The White House has unveiled the Biden-Harris Administration National Cybersecurity Strategy, and it has some really important implications for the tech channel.
Two Key Topics
Directly from the WhiteHouse.gov website.
“Rebalance” the Responsibility
Topic 1 aims to “rebalance” the responsibility to defend cyberspace by shifting the burden from individuals and small businesses “onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
The implications here seem quite obvious, but it will obviously depend on how things are actually implemented. However, I would expect the burden to shift heavily onto technology service providers and application developers (especially considering Jen Easterly’s comments). I wholeheartedly agree with this sentiment; it’s simply unreasonable to expect consumers and small business owners to carry the burden here. Application developers and providers should be developing and deploying secure-by-default configurations and features and should absolutely be responsible for their own code. Technology providers need to be aggressive in closing the gap on key security practices, such as MFA and device management.
“Realign” Incentives to Favor Long-Term Investments
This one is equally important. Per the release:
We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.
Cybersecurity (and tech in general) requires practitioners to walk a tightrope between putting out today’s fires and putting fire prevention in place for tomorrow. We can use all the help we can get in balancing these priorities, and laying out a strategy to do so is key.
Defensibility: Front and Center
I’m thrilled to see the word Defensibility featured on WhiteHouse.gov – it’s a key term we all need to adopt. Looking at the article:
Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
I see defensibility a little differently, but I do not feel this take is wrong. Basic cybersecurity does need to be easier and less costly to achieve. We shouldn’t be faced with a 6300% price hike to get single-sign-on, and every consumer (business and individual/family) should have access to affordable tools and information to protect themselves. The “Vision” portion of the release also lays out two other key concepts:
- Resilient – Building resiliency at the core, reducing the impact of a single incident is how I read this one.
- Values-aligned, “where our most cherished values shape—and are in turn reinforced by—our digital world.”
Obviously none of this cybersecurity strategy matters without the “how.” The Administration has delivered five “pillars” to their approach:
- Defend Critical Infrastructure.
This one is important; it’s no secret that our CI is at risk.
- Disrupt and Dismantle Threat Actors.
Going on the offensive and catching the bad guys will always be a key part. We need to make it less attractive to be a threat actor. Also, see Wes Spencer’s take on the importance of not only arresting the bad guys, but the government’s role in helping victims through incidents.
- Shape Market Forces to Drive Security and Resilience.
I think this one is best explained by the text in the release:
  - Promoting privacy and the security of personal data;
  - Shifting liability for software products and services to promote secure development practices; and,
  - Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
- Invest in a Resilient Future.
Put out the fires today, but don’t forget about tomorrow. This one has a deep focus on cyber R&D and developing a diverse and robust national cyber workforce.
- Forge International Partnerships to Pursue Shared Goals.
Cyberspace is global, so a global approach must be taken to protect it.
The White House Cybersecurity Strategy has been long awaited, and I’m hopeful it comes to fruition. The key concepts covered make a ton of sense.
Call to Action
There is a key call to action embedded in this strategy. The rebalancing of responsibility is not going to be limited to application developers. Technology service providers and MSPs will be a part of this and will absorb some of the burden. The National Cybersecurity Strategy can be used as a great talking point with customers directly about the importance of upping their cyber game. In addition, definitely publish content under your MSP’s brand about it!