The US White House has released its National Cybersecurity Strategy as it looks to firm up its armour against a growing number of cyberattacks.
According to Security Week, the strategy pushes mandatory regulation on critical infrastructure vendors and green-lights a more aggressive ‘hack-back’ approach to dealing with foreign adversaries and ransomware actors.
The government said it plans to use existing authorities to set necessary cyber requirements in critical sectors, where there are often legal gaps around authority.
The document argued, “[While] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes,” the document argues, calling for a dramatic shift of liability “onto those entities that fail to take reasonable precautions to secure their software.”
“In setting cybersecurity regulations for critical infrastructure, regulators are encouraged to drive the adoption of secure-by-design principles, prioritize the availability of essential services, and ensure that systems are designed to fail safely and recover quickly. Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements.”
Security Week noted that the strategy seeks to defund critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.
The strategy is also focused on giving high-level authorisation to law enforcement and intelligence agencies to ‘disrupt and dismantle threat actors’ including foreign APT campaigns and data-extortion ransomware groups.
The White House commented, “Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals,” the White House stressed, noting that the federal government will increase the speed and scale of information sharing to proactively warn of looming threats.
“The Federal Government will work with cloud and other internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, make it easier for victims to report abuse of these systems, and make it more difficult for malicious actors to gain access to these resources in the first place.”
The White House has also discouraged the payment of data-extortion ransoms to cybercriminals, stating that the most effective way to undermine the motivation of these criminal groups is to reduce the profit potential.
The strategy said, “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.”
Late last year, the chemical sector said it was set to take up the 100-day cyber sprint proposed by President Biden to sharpen the industry’s focus on the topic.
Copyright © 2023 RegTech Analyst
Copyright © 2018 RegTech Analyst
