We have a new National Cybersecurity Strategy, what does it mean?

In this 39-page document . . . 

The Biden administration starts off by recognizing that cybersecurity is here to stay, that this is something that everybody should learn to live with and do as part of their use of technology. The document also says that the administration is investing 65 billion to make sure every American has access to reliable and high-speed internet.

"Cybersecurity is here to stay. This is something that we have to learn to live with."

The document goes on to say, "When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another or connect to the internet, to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable, and secure. This National Cybersecurity strategy details the comprehensive approach my administration is taking to better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of our digital future."

In response to escalating cybersecurity threats, the White House released the new National Cybersecurity Strategy on March 1, 2023.

Further, the document reads, "Our world is at an inflection point that includes our digital world, the steps we take, and the choices we make today will determine the direction of our world for decades to come. This is particularly true as we develop and enforce rules and norms for conduct in cyberspace. We must ensure the Internet remains open, free, global, interoperable, reliable, and secure, anchored in universal values that respect human rights and fundamental freedoms."

To sum it up, he is saying that we really have to start making some hard decisions about what we want to accept and what we don't want to accept on the internet. And that's going to come at a cost to how we normally think the internet should work.

We will figure things out

"We will figure out cyber security, just as how we figured out the use of seatbelts, airbags, and car crash detection system." Bryan Hornung, CEO XactIT Solutions

Back in the 20s to the 30s when cars were first being manufactured, safety really wasn't paramount. It was only in the 70s-90s that you saw safety regulations starting to come into place. It started off with simple things like seatbelts, and then airbags, and then we've evolved into crash detection systems. The same thing is going to happen with technology. We're going to figure things out. We're going to need to put guard rails in place. This way, people cannot be scammed, cannot be hacked, and cannot have money stolen as easily as it can be done today. And that's really the heart of what the Biden administration is trying to put out here.

Responsibility shifts from consumers to big tech companies

One of the things I really want to point out is this section of the document where the burden of who's responsible for the data security shifts from the people who are most vulnerable to the big tech companies. The document says that to build the secure resilient future that we want, we must shape market forces to place the responsibility on those 'within our digital ecosystem that are best positioned to reduce risks' or shift the consequences of poor cybersecurity 'away from the most vulnerable', making our digital ecosystem more worthy of trust. In addition, the document says, "In this effort, we will not replace or diminish the role of the market, but channel market forces toward keeping our country resilient and secure."

The new Cybersecurity strategy shifts responsibility from consumers to big tech companies.

That's a nice way to say to businesses that they still need to offer technology like they do today. But they also need to make sure that they're doing the right thing to secure their environment. And that means that businesses should have to spend more money to secure their networks because we're certainly not where we need to be today with businesses doing everything that they need to do.

And then the document goes on to say that we must hold stewards of our data accountable for the protection of personal data, drive the development of more secure connected devices, and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities and other risks created by software and digital technologies. "We will use federal purchasing power and grantmaking to incentivize security. And we will explore how the government can stabilize insurance markets against catastrophic risks to drive better cybersecurity practices and provide market certainty when catastrophic events do occur," the document says.

They're really just trying to put an initiative out there where they can calm things down in the marketplace, from both a liability and cyber insurance standpoint. But also make sure that companies are doing the right thing.

Will this cybersecurity strategy succeed?

This is a big initiative and a big strategy that's put out and I think it's painted with a broad brush. A lot of these initiatives are going to be very difficult to accomplish, especially in one year. And not only that, we're talking about making grant decisions and asking Congress to put forth money for these things, and for very specific initiatives that have yet to be defined. Couple that with the fact that many of these people who are making these laws don't really understand what it is that they're talking about and what they're requiring. It requires a lot of education for these lawmakers. It also requires them to hire consultants to figure out what is being put in these bills and how things are being handled.

But at the end of the day, this is a very large initiative. In order to achieve it, we should start acting pretty quickly. And this covers a ton of stuff - everything from securing IoT devices to making sure that critical infrastructure is protected and making sure that we are putting insurance backstops in place at the federal level. And then we're also going to require that companies be held liable if they don't do cybersecurity properly.

So it's very interesting to me that they went so big with such a broad brush, knowing that probably 10% of what we're seeing in this report is actually going to come to fruition. And I would even say that it's probably not going to come to fruition in 2023.

It is something maybe the administration can work towards for a while. But here's how I think it's going to play out. I think the grant is probably going to be one of the last things that we're going to see before we see laws that force businesses to start figuring out how to pay for this on their own. I don't think there's much of an appetite in Washington, or even at local levels, to provide grants and money to businesses to do this, simply because there's not a whole lot of tax money left over. And number two, these lawmakers may not really have a full understanding of this matter just yet. When they read these bills, it may just be hard for them to fathom what they're trying to attach money to.

What businesses should start doing

I think the way that the market is going to shift is that businesses are going to actually start investing the amount of money that they need to invest in cybersecurity on their own because they're going to be forced to do it through laws, fear of prosecution, or fear of lawsuits. It's really at a point right now where businesses are at an inflection point: Do they want to continue to spend the meager amount that they're spending on cybersecurity? Or do they want to invest in cybersecurity to protect their financial and digital assets from cyber threats?

Invest in cybersecurity to ensure that your company is resilient against cyber attacks and to avoid lawsuits that may arise from a lack of cybersecurity.

Most businesses that I work with know that they have to spend a significant percentage of their revenue on cybersecurity initiatives. And that number ranges anywhere from three to 6% of your top-line revenue. So you're really going to have to start looking at your IT budgets and how much you're dedicating to that. Business people should take this strategy as a warning that it's time to shore up their cybersecurity, get resilient around cybersecurity, adopt a framework around cybersecurity, and start implementing this framework to become a stronger and better company when it comes to data protection and cybersecurity.