The National Cybersecurity Strategy was released by the Biden-Harris administration. As the administration continues to push the expansion of internet access across the country, there's an additional push for improved cybersecurity measures. The strategy is meant to shift cybersecurity responsibilities away from individuals and small businesses and onto larger organizations.
The administration aims to take a proactive approach in strengthening digital defenses and clean energy development. The strategy stresses collaboration and investment incentives to promote development.
The strategy is built around five pillars:
- Defending critical infrastructure: expanding minimum cybersecurity requirements and updating federal networks.
- Disrupting and dismantling threat actors: building defenses against ransomware.
- Shaping market forces: prioritizing data privacy and new security infrastructure.
- Investing in a resilient future: minimizing vulnerabilities and workforce development.
- Forging international partnerships: protecting supply chains and building partnerships.
Here is what security leaders have to say about the strategy:
Tim Chase, Global Field CISO at Lacework
“This policy reinforces what software companies should have been doing all along — investing and executing on secure development practices. As the creators of their offerings, they are responsible for the repercussions that can place the government, businesses, consumers and more at risk to adversary actions. While it’s frustrating that we need to rely on the government to validate this effort, it’s clearly needed and now outlined as a basic (and expected!) standard. While all will benefit from this new strategy, it will require software companies to reprioritize and strategize in order to implement the contents of this policy. Secure development practices start at the code level and require implementing Infrastructure as Security (IaC) and scanning applications source code. Both are paramount to reduce risk of security incidents in production and decrease time and effort of security remediation. We no longer need to wait for a product to reach the market before learning of a vulnerability or explicit security threat. Today, we can address in real time, at the source, saving businesses money and end-users from unnecessary repercussions.”
Duncan Greatwood, CEO of Xage Security
“The National Cybersecurity Strategy released today is broad and high-level, but nonetheless embodies and foreshadows a number of major advancements.
The first pillar, focused on defending critical infrastructure, is closely aligned with the cybersecurity performance goals recently released by the Cybersecurity and Infrastructure Security Agency (CISA). The Biden administration’s strategy will enable CISA to turn these requirements into enforceable regulations, spurring real cybersecurity improvements. Equally important, new innovations in cybersecurity are making it practical for critical infrastructure operators to comply with the upcoming requirements without requiring ‘rip and replace’ of existing equipment and networks - so operators can overlay new cyber protection in a timely fashion.
Another aspect of this first pillar focuses on defending and modernizing federal networks and updating the federal incident response policy. Federal agencies are embracing zero trust with defense-in-depth to ensure there are preventative cyber measures in place to ensure the continuity of key systems and critical infrastructure.”
Jason Rebholz, CISO at Corvus Insurance
“It’s encouraging to see the government step in to support businesses in combating cybersecurity threats. For too long, businesses and individuals have been forced to defend against a well-funded, well-trained and well-motivated adversary. This is the right next step in keeping American citizens and businesses safe in the escalating cyber war.
What matters now is taking ideas from policy and implementing them. Cybersecurity has a history of being long in policy but short on execution. The White House has taken a decisive stance on ransomware in strongly discouraging the payment of ransoms. The reality is that in the current environment ransomware is too profitable and too easy for hackers. Increasing barriers to profit can be an effective strategy in combating ransomware.”
Jacob Berry, Field CISO at Clumio
“First, the strategy outlined an initiative to increase the burden on technology companies to provide secure software and services. This is likely to lead to legislation that will create new penalties, or increase penalties, for businesses who do not follow security best practices aligned to NIST standards. This means investment and auditing will need to increase across all domains.
Second, the federal government plans to “shape market forces”. This will come not only in the form of regulation, but in grants and monetary investment in cybersecurity research. For us who preach the need for continued investment in this sector, we are excited to see commitment towards private public partnerships.
Finally, we may see federal legislation around privacy and data governance introduced in the future. With many states implementing their own privacy legislation, this may bring a welcome change to a more centralized strategy to U.S. data privacy law.”
Brian Shealey, VP of Public Sector at Immuta
“While this Cybersecurity Strategy addresses many pain points for our nation and its people, I see it as version 1.0. The main points are favorable, but what stands out is the allocation of resources to our intelligence community to help in ideological battles with China and Russia. Further, this strategy is not just about technology: it's about having the ability to leverage technology for potential positive future outcomes, but also ensuring that technology is used responsibly and ethically. Part of this investment must be in funding early-phase STEM education programs to equip our future workforce with the skills and experience necessary to carry the cybersecurity flag into the next generation.
We need to ensure that “secure by design” is a paramount priority in all aspects of our digital lives, from the applications and systems being built by companies or government agencies, to the laws and policies protecting the privacy of U.S. citizens. Investing in a resilient future is critical, especially with quantum technology just over the horizon. Market forces can be influenced by policy/law (driving fear), but also through incentives (driving intent) — it’s encouraging to see that both are outlined in this strategy.
This new framework requires additional improvements to meet the growing complexities of the cyber world which, with our increasing reliance on digital technology, is a marathon, not a sprint. We’ll need funding earmarked in our budgets to support strategic shifts and will have to find ways to drive the adoption of these objectives effectively and efficiently. Additionally, we’ll need to ensure that future administrations continue to drive this initiative forward.”
Camellia Chan, CEO and Co-Founder of Flexxon
“With the new policy, the onus is now on technology companies to mitigate cyber risks and as a result, they are forced to take a hard look at their security programs to ensure they are meeting these new standards and guidelines. That said, they must also look beyond their current approaches to discover new ones that will strengthen their cybersecurity frameworks even further. This adds another level of pressure that security professionals already experience as cyberattacks continue to grow in volume and complexity. With that, it’s more important than ever that companies close the security gap and recognize the glaring vulnerabilities of software-based defenses, and ensure they are protected at every level.”
Peter McKay, CEO of Snyk
“We have seen numerous organizations that are embedding secure software best practices in their development cycles from the start, or the initial line of code. They are doing this by empowering their own developers to create secure applications in a seamless and responsible way. By integrating and automating secure software development practices into their workflows, they are deploying ways to find, fix and remediate vulnerabilities in both pre-production and production applications, and as a result, bringing developers, IT and security teams together as one team.
The new White House cyber strategy is a rallying cry for developer security. Organizations should address developer security now, before rules are put in place that will impose fines and other penalties on organizations that fail to do so.”