On March 1, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy. Its goal is to provide a safe, reliable, and secure Internet for both business and personal use. It outlines several goals including economic security and prosperity, respect for human rights and fundamental freedoms, trust in democracy and democratic institutions, and an equitable and diverse society. In the introduction, the President writes that this strategy is designed “to better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of our digital future.”1
This is in line with several cybersecurity initiatives including the President’s Executive Order on Improving the Nation’s Cybersecurity from May 2021, which was followed by the Infrastructure Investment and Jobs Act, or “Bipartisan Infrastructure Law”, providing $550 billion through 2026 to invest in new infrastructure. It replaces the 2018 National Cyber Strategy while continuing the momentum from other initiatives, aligning priorities, and forming a collaborative defense.
The strategy includes an introduction that covers the strategic environment, which discusses emerging trends in cyberspace. It outlines that as software and systems are becoming more complex, they cannot continue to be placed on older and less secure technology. The strategy calls out the importance of protecting operational technology (OT) that is digitally connected and used for many factories, power grids, and water treatment facilities. It also recognizes that advanced wireless and Internet of Things (IoT) are becoming more essential.
The strategy also recognizes the threats to a free Internet. Malicious actors have evolved from cybercrime to a more strategic, state-run strategy. It calls out China, Russia, Iran, and North Korea and their pursuit of cyber objectives that counter US and allied interests as well as accepted international norms.
In comparison to the previous strategy, the 2023 version calls out two fundamental shifts on how we will allocate roles, responsibilities, and resources. These include:
- Rebalancing the responsibility to defend cyberspace: Understanding that not everyone has the same resources and capabilities, the plan will ask for the most capable and best-positioned actors to make the Internet more secure. It notes that the responsibility of protecting these systems belongs to the owners, operators, and technology providers.
- Realigning incentives to favor long-term investments: In addition to a shared responsibility to defend, it also outlines incentives for a stronger cyber workforce, more security in design, and collaborative research.
The intro closes with the plan to build this strategy on existing policies and initiatives for a stronger and safer internet.
The strategy includes five pillars that are critical for this vision:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
Pillar 1: Defend Critical Infrastructure
This pillar focuses on a strategy to defend the systems and assets within our critical infrastructure. This strategy will promote a collaboration between the private and public sectors, further develop existing regulations, create new regulations, and develop frameworks to fill any identified gaps within existing regulations. It is supported by the following five objectives:
- 1.1 Establish Cybersecurity Requirements to Support National Security and Public Safety: Establishes guidelines for requirements of new and existing regulations to secure critical infrastructure. Minimum requirements for regulations will be performance-based and will ensure a level playing field among competitors when it comes to cybersecurity spending.
- 1.2 Scale Public-Private Collaboration: Outlines a structured model of support between public and private sectors. Collaboration efforts in this model will require the use of technological solutions to enhance data sharing between sectors and coordinate defensive efforts. This allows for multi-directional sharing that enables a faster threat response.
- 1.3 Integrate Federal Cybersecurity Centers: Federal Cybersecurity Centers will serve as a node for collaborative capabilities across homeland defense, law enforcement, intelligence, diplomatic, economic, and military missions. These centers will lead in intragovernmental coordination efforts to be able to effectively support non-federal partners.
- 1.4 Update Federal Incident Response Plans and Processes: CISA will lead the process to update the National Cyber Incident Response Plan (NCIRP). As part of the NCIRP, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will aid in the ability to respond to incidents effectively. After an incident, the Cyber Safety Review Board (CSRB) will bring together leaders in the public and private sectors to review major incidents so that the community can benefit from lessons learned, as established in EO 14028 “Improving the Nation’s Cybersecurity”.
- 1.5 Modernize Federal Defenses: IT and OT systems within the federal government that are incapable of implementing the zero-trust architecture strategy must be replaced within a decade, or the risks otherwise mitigated for those that cannot be replaced. Additionally, IT and OT systems within the federal government that are not defensible against sophisticated cyberattacks must also be replaced. The Office of Management and Budget (OMB) will coordinate with CISA to develop a plan of action to secure Federal Civilian Executive Branch (FCEB) systems and with the NSA to develop a plan to implement the enhanced cybersecurity requirements of NSM-8.
Pillar 2: Disrupt and Dismantle Threat Actors
This pillar focuses on creating a strategy that disrupts threat actor activities in such a way that cybercriminals no longer see malicious activities as an effective means of achieving their goals, whether it be monetary or nation-state. It includes five objectives:
- 2.1 Integrate Federal Disruption Activities: The Department of Justice (DoJ) and other law enforcement agencies have always had systems in place to partner with authorities in private industries, international allies, and other resources that can disrupt threat actor activities. The information gained from these joint investigations is often invaluable in aiding additional cybersecurity efforts. Modeling after this approach, the Department of Defense (DoD) will develop an updated departmental cyber strategy that aligns with the National Security Strategy, National Defense Strategy, and this National Cybersecurity Strategy. This new strategy will clarify how US Cyber Command and DoD components will integrate cyberspace defense efforts.
- 2.2 Enhance Public-Private Operational Collaboration to Disrupt Adversaries: Routine collaboration between private sector entities and the public sector is encouraged. This collaboration can be coordinated through one or more nonprofit organizations that can serve as hubs for operational collaboration with the federal government, such as the National Cyber-Forensics and Training Alliance (NCFTA).
- 2.3 Increase the Speed and Scale of Intelligence Sharing and Victim Notification: Timely sharing of threat intelligence greatly increases the effectiveness of disruption actions. The federal government will work in coordination with CISA, law enforcement agencies, and the Cyber Threat Intelligence Integration Center (CTIIC) to develop processes to increase the speed and scale of threat intelligence notifications to defenders and victims.
- 2.4 Prevent Abuse of US-Based Infrastructure: The federal government will work with Infrastructure-as-a-Service (IaaS) providers to identify misuse of US-based infrastructure. Service providers will share reports of misuse and malicious activities using their infrastructure with the government and make reasonable attempts to secure their environments against malicious use. Adoption of a risk-based approach to cybersecurity across IaaS providers will be prioritized to make it more difficult for adversaries to take advantage of US-based infrastructure.
- 2.5 Counter Cybercrime, Defeat Ransomware: Over 30 countries participate in the Counter-Ransomware Initiative (CRI). This initiative conducts global exercises to build resilience and launched an international counter-ransomware task force to share information regarding ransomware actors and infrastructure ransomware attacks.
Pillar 3: Shape Market Forces to Drive Security and Resilience
This pillar focuses on developing a marketplace that encourages good cyber-hygiene in the development and implementation of technology. It outlines that those who do not invest in cybersecurity have a negative impact on other organizations, with smaller businesses and less affluent areas becoming more vulnerable as a result. It contains six objectives:
- 3.1 Hold the Stewards of Data Accountable: This creates accountability for those who host data. It establishes clear limits on the collection, use, transfer, and maintenance of personal data.
- 3.2 Drive the Development of Secure IoT Devices: As many devices are sent out under default settings, this increases the risk of compromise. It aims to improve this through research and development as well as IoT security labels to compare the protection of the products available.
- 3.3 Shift Liability for Insecure Software Products and Services: This looks to shift from contractual protection of liability to a higher standard while understanding that not all vulnerabilities can be prevented. Software companies must feel free to innovate but be held accountable if they do not adequately test and minimize vulnerabilities prior to release.
- 3.4 Use Federal Grants and Other Incentives to Build in Security: Balances cybersecurity requirements for applicants with support. It drives investment in critical products and services that are secure and resilient by design.
- 3.5 Leverage Federal Procurement to Improve Accountability: Holds accountable those that put US information or systems at risk by knowingly providing deficient products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.
- 3.6 Explore a Federal Cyber Insurance Backstop: In the event of a large cyber incident, the federal government should stabilize the economy and aid recovery as well as assess the need for possible structures of a federal insurance response.
Pillar 4: Invest in a Resilient Future
This pillar focuses on building the foundations for a resilient and secure cybersecurity future. It emphasizes the importance of building out the Internet as a whole ecosystem, a focus on research & development, and an investment into training the next generation of the cyber workforce. This pillar has 6 objectives:
- 4.1 Secure the Technical Foundation of the Internet: The Internet is a critical part of the foundation for a digital world, but there are many aspects of this ecosystem that are inherently vulnerable. The federal government will ensure that its networks have appropriate security measures in place to mitigate these risks and vulnerabilities. The US will partner with industry experts in both the public and private sectors and international allies by supporting non-governmental Standards Developing Organizations (SDOs).
- 4.2 Reinvigorate Federal Research and Development for Cybersecurity: The Federal Cybersecurity Research and Development Strategic Plan will be updated to proactively prevent and mitigate cybersecurity risks in existing and new technologies.
- 4.3 Prepare for Our Post-Quantum Future: To counter the use of quantum computing to break current cryptographic techniques, efforts for encryption are directed to focus on quantum-resistant cryptography.
- 4.4 Secure Our Clean Energy Future: This section focuses on investing in new energy infrastructure. The US will build in cybersecurity throughout the development of new energy infrastructure through the implementation of the National Cyber-Informed Engineering Strategy.
- 4.5 Support Development of a Digital Identity Ecosystem: This section focuses on developing digital identity policies, technologies, and verifiable digital identity solutions. These capabilities will enhance individuals’ identity protection and prevent fraud. The digital identity policies will promote improved transparency and accountability in the use of an individual’s data.
- 4.6 Develop a National Strategy to Strengthen Our Cyber Workforce: The Office of the National Cyber Director (ONCD) will develop and oversee the implementation of a National Cyber Workforce and Education Strategy. This strategy focuses on addressing the cyber workforce gap through investment in the recruitment and training of the next generation of cybersecurity professionals. It will also focus on tackling the lack of diversity within the current cyber workforce and acknowledges that women, people of color, first-generation professionals, people with disabilities, and LGBTQ+ individuals are underrepresented. This is potentially an untapped pool of talent that can help close the cyber workforce gap.
Pillar 5: Forge International Partnerships to Pursue Shared Goals
The final pillar seeks to bring together a global initiative to maintain a free, reliable, and secure Internet. It aims to respond to threats and digital repression, punishing the actors who engage in disruptive, destructive, and destabilizing actions. This final pillar has a total of 5 objectives:
- 5.1 Build Coalitions to Counter Threats to our Digital Ecosystem: This objective builds on the US and 60 other countries’ Declaration for the Future of the Internet (DFI). It references a number of other initiatives such as the Quadrilateral Security Dialogue (“the Quad”), The Indo-Pacific Economic Framework for Prosperity (IPEF), and Americas Partnership for Economic Prosperity (APEP) for the development of technical standards and mechanisms to enable secure cross-border data flows. It also references other partnerships such as the US-EU Trade and Technology Council (TTC) and the Australia/United Kingdom/United States Partnership (AUKUS) to secure critical technologies, improve cyber coordination, and share advanced capabilities.
- 5.2 Strengthen International Partner Capacity: This section focuses on building a coalition for shared cybersecurity priorities and vision amongst global partners. It includes enabling allies and securing critical infrastructure, as well as pooling experts from the public and private sectors to build a more robust partnership and resiliency to cybercrime.
- 5.3 Expand US Ability to Assist Allies and Partners: Provides support to assist partner nations with recovery and counter adversary actions. This allows partner nations to support each other more effectively and efficiently in response to significant malicious cyber activities.
- 5.4 Build Coalitions to Reinforce Global Norms of Responsible State Behavior: Seeks to pool cooperation for providing standard and acceptable behaviors in cyberspace and upholding international law. It outlines the importance of refraining from cyber operations that would intentionally damage critical infrastructure and holding irresponsible states accountable when they fail to uphold their commitments.
- 5.5 Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services: Outlines the initiative to work with partner countries in cross-border supply chain risk management. It also reinforces the CHIPS and Science Act to improve domestic manufacturing, along with the implementation of EO 13873, “Securing the Information and Communications Technology and Services Supply Chain” and EO 14034 “Protecting Americans’ Sensitive Data from Foreign Adversaries” to prevent unacceptable and undue risks and influence from adversarial governments.
The strategy concludes with Implementation, which includes assessing the effectiveness of the strategy, incorporating lessons learned, and committing to making the investment.
As the US and partner nations look to provide a safer, more secure, and more robust Internet, they will continuously be faced with threats from malicious actors and those who wish to exploit others. It is important to note that no individual or business needs to go it alone. Selecting the right partners and advisors will help organizations be more prepared and resilient against these ongoing risks.
Inside Sales Executive | Ambulatory Solutions (TN, GA, MS, AL) | EMR | USN Veteran
1y: Very insightful article, Rex. Thanks for sharing.
Co-Founder & Vice President, Americas at LMNTRIX
1y: This is a great article by Rex Johnson and his team at CAI about the 2023 National Cybersecurity Strategy, which is a comprehensive and ambitious plan to improve cybersecurity in the United States. It has five main pillars: resilience, defense, cooperation, innovation, and education. The strategy also includes a number of specific goals, such as reducing the number of successful cyberattacks by 50% by 2025. The strategy is a significant step forward in the Biden Administration's efforts to improve cybersecurity in the United States.