
What Business Needs to Know About the New U.S. Cybersecurity Strategy


In March 2023, the Biden administration released a new National Cybersecurity Strategy, which made it clear that the era of private companies voluntarily choosing whether to invest in cybersecurity is over. Instead, the new strategy promises to support new regulatory frameworks that will shift accountability and create incentives for private companies to protect against critical vulnerabilities. This article discusses three concrete things that business leaders need to know about the new strategy. First, each company needs to know its unique vulnerabilities and risks. Second, companies must adopt measures that address those vulnerabilities. Third, the strategy says it will push for legislation to hold companies accountable if they fail to fulfill the duty of care they owe to consumers, businesses, or critical infrastructure providers.

On March 2, 2023, the Biden administration released the long-awaited National Cybersecurity Strategy. In light of cyberattacks targeting American infrastructure, businesses, and government agencies, the document elevates cybersecurity to a critical component of economic prosperity and national security in the United States. It also names a fundamental problem: the private sector, whose key stakeholders include software firms, small and medium-sized enterprises, broadband providers, and utility companies, holds the keys to the public interest in cybersecurity, yet has not delivered on it:

The continued disruption of critical infrastructure and theft of personal data make it clear that market forces alone are not enough to drive widespread adoption of cybersecurity and resilience best practices.

Voluntary progress towards better cyber hygiene on the part of the private sector is no longer enough. Instead, the new strategy promises to support new regulatory frameworks that will shift accountability and create incentives for private companies to protect against critical vulnerabilities.

Why Is a Public Sector Document Targeted at the Private Sector?

The private sector has attracted the attention of a cyber-wary public sector because of several high-profile incidents in the past few years. In 2017, the consumer credit bureau Equifax suffered a breach that compromised the personal information of more than 143 million Americans, leading to a $425 million settlement with the Federal Trade Commission. Malicious actors are increasingly using ransomware against American businesses, demanding large sums of money in exchange for restoring access to, or not leaking, sensitive data.


Ransomware continues to be a popular tactic among criminals because these campaigns so often generate lucrative payouts. According to a Comparitech analysis of ransomware incidents across the US, ransomware attacks on American businesses cost $20.9 billion from 2018 to 2023, with an average ransom demand of $4.15 million for affected businesses in 2022. For example, Colonial Pipeline, which carries 100 million gallons of fuel per day, or 45% of all fuel used on the East Coast, suffered a devastating ransomware attack in 2021, the largest publicly disclosed attack on critical US oil infrastructure to date. The culprit, DarkSide, stole 100 gigabytes of data within two hours and threatened to release it unless the company paid the group 75 bitcoins, worth approximately $5 million at the time. Colonial Pipeline paid within hours, pressed into action by the operational disruption the attack had caused.

No part of the economy is immune. A 2021 survey by the Center for Strategic & International Studies found that 42% of small and medium-sized businesses had experienced a cyberattack in the past year, and estimates suggest that 40% of 2021 cyberattacks targeted small and medium-sized businesses, with attacks on these businesses growing 150% over the previous two years. The data and revenue at stake may be smaller than at large enterprises such as Microsoft, but small and medium-sized companies have fewer resources to devote to strong cybersecurity. In some cases, these companies have no dedicated cybersecurity resources at all.

Three Things Companies Need to Know About the National Cybersecurity Strategy

While the 39-page document is laden with bureaucratic buzzwords like “harmonize,” “stakeholders,” and “multilateral,” we identify three concrete things business leaders should know about the new strategy.

First, each company needs to know its unique vulnerabilities and risks. The Biden administration’s strategy makes it clear that the time for companies to voluntarily choose cybersecurity is long gone. Instead, they need to take proactive steps to understand their threat landscape. Companies should conduct formal vulnerability scans and penetration tests, which identify potential points of entry. Whenever possible, companies should hire ethical hackers, ideally organized as a “red team,” who simulate sophisticated cyberattacks and reveal whether and how adversaries can reach sensitive data or disrupt networks. Companies should also thoroughly vet third-party vendors and software suppliers to minimize the risk of supply chain attacks.

Second, companies should adopt measures that address the vulnerabilities they find. As part of this step, they should take advantage of the strategy’s promise of public-private collaboration in the form of information sharing, as well as practical guidance and support on how to navigate the cyber threat environment. In general, they should take preventive measures, including patching known vulnerabilities, providing regular security training for employees, and deploying anomaly-detection tools, while ensuring they have response plans that limit the scope and damage of successful attacks.

Third, companies need to recognize that one size does not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger enterprises, critical infrastructure, and software providers.

The strategy says that “the lack of mandatory requirements has resulted in insufficient and inconsistent results” and that it will push for legislation to hold these companies “accountable if they fail to fulfill the duty of care they owe to consumers, businesses, or critical infrastructure providers.” These companies may seek to shape the resulting legislation and liability rules, but the strategy makes it clear that more of the responsibility for finding and fixing vulnerabilities will fall on larger businesses, where the stakes are higher and resources are more abundant. Small businesses aren’t in the crosshairs (yet), but they aren’t off the hook either. They should also look for opportunities for collaboration, such as the recently launched National Institute of Standards and Technology initiative to improve communication among small businesses.

When it comes to the concrete implications of the Biden administration’s new National Cybersecurity Strategy for American industry, the devil is in the details. The document lays out core pillars and lofty goals that we welcome, since cyberspace is now the backbone of the US economy. The trick is to pursue them in ways that are mindful of the realistic challenges of identifying and patching every vulnerability, and of the risks that inadequate care poses not only to individuals but to the entire world economy.
