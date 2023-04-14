



In March 2023, the Biden administration released a new National Cybersecurity Strategy, which makes clear that the time for private companies to voluntarily opt for cybersecurity is long over. Instead, the new strategy promises to support new regulatory frameworks that will shift responsibility and create incentives for private companies to defend against critical vulnerabilities. This article discusses three concrete things business leaders should know about the new strategy. First, each business will need to identify its distinct vulnerabilities and risks. Second, companies will then need to adopt measures to address these vulnerabilities. Third, the strategy states categorically that it will push for legislation to hold these companies accountable when they fail to meet the duty of care they owe to consumers, businesses or critical infrastructure providers.

Continued disruptions to critical infrastructure and theft of personal data make it clear that market forces alone have not been enough to drive widespread adoption of cybersecurity and resilience best practices.

Voluntary progress towards better cyber hygiene by the private sector is no longer enough. Instead, the new strategy promises to support new regulatory frameworks that will shift responsibility and create incentives for private companies to defend against critical vulnerabilities.

Why a public sector document is fixed on the private sector

The private sector has come to the attention of a cybersecurity-wary public sector due to a slew of high-profile cyber incidents in recent years. In 2017, consumer credit bureau Equifax suffered a breach that compromised the personal information of more than 143 million Americans, resulting in a $425 million settlement with the Federal Trade Commission. Malicious actors are increasingly using ransomware against US companies, demanding large payments to restore access to encrypted systems or to withhold stolen data from publication.

Ransomware continues to be a popular tactic among criminals precisely because these campaigns have often generated lucrative payouts. According to Comparitech's analysis of US ransomware incidents, ransomware attacks against US businesses cost $20.9 billion from 2018 to 2023, with an average ransom demand of $4.15 million for companies affected in 2022. For example, Colonial Pipeline, which transports 100 million gallons of fuel per day, or 45% of all fuel used on the East Coast, suffered a devastating ransomware attack in 2021, the largest publicly disclosed attack on critical US oil infrastructure to date. The perpetrators, the DarkSide group, stole 100 gigabytes of data in two hours and threatened to release it unless the company paid 75 bitcoins, worth around $5 million at the time. Colonial Pipeline paid within hours, under pressure from the disruptive nature of the attack.

No part of the economy is immune. As a 2021 survey from the Center for Strategic & International Studies indicated, 42% of small and medium-sized businesses experienced a cyberattack in the past year, and estimates suggest that 40% of cyberattacks in 2021 targeted small and medium-sized businesses, with attacks against these businesses increasing by 150% over the past two years. The data and revenue that can be extracted from them may be smaller than from large companies like Microsoft, but small and medium-sized businesses also have fewer resources to devote to robust cybersecurity. In some cases, these companies simply have no dedicated cybersecurity staff at all.

Three things companies need to know about the national cybersecurity strategy

While the 39-page document features bureaucratic buzzwords like harmonize, stakeholder and multilateral, we’ve identified three concrete things business leaders should know about the new strategy.

First, each business should identify its distinct vulnerabilities and risks. The Biden administration's strategy makes it clear that the time for companies to voluntarily opt into cybersecurity is long over. Instead, they should take proactive steps to test and understand their threat landscape. Organizations should perform formal vulnerability scans and penetration tests that identify potential points of entry. Whenever possible, companies should hire ethical hackers organized as red teams, who simulate sophisticated cyberattacks and reveal if and how adversaries could access sensitive data or disrupt networks. Companies should also vet third-party service providers and software vendors carefully to minimize the risk of attacks arriving through the supply chain.

Second, companies must then adopt measures that address the vulnerabilities they have identified. As part of this step, they should take advantage of the strategy's promises of public-private collaboration, in the form of information sharing as well as practical advice and support on how to navigate the cyber threat environment. More generally, they should take preventative measures, including patching known vulnerabilities before they are exploited, providing regular security training to employees, and deploying anomaly detection tools, while ensuring they have incident response plans that can limit the scale and damage of successful intrusions.

Third, companies need to recognize that one cybersecurity solution won’t fit all. An important subtext of the strategy is the emphasis on setting more aggressive regulatory standards for large enterprises, critical infrastructure and software vendors.

The strategy categorically states that the lack of mandatory requirements has led to inadequate and inconsistent results, and it will push for legislation to hold these companies accountable when they fail to meet the duty of care they owe to consumers, businesses or critical infrastructure providers. These companies may in turn seek to shape that legislation and the accountability it imposes, but the strategy makes it clear that more of the responsibility for finding and fixing vulnerabilities will fall to larger companies, where the stakes are higher and resources more abundant. Small businesses are not (yet) in the crosshairs, but they are not out of the woods either. They should also seek opportunities for collaboration, such as the National Institute of Standards and Technology's recently launched initiative to foster communication among small businesses.

When it comes to the practical implications of the Biden administration's new national cybersecurity strategy for American industry, the devil will be in the details. The document includes the fundamental pillars and lofty goals we would expect, given that cyberspace is arguably now the backbone of America's national economy. The trick will be to turn those goals into workable requirements while accounting for the realistic challenges of identifying and correcting all vulnerabilities, and for the risk that inadequate care will affect not just individuals, but the entire global economy.

