New US National Cyber Strategy: Regulation, Resilience, Ransomware, and More
The US has released its new national cyber strategy. Here's what to know.
On Thursday, March 2, the White House released the new US National Cyber Strategy. It was a long time in the making and reflects months and months of work by the government officials involved, as well as the numerous industry and civil society organizations consulted throughout the writing and development process. Here’s what to know — including a data-driven breakdown of the most frequently discussed topics in the document. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The new US National Cyber Strategy makes a positive, much-needed call for more, and better, regulation to boost US domestic cybersecurity practices — and it most frequently mentions topics such as infrastructure, resilience, collaboration, disruption, regulation, data, and ransomware.
The Cyber Strategy’s Core Elements
The National Cyber Strategy effectively argues for two fundamental shifts in the US, summarized succinctly in the White House’s press release from last week:
“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
“We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”
Five pillars underpin this approach:
Defend Critical Infrastructure
Disrupt and Dismantle Threat Actors
Shape Market Forces to Drive Security and Resilience
Invest in a Resilient Future
Forge International Partnerships to Pursue Shared Goals
In short, the strategy takes a much more assertive position on the need for regulation and for government to incentivize industry to do more for cybersecurity. “Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience,” it reads. “New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”
Of course, action must follow — saying something is one thing; getting it done is another — but this is a significant shift. Clearly, the US government’s relatively hands-off approach to cybersecurity, shying away from even financially incentivizing companies to invest in security, has led to rampant bad practices in critical infrastructure, at Internet of Things (IoT) device manufacturers, and much more. The Biden administration has taken an important, positive step in asserting the need for the US government to help shift market incentives and promote necessary regulation.
For instance, it discusses at length the need for cybersecurity regulations for US critical infrastructure. There are 16 of these designated sectors in the US, including the chemical, commercial facilities, communications, critical manufacturing, defense industrial base, emergency services, energy, financial services, food and agriculture, healthcare and public health, information technology, and transportation systems sectors. All these sectors need stronger cybersecurity. The Transportation Security Administration (TSA)’s dysfunctional approach to pipeline security and response to the Colonial Pipeline ransomware attack is just one demonstration of the need for new, more effective regulations and enforcement.
Regulation, Resilience, Ransomware, and More
The National Cyber Strategy covers a wide range of topics, and I highly recommend the expert markup assembled by my colleagues at the Atlantic Council’s Cyber Statecraft Initiative and Eugenia Lostri and Stephanie Pell’s summary for Lawfare, among others, for additional perspectives and for a play-by-play look at some of the specifics. Our data analysis finds that some of the strategy’s central themes were infrastructure, resilience, collaboration, disruption, regulation, data, and ransomware.
Infrastructure was mentioned 88 times in the strategy, resilience (or some variant) was mentioned 68 times, collaboration (or some variant) was mentioned 67 times, and disruption (or some variant) was mentioned 42 times. The frequency of “collaboration” further underscores the fact that public-private collaboration, collaboration within government, and collaboration with overseas counterparts are central parts of the strategy. Disrupting and dismantling threat actors, a strategy pillar, explains the heavy use of “disrupt.”
The Biden administration’s National Cyber Strategy mentions “regulation” (or some variant) 40 times. By comparison, the Trump administration’s National Cyber Strategy, released in September 2018, did not say “regulation” once. This is a huge shift.
The strategy mentions China five (5) times, Russia eight (8) times, Iran four (4) times, and North Korea four (4) times. Nonetheless, it says about China:
The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so. Over the last ten years, it has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten US interests and dominate emerging technologies critical to global development.
It then discusses how Russia “remains a persistent cyber threat” and has caused, through cyber attacks in support of its “brutal and unprovoked” (and illegal) invasion of Ukraine, “irresponsible spillover impacts onto civilian critical infrastructure in other European countries.” The strategy then says that Iran and North Korea are “similarly growing in their sophistication and willingness to conduct malicious activity in cyberspace.” While the strategy clearly states that the Chinese government, from the US government’s perspective, presents the broadest, most active, and most persistent cyber threat to the United States, it is worth noting that there are many differences between Chinese and Russian cyber behavior that still make the Kremlin a considerable threat in this arena — including its willingness to launch destructive operations, much more so than the Chinese government, at least publicly to date.
The Biden administration’s National Cyber Strategy mentions ransomware 29 times, versus the single mention it received in the Trump administration’s strategy.
The frequent discussion of “ransomware” reflects both that ransomware is a growing problem and that it is a core focus for the Biden administration — which has held multiple international meetings on ransomware and even, in June 2021, raised the issue with Vladimir Putin. Although the White House had attempted to make progress on the issue in talks with Putin pre-2022, there are limits to negotiations with foreign governments harboring cybercriminals. The White House’s efforts to push for domestic protections from ransomware are vital and positive, and there are no signs of that slowing down. But its international plans here raise different questions.
In Russia’s case, the Kremlin draws on Russia’s vast cyber web (including cybercriminals) to augment state cyber power; permits and even encourages cybercrime in order to bring money into Russia (and as part and parcel of criminal competition and state corruption); and perceives many benefits, including deniability, from tapping cybercriminals on the shoulder as-needed to help run state operations.
Moscow therefore has many strong incentives to continue to let cybercriminals operate from within Russia, so long as they follow what I often call the Kremlin’s “social contract” with hackers: focus on foreign targets, don’t undermine the Kremlin’s objectives, and answer to the state when asked. The US government is thus discussing what one “unnamed senior official” described to Axios as “tools and authorities and options that go beyond what we would have traditionally done on a crime problem,” a pretty clear reference to using military or intelligence capabilities.
US policymakers, though, may be too quickly moving past the implications of taking a more aggressive response to cybercriminal actors. In October 2021, the REvil ransomware group in Russia reportedly shut down after US Cyber Command and a foreign government reportedly hacked into its servers. (As a side note, the Russian government subsequently announced in January 2022 that it had arrested the REvil gang, and too many US media outlets, in my view, failed to properly interrogate those claims and US officials’ praise of the news.) Yet, choosing to have military cyber units target cybercriminal organizations overseas raises all kinds of questions, including about what this does to US messaging on cyber activity. As Gavin Wilde has written:
If the gauntlet is thrown down for military cyber units to conduct offensive operations against non-state entities abroad—particularly in retaliation for damages that are primarily financial and criminal in scope—the issue becomes as much about which behaviors the United States is endorsing as those it seeks to curb.
Further, to quote Gavin Wilde’s article:
While most of Cyber Command’s operations are, for good reason, not publicized, those that are risk sending a concerning signal to Moscow: that the focus of the United States’ limited military cyber resources can be occupied by online trolls and cybercriminals. Without downplaying the seriousness of those threats, which are often deployed in coordination with state actors, it is still crucial to get an accounting of where they rank on Cyber Command’s priority and resourcing spectrum relative to more critical activity by more sophisticated nation-state actors.
Understanding full well how cybercrime operates in Russia, it is still important for the US government to think very carefully — and in some cases, very cautiously — about the implications of this approach to ransomware.
The National Cyber Strategy is a major, important shift in US executive branch messaging and official position on the need for greater cybersecurity regulation. It hopefully will help lead the US towards much better protection of systems, networks, and data across both the public and private sectors, without too much regulatory heavy-handedness. Now that the strategy has landed, the implementation work begins.
© 2023 Global Cyber Strategies LLC.