The US has announced its National Cybersecurity Strategy: Here’s what you need to know
In 2022, the average cost of a cybersecurity attack was more than $4.5 million, according to IBM. Image: Unsplash/David Everett Strickler
Listen to the article
- The White House released the new US National Cybersecurity Strategy in March 2023.
- The framework seeks to protect critical infrastructure, including hospitals and clean energy facilities, from cyberthreats.
- It also aims to increase collaboration with international coalitions and partnerships to counter threats to the digital ecosystem.
The US government is continuing efforts to strengthen the country's cybersecurity prowess as well as bolster its overall technology governance strategy.
Earlier this month, President Joe Biden released a new National Cybersecurity Strategy, which outlines steps the government is taking to secure cyberspace and build a resilient digital ecosystem that is easier to defend than attack — and that is open and safe for all.
"When we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.
The strategy is part of a larger effort by the Biden administration to strengthen cyber and technology governance. This included efforts to increase accountability for tech companies, boost privacy protections and ensure fair competition online.
Why does the US need a National Cybersecurity Strategy?
The world is increasingly complex and cyberthreats are growing more sophisticated, with ransomware attacks running into millions of dollars in economic losses in the US. In 2022, the average cost of a ransomware attack was more than $4.5 million, according to IBM.
The greatest risks we face are interconnected, creating the threat of a "polycrisis", whereby the overall combined impact of these events is greater than their individual impact.
This is equally true of technological risks, where, for example, attacks on critical information infrastructure could have disastrous consequences for public infrastructure and health, or where growing geopolitical tensions heighten the risk of cyberattacks.
Cybercrime and cyber insecurity were seen by risk experts surveyed for the World Economic Forum's Global Risks Report as the 8th biggest risk in terms of severity of impact, across both the short term (next two years) and over the coming decade.
In 2022, state-sponsored cyberattacks targeting users in NATO countries increased by 300% compared to 2020, according to Google data.
With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".
“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.
The Forum's Global Cybersecurity Outlook 2023 also found that 93% of cybersecurity experts and 86% of business leaders believe that global instability will have a negative impact on their ability to ensure cybersecurity over the next two years.
Robust cybersecurity is key to building on the promise of emerging technologies to enable growth and shared prosperity, while minimizing the perils they pose.
As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defence.
"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."
What are the 5 pillars of the National Security Strategy?
The COVID-19 pandemic accelerated the world's digital transformation, which means we rely on connected devices and digital technology to do more than ever before – putting our lives and livelihoods at greater risk from cyberthreats.
The US' National Security Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".
It also seeks to build cyberspace resilience by balancing the need to address immediate threats, with incentivizing investment in the secure, long-term future of the digital ecosystem.
How is the Forum tackling global cybersecurity challenges?
Each of the five pillars it sets out are broken down into strategic objectives, but here's a quick overview of what they entail:
1. Defend critical infrastructure
To build confidence in the resilience of US critical infrastructure, regulatory frameworks will establish minimum cybersecurity requirements for critical sectors.
2. Disrupt and dismantle threat actors
Working with the private sector and international partners, the US will seek to address the ransomware threat and disrupt malicious actors.
3. Shape market forces to drive security and resilience
Grant schemes will promote investment in secure infrastructure, while liability for secure software products and services will be shifted away from the most vulnerable and good privacy practices will be promoted.
4. Invest in a resilient future
A diverse cyber-workforce will be developed and cybersecurity R&D for emerging technologies including postquantum encryption will be prioritized.
5. Forge international partnerships to pursue shared goals
The US will work with its allies and partners to counter cyberthreats and create reliable and trustworthy supply chains for information and communications technology.
How do the Forum’s cybersecurity efforts support the priorities identified in the US strategy?
In response to the need for global public-private collaborative efforts to address the growing cybersecurity challenges, the World Economic Forum launched the Centre for Cybersecurity in 2018.
The Centre's community, which spans over 150 organizations from the public and private sector, has identified three key priorities: building resilience, strengthening global cooperation to address cyberthreats, and understanding future networks and technology to build trust.
To build resilience and help to protect critical infrastructure from cyberattacks, the Forum has convened stakeholders from across the oil and gas and electricity industries and developed best practices to address shared challenges. These include leadership responsibility for organizational security and resilience across the supply chain, among others.
Moreover, the Forum’s Partnership against Cybercrime initiative released recommendations for public and private organizations that aim to facilitate dialogue and cooperation on confronting cybercrime. Building on these recommendations, at the Annual Meeting 2023, the Forum — with support from Fortinet, Microsoft, PayPal and Santander — launched the Cybercrime Atlas, an initiative to map cybercriminal activities and identify joint public and private sector responses.
To ensure that technologies are more secure and trustworthy, the Forum also launched a Digital Trust Initiative that focuses on better decision-making around cybersecurity, privacy, human rights and ethics. The initiative's latest report emphasizes the need for a comprehensive view on technology development that protects and supports individual citizens and their rights and values.
The Forum, in partnership with UC Berkeley’s Center for Long-Term Cybersecurity, is also working on the Cybersecurity Futures 2030 programme — a foresight-focused scenario planning exercise to inform cybersecurity strategic plans around the globe.
As the Forum's Global Cybersecurity Outlook 2023 notes, cybersecurity is increasingly influencing how and where businesses invest, with half re-evaluating the countries they do business with. A lack of skilled cyber-experts is another threat to business and societies, the report found, with key sectors such as energy utilities reporting a 25% gap in critical skills.
The report also provides recommendations on what leaders can do to secure their organizations in the year to come.