President Joe Biden’s new Cyber Security Strategy, issued in March 2023, accompanies a wave of regulation that has swept the U.S. As cybersecurity rises through the list of priorities for businesses, legislators and regulatory bodies are following suit, ushering in higher reporting standards and preventative measures.
The U.S. Securities and Exchange Commission’s (SEC’s) 2022 cybersecurity proposal was part of this wave. The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule would, if passed, require listed companies to report cybersecurity incidents within 72 hours to investors, shareholders, and customers, as well as the Cybersecurity and Infrastructure Security Agency (CISA).
The goal is harmonized regulation across sectors, under the aegis of the federal administration, that will effectively combine to form standardized cybersecurity practices. Biden’s new cyber strategy advocates this brand of tech regulation as the answer to a dramatic increase in cyberattacks, but is the private sector on the same page?
A new cyber strategy
President Biden’s landmark Cybersecurity Strategy aims to hold software makers directly responsible for their systems’ defensive capabilities, urging them to take precautionary measures to ensure their systems cannot be hacked. This shifts the burden of cybersecurity from individuals, small businesses, and local governments onto institutions that have the resources and expertise to counteract sophisticated hacker techniques.
This aligns with the efforts of the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD) to hamper the efforts of hackers to disrupt businesses, governments, and critical infrastructure organizations. The FBI already actively collects and shares intelligence whilst seeking justice for victims of attacks, working to unmask those committing malicious cyber activities. However, where the FBI has the power to rapidly respond to major incidents, Biden’s strategy encourages companies to take preventative measures to avoid such incidents.
It is made clear within the strategy that technology as a whole has been recognized as a sector of critical infrastructure, and the new regulation surrounding its application, use, and protection reflects this. The worldwide increase in nation-state attacks in the last year has disabled and disrupted government websites, critical infrastructure, and operational systems. The strategy emerges in the wake of a wave of high-profile cyber breaches and ransomware attacks on these sectors. An example of this is pro-Russian hacking group Killnet’s attack on NATO networks in February. The attack disrupted communications between NATO and airplanes providing earthquake aid to a Turkish airbase. The attack also took NATO’s sites temporarily offline.
Past regulation has relied on governments advising companies to voluntarily report cyberattacks on their networks and regularly patch vulnerabilities in their systems to defend against the latest known cyber threats. However, Biden’s new National Cyber Security Strategy declares that such good-faith efforts are insufficient to defend against the growing threat landscape, pushing for stricter regulation, which will force companies to declare breaches.
Minimum cybersecurity requirements will be expected from companies and businesses spanning a multitude of industries. Whether organizations are in the public or private sector, this new strategy will impact their cybersecurity policy.
Building a mentality of resilience
Biden’s policy document focuses on the importance of cyber resiliency. It advocates for requirements to be imposed on all critical infrastructure organizations — such as oil, gas, aviation, and rail providers — rather than just a few. The definition of critical infrastructure is likely to expand as the threat landscape broadens and the damaging effects of cyberattacks and data breaches become even more evident.
Large private sector organizations may already have comprehensive cyber incident response plans in place. However, another objective of this new directive is to streamline this escalation process, essentially ensuring information sharing and ownership of the response actions for each cyber incident. By increasing the speed and scale of intelligence sharing and victim notification, the response to attacks by organizations and their communication with stakeholders will come under increased scrutiny. This puts more pressure than ever on organizations to understand the real-time safety of their systems.
Just as our military must constantly train, adapt, and improve its teams, businesses must take a proactive approach to develop and test their processes and technologies. Private sector technology underpins vital services and, up until now, the responsibility to protect that technology has been placed on private enterprises. This policy imposed by the Biden administration suggests that the federal government intends to take stricter action to enforce this defense and support it where necessary.
Cyber war games
To align with Biden’s new cyber strategy, businesses must take measures to protect their network integrity and safeguard their data stores. “Zero trust” continues to be the main driver for federal security. This security framework requires all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to data. Data security is at the heart of this as a renewed emphasis has been placed on operational technology systems and networks. Yet it is these same cyber tactics that are launched against businesses and organizations across the globe. Therefore, these companies must also adopt a zero trust policy when it comes to cyber defense.
One of the key technologies that can help organizations build cyber resilience is high-fidelity, mil-spec cyber ranges. Cyber ranges allow companies to validate their people, processes, and technology and can help them assess their alignment with the new cybersecurity strategy.
By creating a scaled replica of an organization’s production environment, including its primary defense tools, businesses can identify weak areas in their security stacks. These can then be either offloaded or replaced with more successful and cost-effective applications. Cyber ranges also allow businesses to quantifiably track their cyber defense success and monitor their performance against threat actors. Businesses can make improvements without risking major damage to their production network or sacrificing system uptime.
As implemented by U.S. forces, the methodology of testing your assets to failure within a safe environment is the most effective way of ensuring that your systems are best placed to counter a potential cyber breach. This simulated arena shifts power away from hackers who are intent on extracting sensitive data and damaging critical systems.
Threat actors are relentless in their tenacity, aggression, and frequency. As hackers continue to exploit new attack paths, businesses must ensure they are able to limit the dwell time of an attacker, so their network can recover quickly after a breach.
Demanding the continuous improvement of security capabilities and focusing on long-term security outcomes is one of the most fundamental advancements proposed by this new strategy. Resiliency can be cultivated through the cyber range environment, helping to validate a business’s defense tactics while ensuring they are also aligned with the new Biden initiative.
A collaborative effort
The new Biden strategy seeks to introduce a more coherent collaboration between CISA, sector risk management agencies, and private sector organizations to improve partnerships at scale. Threat intelligence sharing will be critical in the defense against cyber criminals. It is this collaboration between vendors and governments that will result in the change in stance required to shift to a security-first mindset.
Organizations that collect, use, and manage the preservation of sensitive and personal data have a responsibility to do everything in their power to protect and secure it. This goes beyond rules and regulations — it’s a foundation built on cooperation and trust as businesses undertake a guardianship role in advancing the privacy of their customers.
Biden’s new cybersecurity strategy highlights, for the first time, the need for robust cyber resilience. As our military preparedness relies on training within kinetic field environments, we are now starting to see this “training for live combat” mentality in cyberspace. This is a move from reactive to proactive cybersecurity. Cultivating a mindset of security and resilience in the U.S. technology ecosystem requires constant testing of current procedures and an ideology of collaboration throughout the technology sector globally.