In March 2023, the US government unveiled its National Cybersecurity Strategy (NCS), which lays the groundwork for major changes in the way the country protects its cyberspace. Although this document proposes a comprehensive action plan to guarantee cast-iron security for the nation, the contours of its implementation have yet to be specified.
Protecting a country means protecting its cyberspace. This is the mission that the USA’s executive authority has entrusted to the Office of the National Cyber Director (ONCD), which was created in 2021 at the start of Joe Biden’s presidency to defend the nation’s digital territory. From homeland security to defending the national economy, not forgetting the emergence of new technologies, this action plan addresses all the major issues related to the USA’s cybersecurity.
The National Cybersecurity Strategy (NCS) is based on the premise that cyberspace threats are more varied and fluctuating than physical ones, and that the effects of a cyberattack may spread from one initial target to other organisations. Consequently, cyberprotection work requires the input and involvement of public institutions and also private entities. In the next few paragraphs, InCyber analyses the five pillars of the strategy.
1) Defend critical infrastructure
The NCS first turns its attention to critical infrastructure, such as hospitals, public transport networks and water supply systems, where an interruption of service would constitute a threat to American society. The Cybersecurity & Infrastructure Security Agency (CISA) has compiled a list of the critical infrastructure sectors. Businesses involved in these sectors’ activities must have a satisfactory level of protection, as a priority.
The strategy document also stipulates that the information systems of federal public buildings associated with these strategic sectors must be modernised, and that possibilities for public-private collaboration in this area must be explored. The public agencies that contribute to the National Security System, and which administer the data necessary to protect US territory, must begin work on this task as a priority. Lastly, the operational and administrative procedures to be adopted in a cyberattack situation will be simplified.
2) Disrupt and dismantle threat actors
This pillar states that all means must be employed to render the malicious actors behind cyberattacks and meddling in public debate powerless to cause harm. While acknowledging efforts that have already proved effective, the document proposes increased capacity and, above all, collaboration between public institutions and private organisations in temporary “units” operating on an ad-hoc basis. Public-private partnerships on cyberprotection have existed in the USA for around 20 years, under the aegis of the National Cyber-Forensics and Training Alliance, but these will become more widespread to include smaller businesses within communities, operating in a hub-style model with leadership from Federal trade departments.
Ransomware is now perceived as a direct threat to national security. The US authorities have launched a Joint Ransomware Task Force administered by CISA. The FBI will run investigations and cyber-based counter-attacks to put ransomware operators out of action. Lastly, a special cell will trace the financial exchanges in which cryptocurrency is used to pay ransoms demanded by cyber-hackers. Bringing together agents from the Department of the Treasury, the Department of Justice, and the FBI, this cell will apply the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls. It will also operate beyond US borders, in close cooperation with allies of the USA.
3) Shape market forces to drive security and resilience
The US authorities recognise that cyberspace functions like a market in which cybersecurity measures remain at the discretion of companies. They intend to put a stop to this by means of legislative measures and incentives. Companies that hold personal data will be required to protect their clients’ privacy. Manufacturers of “Internet-of-Things” network-connected devices must present proof of the products’ security.
One of the major changes concerns the system of legal liability in the event of cyberattacks. Until now, liability for poor security mainly lay with the device user. However, the strategy document proposes a new approach: the vendors will now be liable if security flaws in their products facilitate hacking. Software and application publishers, and providers of cloud access, must redouble their efforts to secure their information networks, and provide transparent information about changes to the source code of their software products.
Lastly, another crucial measure proposes to introduce a Federal insurance backstop, financed through public funds, for responding to cyber-risks. This initiative will enable private insurance companies to offer a broader scope of cover, while requiring that entities seeking this protection adhere to a minimum level of security measures.
4) Invest in a resilient future
This pillar restates the importance of the United States maintaining a technological edge over its adversaries. The Federal Cybersecurity Research and Development Strategic Plan has been updated with a view to advancing scientific research in three key areas: a new generation of hardware, quantum computing, and artificial intelligence. The NCS also contains a large-scale training programme designed to deliver a workforce proficient in cyberdefence. Lastly, the document stresses the importance of making the USA’s electricity grid more resistant to cyberattacks, through the Department of Energy’s chosen protocol.
5) Forge international partnerships to pursue shared goals
The United States remains firmly committed to a “democratic” Internet, and clearly identifies China, Russia, Iran and North Korea as potential threats. By harnessing its involvement in the Declaration for the Future of the Internet, the United States plans to collaborate with its strategic, commercial and diplomatic partners to combat malicious cybernetic organisations.
The US cyberdefence services will exchange information with their counterparts in allied countries on identified threats and which measures to apply, and will provide direct assistance to partners who have fallen victim to cyberattacks.
How will this strategy be applied in reality?
This text, the product of theoretical work, is evasive on the question of its application. According to the Government Accountability Office, in an appraisal issued in June 2023, the document lacks information about funding the strategy, deadlines for implementation, and how the roles will be divided between the various federal agencies concerned.
The White House announced that it would provide more details during the summer of 2023. Two events nevertheless confirm the importance of this strategy and its upcoming implementation. First, a circular published on 27 June 2023 asked agencies and departments answerable to the US government to formulate their budget for the fiscal year 2025 (which the President will submit to Congress for approval) using the pillars of the strategy as their template. These budgets will be reviewed by members of the Office of the National Cyber Director, who will subsequently identify any problems and propose alternative wording if applicable.
Finally, in May 2023 the US Department of Defense published a complementary document along similar lines to the NCS. Entitled the 2023 DoD Cyber Strategy, it advocates the creation of an official line of cyberdeterrence applied to the United States’s armed forces (US Air Force, Navy, Marines…). This second document specifies that even where no conflict has been openly declared, operations will be deployed in cyberspace if necessary to eliminate threats against the United States and its allies. More than a series of military operations, this cybersecurity strategy mobilises all suitably resourced civil stakeholders to seal off the US cyber environment. A great deal of attention will therefore be directed toward its development.