by: Paul Lanois
According to media reports, White House Office Federal Chief Information Security Officer and Deputy National Cyber Director Chris DeRusha has indicated that the Biden administration is already reexamining the implementation plan for its national cybersecurity strategy, published on March 2, 2023. The government is also considering changes to its national cyber incident response plan.
By way of reminder, the current strategy places greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers. It is built upon five pillars:
- Defend Critical Infrastructure;
- Disrupt and Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future; and
- Forge International Partnerships to Pursue Shared Goals.
For each pillar, the current National Cybersecurity Strategy identifies a set of “strategic objectives” that relies on two “fundamental shifts” in the nation’s approach to cybersecurity:
- rebalancing cybersecurity responsibilities away from end users and smaller organizations and placing them instead on “the most capable and best-positioned actors” within the public and private sectors, namely “the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems”; and
- realigning incentives in both government programs and private sector markets to encourage long-term research, development and implementation investments in cyber resilience.
To achieve these goals, the current National Cybersecurity Strategy proposes several actions and initiatives across government and society. In particular, it plans to expand minimum cybersecurity requirements for critical sectors such as energy, transportation, health care, and finance. It also calls for the Biden Administration to work with Congress to pass new legislation that would give federal agencies more authority and resources to prevent and respond to cyberattacks. Finally, it pledges to use all available tools, including sanctions, indictments, and diplomatic pressure, to disrupt ransomware networks and hold their operators accountable.