At first glance, Biden’s recently released National Cybersecurity Strategy appears comprehensive and forward-thinking. It focuses on a number of areas such as strengthening the Cybersecurity and Infrastructure Security Agency (CISA), developing new technologies to detect threats, and increasing international cooperation to fight transnational cybercrime. However, the strategic initiatives laid out in the document are not funded, and in many cases, are not possible without fundamental changes to organizations and their systems. In this blog, we will focus on strategic initiatives 1.4, 2.2, 2.3, and 3.3.
Objective 1.4: Update Federal Response Plans and Processes
GroupSense fundamentally disagrees with the premise of objective 1.4: “The private sector is capable of mitigating most cyber incidents without direct federal assistance.” Our first thought is: whom are they talking about? The majority of the private sector consists of small and medium businesses that don’t have the monetary or human resources to defend against or respond to attacks. Once again, the backbone of the American economy is forgotten.
Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries
This objective aims to disrupt threat actors with increased information sharing and organizing efforts through established security nonprofits, but it lacks any action plan. There are no funds, resources, or specific plans that would increase collaboration and data sharing, which is already an extreme challenge for the federal government before throwing in private sector organizations. Without more detailed plans, this objective will fall flat.
Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notifications
This objective plans to increase intelligence sharing from the federal government to private sector cybersecurity companies and potential cyber crime victims. While the objective does have a specific direction for establishing sector-based priorities and processes, it doesn’t address the fact that the proposed information sharing is one-directional. Furthermore, it doesn’t acknowledge the confusion and disorganization of victim notifications. In our work, GroupSense sees firsthand that victims don’t know whom to report cyber attacks to when they happen. Between CISA, the FBI, and local law enforcement, victims rarely know the correct reporting protocol. Why not fix this issue with a clear reporting protocol that will be widely distributed to the public?
Objective 3.3: Shift Liability for Insecure Software Products and Services
While GroupSense believes in the premise of this objective, which is to shift liability away from victims of insecure software and place it on the organizations developing the software, this seems like the pot calling the kettle black. GroupSense and the public have observed time and again that vulnerable, brittle cyber systems created by the government fail us. Just in the past few weeks, GroupSense observed a breach of the US Federal Marshal system among other federal breaches. The government should take its own advice here and start addressing the glaring cybersecurity issues on the inside before enforcing this on the outside.
GroupSense believes that Biden’s Cybersecurity Strategy is a step in the right direction, but it needs to go further. We believe that more emphasis should be placed on providing resources and support for small and medium businesses so they can take the necessary steps to protect themselves from cyber threats. This includes increased funding for CISA’s Cybersecurity Small Business program, which provides grants and technical assistance to these organizations; more educational resources on cybersecurity best practices; and better public-private partnerships to facilitate information sharing and collaboration.
We also believe that the strategy should shift focus away from offensive strategies and towards defensive ones, as these are more likely to have a direct impact on businesses’ cybersecurity posture. This could include investing in cybersecurity training for employees, implementing cybersecurity best practices, and leveraging advanced cybersecurity technologies such as AI and machine learning.
Ultimately, the cybersecurity landscape is constantly evolving, and it’s important for businesses – especially smaller ones – to stay ahead of the curve. Biden's cybersecurity strategy could be an important step towards achieving this, but only if it takes into account the needs of small and medium businesses. GroupSense is committed to helping companies protect themselves against cybersecurity threats, and we look forward to seeing how Biden's cybersecurity strategy evolves to meet their needs.