May 1, 2023

What the 2023 National Cybersecurity Strategy Means for Your IT

The Biden-Harris administration released the National Cybersecurity Strategy on March 2, 2023. The national cyber strategy document establishes expectations and offers guidance on how the United States government intends to protect the country’s digital assets and critical infrastructure from the threat of cyberattacks.

To help you understand the U.S.’s new national cyber strategy, this post will dive into the highlights, who needs to worry about it, and what the 2023 National Cybersecurity Strategy means for your IT and infrastructure.

What is the National Cybersecurity Strategy?

The National Cybersecurity Strategy (or National Cyber Strategy 2023) recommends broad improvements to American cybersecurity and cyber risk management. It encourages collaboration between public and private entities, expanding the federal cyber workforce, and creating special protections for critical infrastructure.

The National Cybersecurity Strategy was published by the Biden-Harris Administration on March 2, 2023, and is the latest in a long list of White House communications pertaining to cyber defense.

Some recent Presidential communications on cybersecurity include:

  • National Cyber Strategy (September 2018)
  • National Security Presidential Memorandum 13 (NSPM13) (September 2018)
  • Cybersecurity and Critical Infrastructure Protection Act (November 2018)
  • Executive Order on Improving the Nation's Cybersecurity (May 2021)

As expected, the latest strategy reiterates many of the previous recommendations, including the need for increased communication and collaboration amongst government agencies, and improved incident response. The new document unsurprisingly singles out the “governments of China, Russia, Iran, and North Korea” as the primary (but not only) threat actors to “U.S. national security and economic prosperity.”

What’s in the National Cybersecurity Strategy 2023?

The 39-page National Cybersecurity Strategy is a roadmap for new laws and regulations to help the U.S. prepare for existing and emerging cyber threats and threat actors. It aligns numerous strategic objectives under five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

It will take time for these objectives to translate into actionable laws and regulations, but many of the strategies are deeply familiar to cybersecurity experts.

Other elements of the strategy broach the possibility of a federal cyber insurance backstop, development of updated incident response guidance, and the modernization of federal defenses in accordance with zero trust principles, which acknowledge that threats can originate from both inside and outside network boundaries.

Pillar 1: Defend Critical Infrastructure

History is filled with monumental and painful lessons. The terror attacks of September 11, 2001, changed American consciousness forever. The COVID pandemic taught the entire world how supply chain fragility impacts individuals, businesses, and governments. WannaCry – a fast-spreading ransomware worm – caused significant disruption to hundreds of thousands of computers in over 150 countries.

This pillar of the National Cybersecurity Strategy declares that the American people should have confidence in the resilience of critical infrastructure. A malicious, large-scale attack on vulnerable infrastructure could do more than stop business. It could literally destabilize the lives of millions. This new strategy document recognizes that building defenses against cyberattacks is no longer just a nice-to-have – that it may well be the difference between life and death.

Pillar 2: Disrupt and Dismantle Threat Actors

The National Cybersecurity Strategy also suggests a more proactive approach to dealing with threat actors, with the intent to disrupt and dismantle their organizations. Crime syndicates that use cyber techniques – such as ransomware gangs – are now considered a threat to national security.

Since these are no longer considered simply criminal acts, additional U.S. agencies like the NSA can now join the fight against them, and the government can call on allies and partners for support. To quote the strategy document:

“Collaboration to address advanced threats will only be effective if owners of critical infrastructure have cybersecurity protections in place to make it harder for adversaries to disrupt them.”

What the National Cybersecurity Strategy Means for You

The National Cybersecurity Strategy applies to U.S. organizations in the public and private sectors. Broadly, it seeks to increase collaboration and shift cybersecurity responsibilities onto software developers and tech providers.

This strategy entails protection for every person and organization in the United States, and likely has cross-industry impact for businesses both large and small.

While much of the national cyber strategy document is a restatement of previous information and goals, there are also areas where the strategy breaks the mold. One of the areas in which it introduces fresh ideas is in response to ongoing changes in the threat landscape.

A Shift in Cybersecurity Responsibility

For years, software companies have operated under shrink-wrap licenses that force the installer to accept non-negotiable terms and conditions before they can install commercial software. This has allowed software vendors to shield themselves from liability for a customer’s reasonable use of their products, even when the vendor is at fault for releasing a product that is insecure or has known flaws.

The latest strategy breaks new ground by indicating that the administration will work with Congress to prevent companies from claiming immunity from liability claims, while also acknowledging that no software is completely secure. Responsibility will no longer fall entirely on the end user or small business, communities that often lack the skills and resources needed to ensure good security hygiene related to application functionality. This will incentivize software providers to ensure that their processes and applications incorporate good security, and that adequate precautions are being taken.

What Does “Critical Infrastructure” Mean Here?

As defined by the National Cybersecurity Strategy, critical infrastructure includes IT and infrastructure used by energy pipelines, food companies, schools, and hospitals.

In addition, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has previously identified 16 critical infrastructure sectors. CISA asserts that failure to protect critical infrastructure in these 16 sectors would have a debilitating effect on security, national economic security, and national public safety.

Many industries in these sectors are expected to be subject to the initiatives laid out in the National Cybersecurity Strategy:

  • Chemical: Organizations that manufacture, store, use, and transport potentially dangerous chemicals.
  • Commercial Facilities: Sites that draw large crowds, including hotels, parks, shopping malls, casinos, entertainment venues, and more.
  • Communications: The sector that provides enabling communications functions to all other critical infrastructure sectors.
  • Critical Manufacturing: Industries that provide manufacturing to other industries of national significance.
  • Dams: Critical water retention and control services in the US, supporting multiple critical infrastructure sectors and industries.
  • Defense Industrial Base: Organizations engaged in research and development of military weapons systems, subsystems, and components or parts.
  • Emergency Services: Organizations that help save lives, protect property and the environment, and assist in recovery efforts.
  • Energy: Industries providing electricity, oil, and natural gas resources and assets.
  • Financial Services: Financial institutions, including global companies and community banks.
  • Food and Agriculture: Privately owned farms, restaurants, and food manufacturing, processing, and storage facilities.
  • Government Facilities: Federal, state, local, and tribal government buildings and spaces.
  • Healthcare and Public Health: Industries that protect all sectors of the economy from health hazards like terrorism, outbreaks, and natural disasters.
  • Information Technology: Industries that identify and protect against cyber threats and vulnerabilities.
  • Nuclear Reactors, Materials, and Waste: Civilian nuclear infrastructure, from power reactors to medical isotopes.
  • Transportation Systems: The system that moves people and goods, including aviation, highways, mass transit, freight, postal, and maritime transportation.
  • Water and Wastewater: Systems that provide access to clean, healthy water.

What You Should Do About the National Cybersecurity Strategy

Adopting established compliance frameworks and adhering to security standards are both best practices to align with the National Cybersecurity Strategy.

As the strategy is translated into new or revised laws and regulations, existing frameworks and standards will also be updated to reflect the new recommendations. Organizations that have so far escaped regulatory oversight should anticipate that minimum cybersecurity requirements will be expanded, and would be well served by preparing for that now.

Are There Penalties for Not Meeting the National Cybersecurity Strategy?

There is no enforcement of the 2023 National Cybersecurity Strategy, per se. As of this writing, it represents a wish list of things that the administration feels are necessary for the security of the nation. It’s an executive roadmap that prepares for the creation of laws and regulations over the coming years, and it can take months or even years to translate into something enforceable within the private and public sector.

But that doesn’t mean the strategy can be ignored, especially for those organizations identified as critical infrastructure. The White House indicates that elements of the strategy are already underway based on existing directives, coordinated by the Office of the National Cyber Director. To actually execute the national cyber strategy, the U.S. Federal government will require collaboration from organizations and international allies and partners. That likely includes organizations in your industry.

Using Puppet to Help Protect Critical Infrastructure

Puppet’s automation and compliance solutions help organizations with critical infrastructure align with compliance frameworks and security standards.

Having the ability to quickly scan, verify, and adjust configurations to ensure compliance with security standards like CIS Benchmarks and DoD Compliance – and to prevent drift and stay compliant – achieves many components of system hardening across your infrastructure. Compliance automation also helps IT ops teams prevent ‘firefighting’ that comes with audits.
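As an added illustration of the scan, verify, and adjust cycle described above (example code written for this post, not one of Puppet’s own compliance modules), the manifest below declares two CIS-style OpenSSH settings as desired state. It assumes the puppetlabs-stdlib module is installed for `file_line`, and that the host ships OpenSSH as the `openssh-server` package with an `sshd` service; the class and resource names are constructed for the example.

```puppet
# Constructed example: enforce two CIS-style sshd settings and keep them
# from drifting. Requires puppetlabs-stdlib for the file_line type.
class cis_sshd_hardening (
  String $permit_root_login = 'no',
  String $password_auth     = 'no',
) {
  package { 'openssh-server':
    ensure => installed,
  }

  # CIS recommends sshd_config be root-owned and not world-readable.
  file { '/etc/ssh/sshd_config':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    require => Package['openssh-server'],
  }

  # Each file_line matches the existing (possibly commented-out) directive
  # and rewrites it to the desired value. In --noop mode the agent only
  # reports which lines would change (scan/verify); in an enforcing run it
  # corrects them (adjust); every scheduled run afterwards re-converges the
  # file, which is what prevents drift.
  file_line { 'sshd PermitRootLogin':
    path    => '/etc/ssh/sshd_config',
    line    => "PermitRootLogin ${permit_root_login}",
    match   => '^#?\s*PermitRootLogin\s',
    require => File['/etc/ssh/sshd_config'],
    notify  => Service['sshd'],
  }

  file_line { 'sshd PasswordAuthentication':
    path    => '/etc/ssh/sshd_config',
    line    => "PasswordAuthentication ${password_auth}",
    match   => '^#?\s*PasswordAuthentication\s',
    require => File['/etc/ssh/sshd_config'],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

include cis_sshd_hardening
```

Running `puppet apply --noop` on this manifest reports the settings that are out of compliance without touching the host; omitting `--noop` applies the corrections and restarts `sshd` only when a line actually changed.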

See the value of compliance automation for yourself. Request a free trial of Puppet Enterprise or schedule a demo of Puppet Enterprise, Puppet Comply, and Puppet Compliance Enforcement for your infrastructure now.
