It’s often said that the wheels of government move slowly, but the persistent rise in cyberattacks has greased the gears of government to finally move forward with some urgency to address this critical issue. With a National Cybersecurity Strategy anticipated to roll out in the coming weeks, the public and private sectors are eagerly awaiting the outcome.
The White House Executive Order on Improving the Nation’s Cybersecurity in May 2021 was the first notable progress marker, outlining steps for the federal government to take towards modernizing the nation’s cybersecurity. This has been furthered by the funding Congress provided to the Cybersecurity and Infrastructure Security Agency, significantly over the requested budget, and Biden’s recent signing of the Quantum Computing Cybersecurity Preparedness Act into law. A vocal push for the release of this national strategy has brought the nation to where it is now, and with the rise of cyberattacks we have seen in the last year or so, it is abundantly clear this is needed sooner rather than later.
With the details that are available, there are some predictions that can be made around what to expect in the Biden Administration’s soon-to-be-announced cybersecurity plan.
National Cybersecurity Strategy predictions
Here are some top areas that may make their way into the strategy:
Expanded regulations for the private sector: Successfully strengthening the nation’s cybersecurity posture is an all-hands-on-deck situation. Cybersecurity’s role in the private sector cannot be overlooked. How enterprises secure their infrastructure, supply chains, customers and data has a colossal impact when it is not done properly, as seen by SolarWinds. While technology is difficult to regulate, stronger security requirements within the private sector are necessary to the nation’s overall cyber hygiene. Expanded regulations will likely take form with a ‘shared responsibility’ model in mind, fostering a deeper public-private partnership between government and industry. This model would force organizations to be more proactive when it comes to security, like reporting ransomware attacks as they occur to provide real-time insight on the state of cyberattacks impacting private industries. For all of this to work, it is time to move beyond guidelines and put in place mandated data security regulations.
Focus on international cyber threats: Use of cyberthreats by nation-state actors is growing on an international scale. In early 2022, we saw Iranian government-sponsored hackers use Log4j to infiltrate a U.S. agency network, spotlighting the need for further protection of critical infrastructures. The increasing hacking attempts on water systems and the agriculture industry also further the need for stronger defenses against international cyber threats. We can expect the framework to provide guidance for these infrastructures to bolster their security.
Addressing the talent gap: Getting ahead of today’s threats requires talent that’s ready for the challenge. Unfortunately, the cyber workforce gap is up 26% compared to 2021 and the industry requires 3.4 million more workers than are currently available to effectively secure assets. This talent gap is hindering progress in all industries and sectors. Outlining a plan to increase workforce development can be expected to provide the necessary security resources to fill this current gap.
These areas will be instrumental in moving our nation toward where we need to be when it comes to security. While any progress is good progress for cybersecurity in the U.S., this is a complex undertaking with many layers to consider.
Future areas for consideration
While we can expect some of these urgent items to be addressed in the strategy, there are still lingering issues that may not make the first cut. Some topics that may not take priority this year, but should be considered as we move forward:
Improving cybersecurity education: Humans are often the weakest link when it comes to security. Effectively improving the nation’s security requires everyday citizens to be better versed in cyber literacy to protect themselves and their employers. The real threats to the everyday citizen are through personal and work devices. Recent breaches from large corporations including Bed Bath & Beyond, Uber and Okta all resulted from employee error. Creating accessible knowledge through regulation will help the public to better discern and remain protected from the real threats aimed at them.
Enhancing data privacy and protection: Unprotected data has become a national cybersecurity risk, with nearly half of US consumers reporting being victims of a data breach – the highest global rate. With no national framework around data privacy in place, and a growing trend around the lack of consumer trust, data provenance is at the center of security discussions. The public’s data is increasingly being put at risk and demand will grow for organizations and government agencies to take provenance more seriously. Revisiting a privacy bill of rights or developing new guidance, whether state or national, will be fundamental in the near future.
The role of encryption: Encryption is the only solution that can ensure data protection across digital technologies, while providing compliance with various regulations like the General Data Protection Regulation and the California Consumer Privacy Act. With the ongoing movement of data, encryption will enable organizations to have better control over their data while leaving it unreadable and useless to anyone who tries to access it.
The future is bright for cybersecurity in the U.S.
As we await the release, there is peace of mind knowing one thing: cybersecurity can no longer take a backseat in government policy. Building a robust and national cyber strategy is a challenge, but is essential for the United States to compete in the global economy. Having national data security and privacy regulations is not only good for consumers, but it is also good for business. It’s much easier for business leaders to manage a national framework versus the regulations of fifty states.
Todd Moore is senior vice president of encryption products at Thales.