
Here's Why The New U.S. National Cybersecurity Policy Needs Some Minor Tweaks


The majority of Americans who stay up to date on cybersecurity news are aware that the Biden-Harris Administration announced its new "National Cybersecurity Strategy" early this year.

Immediately after taking office, this administration had to cope with the consequences of the major SolarWinds data breach and a widespread panic on the eastern seaboard spurred on by the Colonial Pipeline ransomware attack. 

The administration quickly issued executive orders focusing on cybersecurity and pushed for laws that would improve the national infrastructure of the United States for the government, businesses, and citizens in response to this "trial by fire." 

The strategy, widely acclaimed by the cybersecurity world, is comprehensive and ambitious. Even so, numerous experts feel that the document needs to improve on several of its points.

The first critical point specified in the strategy's announcement was: "We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organisations that are most capable and best-positioned to reduce risks for all of us." 

That appears to be an excellent premise, and experts concur to some extent. Infrastructure companies in the United States (think of your internet service provider as well as the Amazons and Metas of the world) should be more aggressive in recognising threats and protecting their clients and users from them. They could certainly play a more prominent role in this fight, rather than simply promising to provide their end customers with after-the-fact tools to combat the onslaught of cyberattacks.

The worry here is the perception that this will create for individuals and small enterprises. Herd immunity also applies to cybersecurity. We are all connected thanks to email, messaging, social media, and other technologies. The huge infrastructure providers can only do so much, and phishing will remain a serious issue even if ISPs turn their detection up to 11. 

Experts are concerned that a large number of people and small businesses will assume everything is taken care of for them and, as a result, will not invest in cyber awareness training, threat detection systems, and other measures. If the Biden administration does not clarify this, it could leave US citizens less secure.

The strategy's second point is as follows: "Disrupt and Dismantle Threat Actors - Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States…" 

This is just another fantastic point. Whoever the "malicious cyber actors" are, it is critical to confront and combat malicious software that infects and impairs the operations of an organisation or government. Ransomware, banking trojans, and other malicious software are practically uncontrollable and rampant. 

The difficulty here is the overarching question of what a "threat actor" and a "threat" are in the eyes of this executive order. For years, foreign intelligence agencies have used social media platforms in the United States to spread disinformation, dividing society and eroding confidence. While there is no doubt that obviously false information should ideally be removed from the public forums that are the major social media platforms, the worry here is that a large number of individuals already believe they are reading the truth when they are reading disinformation.

Under the cover of "public safety," some may perceive this executive order as an attempt to suppress any information that does not agree with the President's (or government's) existing point of view. There has yet to be a perfect approach for identifying and removing only misinformation. Inevitably, factual information will become entangled in the removal process, reinforcing, among those who believe disinformation, the conviction that there is a conspiracy at work when there isn't.

The administration's best chance is to clarify the term and define specifically what "public safety" means in this case. Any executive order must have teeth in order to be effective. Failure to comply must result in financial penalties, the loss of the right to conduct business, and possibly even jail time. So the question is, which agency is most prepared to be the order's enforcer? 

The Cybersecurity and Infrastructure Security Agency (CISA) appears to be the best fit. Staffed with true cybersecurity professionals and executives, it looks like a no-brainer. However, it is one of the worst choices for enforcement.

CISA's objective is to be a partner to all critical infrastructure sectors. The agency provides helpful support, education, and a variety of other services, ultimately making it a trusted partner for the entire country. Requiring CISA to enforce cybersecurity rules goes against its basic objective. If that were to happen, firms would perceive CISA as a threat rather than a beneficial resource.