NetworkTigers discusses the US national cybersecurity (so-called Biden-Harris) strategy and what it means for small businesses.
Small businesses can take comfort in the new US national cybersecurity strategy. This new strategy attempts to share federal resources, refocus national priorities on cybersecurity, and support small to medium-sized businesses. With the launch of this March 2023 development, the US national cybersecurity team signals its willingness to take cybersecurity risks more seriously and to alleviate the burden that has fallen chiefly on individual businesses to combat cyber threats. Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), argued only last month that “incentives for developing and selling technology have eclipsed customer safety in importance … the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”
What is the timeline for the US strategy?
This national approach is set to take place over the next ten years, or this “decisive decade,” according to a government briefing. Over this period, the new plan revolves around two main goals:
- Rebalancing responsibility. Small to medium businesses often bear an unfair burden when assessing, analyzing, and responding to the seemingly endless barrage of cyber-attacks that come their way. According to Accenture’s Cost of Cybercrime Study, a disproportionate 43% of cyberattacks are aimed at small businesses—meanwhile, only 14% of small businesses self-assess as ready to respond to a sophisticated cyber threat. The federal government and industry leaders can take on a more significant role in helping respond to and divert threats away from smaller businesses.
- Favoring long-term investments. Cybersecurity as a threat is not going anywhere. Cybercrime has risen by 600% in recent years, partly due to the onslaught of the COVID-19 pandemic and the broader shift in business priorities towards online transactions. Cybercrime is expected to grow by an estimated 15% each year over the next five years, representing one of the most significant wealth transfers in history if it runs unchecked. Acknowledging this ongoing threat, the new plan seeks to prioritize long-term investment in cybersecurity over quick fixes.
The Pillars of the US cybersecurity strategy
The new cybersecurity strategy is built around five pillars to achieve the above two main goals:
- Defend critical infrastructure. According to the release, the US cybersecurity team is upgrading national networks. In addition, the launch of the Civil Cyber Fraud Initiative is one example of how the federal government has begun to crack down on contractors and other businesses that receive public funds but fail to meet minimum cybersecurity standards. Under the initiative, whistleblowers can now report companies that receive government funding and conceal cybersecurity breaches or existing threats, or that fail to meet minimum security standards. Whistleblowers may be able to receive a reward for their information.
- Disrupt and dismantle threat actors. The US strategy recognizes cybersecurity as a national security threat and an economic risk. With that in mind, cyber criminals will be treated as threat actors.
- Shape market forces to drive security and resilience. New federal grant programs may allow businesses to make necessary cybersecurity upgrades and investments. Additionally, these programs will help improve data privacy.
- Invest in a resilient future. New cybersecurity technologies, such as post-quantum encryption and computing, clean energy infrastructure, and the development of AI strategies, all require public investment to make them successful and scalable.
- Forge international partnerships to pursue shared goals. Repressive regimes that restrict free and open internet access may find themselves outside of new US partnerships, which will be calculated in alignment with democratic values.
What can businesses do to align themselves with this new national approach?
While the average small business likely can’t create international alliances or dismantle threat actors, many steps can be taken to apply the new US cybersecurity strategy to your IT infrastructure. Here are five strategies that complement the government’s latest approach, aligning your business with the national conversation and allowing you to take full advantage of recent developments.
- Apply for cybersecurity grants and funding. New programs, scholarships, and incentives may be available to help your small business afford cybersecurity upgrades and help diverse populations access STEMM and cybersecurity training more equitably. Contact the Small Business Administration for more information about what kinds of businesses and business owners qualify for loans and grants.
- Invest in long-term solutions. Cyber threats will only grow in the coming years, and the new US cybersecurity strategy approach asks that everyone take the risk seriously. If you must decide between a temporary patch and a longer-term solution, go with the lasting upgrade.
- Implement Zero Trust Architecture. Executive Order 14028 began to restructure federal digital security under the zero trust assumption. Zero trust architecture assumes that a threat is always present and removes implicit trust from every access stage. Some zero-trust steps you can implement in your business are using multi-factor authentication, encrypting data, adopting cloud security tools, removing legacy access, and replacing outdated legacy systems.
- Report existing threats. One essential step in defending critical infrastructure is reporting known threats. Don’t sweep concerns under the rug or assume they’ll be solved with time. Escalate existing threats to the appropriate law enforcement agency. The new plan aims to ease the response burden away from individual businesses and utilize government resources.
- Consider collaborating. While you may not want to collaborate internationally, smaller-scale technology conferences and IT-sharing seminars are available for many small businesses in the United States. By sharing our concerns over recurring threats, we can help ensure that they are addressed and taken seriously by organizations with the infrastructure to help.
While the new US cybersecurity approach is meant to shift the responsibility of responding to cyber threats away from small businesses, it can’t be accomplished alone. The plan relies on international collaboration, large-scale buy-in, and a new national focus from everyone to ensure that data privacy is taken seriously for the next ten years and beyond.