USA: Two fundamental shifts in the new “National Cybersecurity Strategy”
In March 2023, the Office of the National Cyber Director released the public version of the National Cybersecurity Strategy, which provides strategic guidance for how the U.S. should protect internet users from cyberattacks and bad actors. This new strategy highlights two fundamental shifts in how the U.S. “allocates roles, responsibilities and resources in the cyberspace,” and cybersecurity professionals have lauded it as a welcome change to previous strategies.
Below are the key ways the new National Cybersecurity Strategy changes the landscape of privacy and data security:
The new strategy removes some of the burdens on end users to protect against malicious cyberactivity and places more responsibility on the owners and operators of technology systems. The strategy states: “End users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity. A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
The new strategy realigns incentives to favor long-term investments in cybersecurity. Among the stated long-term investments in promoting cybersecurity are “generational investments in renewing our infrastructure, digitizing and decarbonizing our energy systems, securing our semiconductor supply chains, modernizing our cryptographic technologies, and rejuvenating our foreign and domestic policy priorities.”
The new National Cybersecurity Strategy consists of five pillars:
- Defend critical infrastructure. To do so, the federal government will expand the use of minimum cybersecurity requirements in critical sectors, enable public-private collaboration, and modernize national networks and incident response policies.
- Disrupt and dismantle threat actors. The strategy aims to “make malicious cyber actors incapable of threatening the national security or public safety of the United States” by strategically using tools of national power to disrupt bad actors, engaging the private sector, and addressing ransomware threats in collaboration with international partners.
- Shape market forces to drive security and resilience. The strategy will place responsibility on those best positioned to control cyber threats, including by shifting liability for software products and services onto those who build and sell them.
- Invest in a resilient future. Among the investments are reducing systemic technical vulnerabilities and prioritizing cybersecurity research and development.
- Forge international partnerships to pursue shared goals. The strategy seeks to leverage international coalitions and alliances and bolster defensive strategies to protect against cyberattacks.
Companies are reminded to review and update their privacy and cybersecurity policies regularly and employ cybersecurity best practices, including:
- Running and maintaining backups of critical data offline, in the cloud, or on an external hard drive.
- Securing data backups so the backup is not accessible for modification or deletion from the system where the original information is housed.
- Installing and updating anti-virus and anti-malware software.
- Instructing employees to use only secure networks and to avoid public Wi-Fi networks.
- Using multi-factor authentication when users log in.
- Requiring employees to use strong passwords and ensuring they are not reused across multiple accounts.
- Reminding employees not to click on suspicious links, and conducting regular tests and training to raise awareness.
- Identifying employees on call for any IT security issues that arise on weekends or holidays.
- Ensuring appropriate cybersecurity insurance coverage.