Everything you need to know about the National Cybersecurity Strategic Plan 2023 by the US government

It was in 1997 when the paralyzing effects of the imminent dangers of the cyber landscape on citizens and economies were first brought to light by the Clinton administration in the US through the Commission on Critical Infrastructure Protection report. Fast forward a quarter of a century; the Biden administration has published a national cybersecurity strategic plan to protect the United States in the online realms. Rising geopolitical tussles increased attack surfaces, and the severity of cybercrimes and their devastating impact on citizens have been pivotal to the launch of this plan spearheaded by the US Department of Defence (DoD), Cybersecurity and Infrastructure Security Agency (CISA) and President of the US office (POTUS).

The mandate was based on two key findings. First, despite private businesses being allowed to follow cybersecurity guidelines voluntarily, they couldn’t prevent nation-state-sponsored cyberattacks and major infiltrations by cybercriminals. Second, there was a realization that cybercriminals will always find a way around purely defensive measures. This has led the Government to devise a strategy that requires large businesses to shoulder the responsibility of launching high-end products and services and redesigning the digital ecosystem to ensure improved cybersecurity. With built-in security by design assured by the conglomerates, smaller units can be trained and empowered to become resilient for the future. This has led to the growing relevance of global cybersecurity consulting firms as they can efficiently guide small and mid-sized businesses on the necessary steps to safeguard themselves from cyberattacks.

Presently, the US National cybersecurity strategic plan rests upon 4 pillars. The first is the defense and resilience of cyberspace. Risk reduction forms the second pillar. The third is to strengthen operational collaboration on a national scale between the public and private sectors. While the fourth and final pillar aims to break down organizational silos, boost the agency's value, and increase stakeholder satisfaction.

The most crucial aspect of Biden's strategic plan is that it goes a step ahead of just elaborating measures to combat offensive operations by hostile actors to hack into US networks. Instead, the strategy moves beyond the traditional cyber policies and provides enhanced focus on countermeasures, making it both defensive and broadly offensive.

As this strategy plan mentions, critical infrastructure pertains to key performing sectors, including banking, finance, electrical power, water works, transportation systems, telecommunications, and emergency management services. The new strategy makes it mandatory, instead of voluntary, for businesses to be more transparent about their regulatory approaches, product/service codes, digital infrastructure, and policies revolving around their workplace and trade. This means businesses must be more prompt and upfront while reporting potential or confirmed attacks.

The new plan shapes a more aggressive 'hack-back' approach to dealing with foreign adversaries. Imbibing lessons from recent turbulent scenarios and revisiting the guidelines set by former administrations, the strategy marks a paradigm shift towards a more stringent cybersecurity regulation. Characterized by an inclusive and sensible approach, it recognizes that there is no one-size-fits-all policy framework to protect different industries. Instead, it takes a sector-by-sector approach to advise cybersecurity practices and policies relevant to the corresponding industry. Moreover, the strategic plan allows for protecting new sectors, such as space systems or cloud service providers, within critical infrastructure. It will also evaluate whether existing risk management agencies have enough resources or power to oversee cybersecurity efforts in their respective sectors adequately.

Following closely on the heels is the new policy on the cyber workforce, training, and education strategy. This initiative has been undertaken to align the disparate hiring and retention of cybersecurity professionals. It will help the public and private sectors better recruit, develop and retain cybersecurity employees. Moreover, the federal zero trust strategy is a critical mandate launched by the US Government soon. It will focus on a formally structured framework that evaluates and monitors how public and private enterprises and institutions fund, strategize and implement the ZT architecture and methods.

Businesses must accelerate their policy implementations and ensure compliance with the new cybersecurity strategy plan in a fast-moving and ever-evolving world. Collaborating with a global cybersecurity consulting firm will enable them to assess their strengths and weaknesses while aligning their cyber resilience requirements with their business goals.