are "secure by design" and "secure by default." This parallels the approach with automotive safety; while there are elements ranging from better highway design to drivers' education, the largest impact in improving safety arguably occurred when vehicle manufacturers focused on making automobiles that were designed to be safer, starting with features such as seat belts and crumple zones.

A second major focus of the strategy is on increasing market incentives to develop cyber resilience. While this strategy has drawn attention for its mention of regulation and the possibility of federally backed cyber insurance, the reality is more nuanced. Where the strategy does call for requirements, it pairs them with market incentives and a push to harmonize existing rules rather than simply adding new layers of regulation. One of the actions taken shortly after the July 2023 release of an implementation plan for the strategy was the launch of a public request for information (RFI) on reducing duplicative or contradictory government cybersecurity-related regulation.

Similarly, the strategy does not aim to displace the burgeoning marketplace for private cyber insurance but rather plans to explore the feasibility of federally backed cyber insurance against a catastrophic national event—much as the federal government implemented for terrorism in the wake of 9/11.

What initiatives and actions are likely to matter the most to the private sector—and how quickly? That depends on what sector you are in along with factors like the size of your enterprise and your customer base. Here are three questions to help you decide the answer that applies to your organization.

• Are you in the IT sector? If so, the strategy's focus on "secure by design" and "secure by default" products and services is likely to affect your organization in the near term as the government and the private sector collaboratively develop goals and approaches. Though the goals are likely to be largely or entirely voluntary, they will shape the expectations of security standards in your customers' minds.

The strategy also seeks to shift liability for insecure software from users to product producers through collaborative work on approaches such as the NIST Secure Software Development Framework (SSDF) and other efforts that are likely to become expected best practices for business.

• Are you currently in one of the other 15 critical infrastructure sectors? If so, the strategy calls on the government to set cybersecurity requirements and standards. Sector Risk Management Agencies and existing regulators in some cases do this; however, the effort is inconsistent, and the net impact is uneven. At the same time that the administration seeks to create greater consistency and a reasonable baseline level of cybersecurity across critical infrastructure, it also suggests that additional organizations may be considered part of critical infrastructure.

The strategy also calls on the government to increase the efficiency of cyber information sharing internally and with the private sector as well as to create sector-specific intelligence. As someone who was responsible for orchestrating the production and use of cyber intelligence by the federal government, I was acutely aware that providing threat information to critical infrastructure did not have a "one-size-fits-all" solution. The strategy provides a needed remedy and the ability to customize such support and interaction by sector.

• Do you currently sell goods or services to the federal government? The strategy has multiple elements focused on improving vendor accountability for the security of the products that companies provide to federal customers. This will be especially important if you inaccurately certify a level of performance or compliance with a standard since the existing False Claims Act can hold an organization liable for damages.

For other organizations, "a rising tide lifts all boats." Progress on creating IT products and services that are "secure by design" and delivered in "secure by default" operating configurations will help organizations of all sizes as well as individual users. Greater transparency into the elements of the IT supply chain and into how their risk is mitigated will also help all users, and action already underway to create the equivalent of an Energy Star rating of security for IoT products (the U.S. Cyber Trust Mark) will similarly benefit everyone.

Effectively Implementing The Strategy

While this strategy may seem at first blush like a set of marching orders for the federal government, its potential impact is much broader. Some sectors and organizations will be more directly affected than others, but everyone has a stake in the successful implementation of the 2023 U.S. National Cybersecurity Strategy.
