White House shares cybersecurity strategy details

The White House has now unequivocally signaled its intention to leverage the combined weight of Federal agencies and forthcoming legislation to require as many organizations as possible to improve their cybersecurity.

The implementation plan outlined by the Biden administration specifically states will ask regulators across multiple industries to outline how they will use their existing authority to establish cybersecurity requirements to mitigate risks, identify gaps, and create proposals to close them. Furthermore, the administration will work with Congress to pass legislation to close any current gaps that might exist in statutory authority.

Given the current political climate that may be a lot more easily said than done, but both major political parties recognize that cybersecurity is now a major national security issue on par with any other defense spending initiative. It’s simply not possible to defend national interests if the means by which it is enabled are crippled by a cyberattack.

The implications of this approach for cybersecurity professionals are going to be profound. There are still lots of devil in the details to work through but the days when investments in cybersecurity were kept to a bare minimum are now all but over. Organizations will be held accountable not only for protecting the data they collect but also for the security of any application they build or deploy.

On the plus side, the Federal government is going to back those mandates up with education initiatives that will be driven by public-private partnerships that will include providers of technology solutions, academia, cybersecurity training firms, academia, and the open-source community. The goal is to ensure that hardware and software are both secure by design and secure by hardware.

In total, the implementation plan describes 65 initiatives complete with due dates spanning everything from how to disrupt the operations of adversaries to how cybersecurity incidents should be managed. In effect, every organization is now expected to contribute to the cyberwar effort.

Of course, successfully waging war requires insight into the tactics being employed by your enemy. This is an area that has been especially problematic because so many organizations are loath to disclose they’ve been breached or whatever other intelligence they may have collected the hard way. experience. The absence of shared intelligence, however, only plays into the hands of adversaries that benefit from being able to operate in the shadows.

U.S. law enforcement agencies, in the meantime, are now trying to discourage that behavior by holding cybersecurity professionals that work for public companies more accountable for their actions. However, those efforts may simply wind up driving the best and cybersecurity brightest into the private sector.

Regardless of the type of organization any cybersecurity professional works for, however, the level of scrutiny being applied to every aspect of cybersecurity is increasing. Most of that will be welcome in the sense that the more attention paid to cybersecurity by senior leaders in the organization the easier it becomes to justify investments. The downside, of course, is that there are now a lot more mandates being created by individuals that don’t always have the deepest appreciation for all the nuances that need to be mastered when defining a successful cybersecurity strategy.