We don’t know exactly what will be in the upcoming national cybersecurity strategy. But, as FTI Consulting’s Anthony J. Ferrante explains, the policy will almost certainly be an improvement on the status quo.
National Cyber Director Chris Inglis has said the Biden Administration plans to release a national cybersecurity strategy this year, perhaps as early as the end of this month. The strategy, and the corresponding efforts of Inglis, aim to “more forcefully use government power in the cyber arena,” according to reports.
Without seeing the actual proposed policy, whether this explicitly means expanded government oversight related to cybersecurity protections of the nation, an increased regulatory response — or both — is not yet clear. Regardless, it can be expected that the desires of the U.S. government and President Joe Biden are to take the genuine cybersecurity threat more seriously and offer a more active role in helping organizations, both in the public and private space, combat cyber attacks.
What this means for organizations
- Industry tends to follow government guidance. Even if Inglis’ strategy does not directly impact specific industries, it is likely that the private sector will look to introduce similar standards. This may not happen immediately, but it would be wise for organizations across all industries to anticipate increased expectations for their cybersecurity preparedness programs. Instead of waiting to see what happens, organizations should work to get ahead of potential demands.
- Ignorance is not an acceptable excuse. If an organization lacks basic cybersecurity controls needed to protect critical assets — customer information, intellectual property, etc. — then they can be held responsible for any resulting damages. The expectation from the government and the public is that organizations are doing everything in their power to mitigate cyber risk.
- Audits and requirements will increase. Increased government oversight and involvement likely means additional audits, new compliance requirements and baseline standards. In preparation, organizations should evaluate their cybersecurity processes and programs to identify gaps and vulnerabilities. This will reduce potential government penalties and better position organizations to deter and respond to cyber attacks.
- Meeting demands will be challenging. The national cybersecurity strategy is expected to be “tough” and demanding. Without a dedicated team and plan of attack for assessing and improving programs and processes, organizations will be faced with answering challenging questions from regulators, stakeholders and customers, negatively impacting their viability and reputation.
Potential outcomes
Ultimately, a national cybersecurity strategy is a positive development. In theory, increased supervision and participation from the government will keep organizations honest about their cybersecurity efforts and hold them responsible for their protective measures. This should also have the corresponding effect of making organizations more resilient to attacks, which would positively impact larger cybersecurity issues, like reducing successful ransomware campaigns.
However, none of this is achievable or possible without genuine government involvement. Industry cannot combat cyber threats alone. A partnership with the government, which comes with additional resources and legal authority, is essential to mitigate risks from sophisticated threat actors and powerful nation-states.
Equally as important to the success of government collaboration is that this relationship must not become a hindrance. Instead, a cooperative in which intelligence is shared and resources are pooled is vital. Otherwise, Inglis’ plans to “more forcefully use government power” will become a deterrent, where organizations are more focused on compliance and avoiding penalties and less on becoming resilient to attack.