The US government has released a national cybersecurity strategy designed to strengthen private sector resilience against cyberattacks while giving law enforcement and intelligence services more freedom to target advanced persistent threat (APT) groups and ransomware criminals. The five-pillar strategy is launched as the number of cyber threats faced by private and public organisations in the US continues to rise.
The 38-page proposal reclassifies ransomware as a “threat to national security, public safety, and economic prosperity”, and pinpoints the threat posed by cybercriminals operating from “safe haven” nations such as China, Russia, the Democratic Republic of North Korea (DPRK) and Iran.
US cyber strategy takes a hard-line stance on the foreign cyber threat
The five pillars of the strategy are to defend critical infrastructure, disrupt and dismantle criminal gangs, shape market forces to drive security and resilience, invest in a resilient future, forge international partnerships and pursue shared goals.
Released yesterday, the new strategy plans to harness “all elements of national power” to mitigate against the international cyber threat. Practically, this means that the US will allow its law enforcement services and intelligence services to take a more active approach in combating state-sponsored hackers and Ransomware-as-a-Service (RaaS) gangs, such as LockBit, which sell malware to other criminals.
“The administration is committed to mounting disruption campaigns and other efforts that are so sustained, coordinated and targeted that they render ransomware no longer profitable. The Joint Ransomware Task Force co-chaired by CISA and the FBI will coordinate, de-conflict and synchronise existing interagency efforts to disrupt ransomware operations and provide support to the private sector to increase their protections against ransomware,” the strategy reads.
The cyber proposal also puts more responsibility on the shoulders of software providers to strengthen their own protections against malicious hackers. Many of the vulnerabilities used by cybercriminals as initial entry points have patches and workarounds available online. The cyber strategy will boost the minimum standard of security to minimise these easy-to-rectify faults.
“[While] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes,” the document says, calling for a dramatic shift of liability “onto those entities that fail to take reasonable precautions to secure their software”.
Cybersecurity strategy could boost US trade with Europe
Heightening the base level of security will also mean that many US businesses will have more of a chance of trading with countries within the EU, something that has been difficult for US businesses that fail to meet the high standards of data protection set out by the Bloc’s GDPR legislation, explains Aaron Kiemele, CISO at software company Jamf.
“It seems some of this is an effort to align our practices with Europe so we can trade there without restriction,” Kiemele says. “Currently our regulatory infrastructure is considered too weak to support unfettered data transport to the US, which means companies need to put their own controls in place to confirm their compliance with EU privacy laws.”
But raising levels of liability and apportioning blame can be risky in an ever-changing landscape, Kiemele adds, and must be approached cautiously:
“Liability for flaws exposed in software is more dangerous,” he says. “That will be a fine line to draw. All software is vulnerable in some way to future exploitation. If a new issue arises and causes widespread impact, that doesn’t mean that the software vendor was negligent.
“You can do everything right and still be impacted by a security incident. That being said, there are plenty of old vulnerabilities that remain unpatched for years.”
But by introducing these rules, the US government hopes it will be able to come down hard on cybercriminals, explains Michael McPherson, SVP of security operations at ReliaQuest: “Agencies like the FBI will continue to play a leading role in coordinating efforts and driving these disruption operations,” he says. “While there will be enormous challenges for collaborating with the private sector, this strategy outlines it is imperative to national security.”