The Biden Administration recently announced a new, five-pillared cybersecurity strategy that outlines not only new Federal initiatives to strengthen the defense of public infrastructure and increase federal cybersecurity capability, but also details changes that will greatly impact the private sector, cybersecurity leaders, and practitioners of today and tomorrow. It is important to remember that this announcement is a policy document, not an executive order, so while it does signal that changes are coming, it will remain difficult to prepare for specific parts of this shift until further information is released. In the meantime, business leaders and cybersecurity organizations can at least start incorporating some of the bigger and more obvious takeaways into their cybersecurity strategy.
The following are some things to consider as we make decisions today and things that I believe will become very important to business, security, politics, and beyond.
Shifting Responsibility for Infrastructure Protection
As part of the effort to “shape market forces to drive security and resilience,” the Biden administration plans to shift the liability for protecting cyber infrastructure from the clients doing business online to the cyber defense practitioners that serve those clients. A subtle point is lost to many here. This shift will actually have to be made manifest through a series of new pieces of legislation, which may face serious opposition, but businesses should still plan to comply with new minimum security standards. Enforcement of such standards may come through industry or non-government entities, such as insurance companies that will likely use these standards to qualify for coverage. Technology providers such as SaaS and hosting will be expected to adhere to standards and accept more responsibility.
Federal Cyber Insurance Backstop
This announcement makes it clear that the Administration understands the level of potential calamity that a large-scale cyber attack could mean for our government and businesses. The plan to “Invest in a Resilient Future” includes the creation of a Federal Cyber Insurance Backstop. The acknowledgment and preparation for the potentiality of a catastrophic cyberattack is a development in itself, but the fact that such an event is being planned for will have several effects on cybersecurity insurance and the businesses they cover. This backstop will be in place in case a cyberattack has wide enough effect that there are overwhelming cyber insurance claims. Law enforcement and insurers have, to date, treated cybersecurity attacks as individualized harm. However, it is important to understand that the potential impact of a cyberattack can reach the same scale of disruption as weather events, industrial spills, energy production accidents, and terrorist attacks, events that the federal government typically responds to collectively. The Biden administration is signaling that they see cyberattacks as a threat at a collective level and will be prepared to respond with federal assistance and oversight.
Actively Disrupting Attackers
By making this announcement, the Biden administration is sending a clear warning to cyber attackers that it’s no longer business as usual. Attackers often receive support and safe harbor in their home countries in exchange for targeting the US. Our companies are the most valuable and easiest to attack, with a lower risk of retribution. Our past policies and habits of not hacking back, lax law enforcement and little follow-up, allowing companies to pay ransoms, and lack of controls on personal data all contribute to our current vulnerability. The administration is announcing that our networks will be harder to attack, that we will use the whole-of-government to disrupt and prevent cyberattacks, and that we will no longer acquiesce to ransom demands. The businesses of the United States will no longer be an easy target.
The cybersecurity community and businesses will have to wait to see the specifics of any actions taken or orders given in relation to the new cybersecurity plan, but it’s possible to start preparing now. There are steps that businesses can take immediately to be ready for upcoming changes. Take inventory of and have a clear understanding of your organization’s use of cloud-based infrastructure and data vendors. Make a plan to comply with minimum security requirements. Be aware of your company’s cyber insurance policy and potential law enforcement resources in case of attack. Lastly, getting involved in cybersecurity organizations in your industry will help you stay ahead of any future developments.