
Cybersecurity National Strategy: One Year Later

Andrea Bailiff-Gush
February 28, 2024
5 mins

Introduction

In early March 2023, the White House released the National Cybersecurity Strategy, aiming to bolster cybersecurity public-private partnerships in defending against threat actors. The strategy is outlined through five pillars: 

  1. Defend critical infrastructure
  2. Disrupt and dismantle threat actors
  3. Shape market forces to drive security and resilience
  4. Invest in a resilient future
  5. Forge international partnerships to pursue shared goals

As we approach the one-year anniversary of the National Cybersecurity Strategy’s release, we thought we would reflect on how effective the strategy has been in helping organizations secure their SaaS applications, and on how far we may still have to go.

Pillar 1: Defend Critical Infrastructure

Recap: This first pillar cut straight to the chase: it is about new and expanded regulations for cybersecurity. While vague about what those regulations would or should be, the Strategy calls for more open collaboration between public and private sector security professionals.

Interestingly, the Strategy identifies the need for cloud security multiple times, noting that: “The Administration will identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress, and regulators to close them.” Further in this section, the Strategy talks about modernizing the cybersecurity of the government and directs “...FCEB agencies to implement multi-factor authentication, encrypt their data, gain visibility into their entire attack surface, manage authorization and access, and adopt cloud security tools.” 

What’s happened since: 

Two major cybersecurity regulations have passed since the Strategy’s release: one from the Securities and Exchange Commission (SEC) and the other from the Federal Trade Commission (FTC). Both of these commissions’ regulations have a large focus on breach notifications.

The SEC regulations went into effect December 2023 and made major waves in both the cybersecurity and business communities. These rulings require registrants to report breaches with “material losses” within four days of discovery, as well as report annually on “...the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” 

The FTC rules center around expanding healthcare notification rules to companies that handle health data but don’t fall under HIPAA regulations, such as health tracking apps. These companies are now bound by the same notification rules as health companies when a user’s data has been compromised. 

Pillar 2: Dismantle Threat Actors 

Recap: This pillar dove into public-private cooperation in thwarting threat actors, naming many agencies that will help by coordinating intelligence sharing, disruption activities, and victim notifications. Where the first pillar focused on shoring up defenses, this one focuses on thwarting threat actors at the source.

What’s happened since: 

This particular pillar has faced unusual political challenges since last year. A recent report alleged a breakdown of one of the key components of this initiative within CISA: the Joint Cyber Defense Collaborative (JCDC).

Pillar 3: Shape Market Forces to Drive Security and Resilience

Recap: This pillar’s main theme was transferring the onus of security from users to the holders of their data. It says, “We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”

Or, more succinctly: “...shift liability onto those entities that fail to take reasonable precautions to secure their software.” 

The pillar also discusses support for an expansion of data privacy regulations as well as more standards around IoT security. 

What’s happened since: 

This debate over who owns responsibility for a user’s data made major headlines in late 2023 when ancestry and genetic testing giant 23andMe disclosed a breach and blamed user negligence as the cause, despite not having enforced recommended security protocols such as MFA. It is a safe bet that the debate over exactly who is liable for data security will gain attention again in the near future.

Pillar 4: Invest in a Resilient Future

Recap: If the previous three pillars’ themes could be described as various branches of cybersecurity, this pillar goes deep into the roots. It is all about building cybersecurity into the foundations of internet infrastructure and future technologies. Its goals focus on six objectives:

  1. Secure the technical foundation of the internet
  2. Reinvigorate federal research and development for cybersecurity
  3. Prepare for our post-quantum future
  4. Secure our clean energy future
  5. Support development of a digital identity ecosystem
  6. Develop a national strategy to strengthen our cyber workforce

What’s happened since: 

As with most systems, we rarely get a good glimpse into the roots, and this pillar has been no exception. Many of the programs in this pillar require slow iterations and/or expansions of divisions of CISA and other federal agencies to create codes, and even plans, to secure the shifting landscape and build security into the core infrastructure. One example of such a program is the launch of the National Cyber Workforce and Education Strategy, which is meant to help address the ongoing critical cybersecurity staffing shortages felt in both the public and private sectors.

Pillar 5: Forge International Partnerships to Pursue Shared Goals

Recap: It’s no secret that most cyber attacks originate outside the United States, which is why this pillar is all about the world stage. While light on details, this pillar addresses the need to strengthen partnerships with international allies, work toward normalizing state behaviors around cybersecurity, and secure global supply chains.

What’s happened since: 

The cyber intelligence community has been working more and more to strengthen its information sharing with allies, as well as coordinating law enforcement efforts against threat actors. We have seen major takedowns that required multiple international agencies working together, such as the Conti ransomware group in September 2023 and Lockbit in February 2024. Both show an increased acknowledgment that these types of operations can only happen with international coordination and collaboration.

Takeaways, One Year Later

As is always the case, a lot has changed in the year since the National Cybersecurity Strategy was released, and looking forward, its future might even hang in the balance. However, new regulations have come into place – even as they make their way through the courts – and we will see how, or if, their actual rollouts affect behavior.

Having taken this time to look back, we see that the way forward in cybersecurity is about adaptation and foundational shifts. We must learn to adapt to new technologies that expand our operations while also cushioning their potential negative impacts. Doing so means baking security into the groundwork of everything we build and adopt.

And, of course, if you’d like to learn more about how Reco can help build this type of adaptable, scalable security into your SaaS infrastructure, you can request a demo with one of our SaaS security experts.

ABOUT THE AUTHOR

Andrea Bailiff-Gush

Andrea is the Head of Product Marketing of Reco, responsible for driving demand and growth in SaaS security. Andrea is a startup and cyber security veteran, having supported organizations across various growth milestones, from Seed round to acquisition. She is passionate about growing businesses and teams to drive profitable outcomes and better well being for customers.

Technical Review by:
Gal Nakash