White House cybersecurity message heard loud and clear in corporate boardrooms

Cybersecurity is in the news yet again, but, this time, the headlines aren’t about the latest and greatest breach (though those exploits certainly play a role). This time, the ticker surrounds the state of cybersecurity in America — and how the United States federal government is getting involved.

Digital technology, the rise in remote work, and the move to the cloud has led to a significant rise in economic growth. Unfortunately, it has also led to a less desirable jump in cyber attacks on public services and private organizations.

 

If you can believe it, the cost of cybercrime is predicted to top $8 trillion this year. Ransomware alone created a $1.2 billion dollar loss for US financial institutions. This alarming trend is causing the US national government to pay attention and place security strategy at center stage.

The National Cybersecurity Strategy: A proclamation from Washington, DC

The increase in cybercrime has created a call to action from the US Capitol to build a secure ecosystem that is “defensible, resilient, and values-aligned,” according to the recently announced National Cybersecurity Strategy. This message, coming loud and clear from Washington DC, is in many ways a follow up to the White House cybersecurity executive order that came nearly two years ago.

The White House intends to develop federal regulation to protect vulnerable critical infrastructure and will force companies that are critical to the economy and national security to improve their cyber defenses. This national cyber strategy is the result of a rise in major incidents that have impacted key public services, as well as a consensus that the US government is failing to keep the nation safe from cyber attacks from foreign governments like Russia and China.  

Let’s be clear. At this time, this is not a law, but a working White House cybersecurity strategy, announced in March 2023. It is intended to shape a stronger foundation for cybersecurity defenses with a clear allocation of roles and resources in cyberspace. The policy calls for rebalancing responsibilities by shifting the burden of cybersecurity away from small businesses, individuals, and local governments and placing it on the shoulders of organizations that are best positioned to reduce risks for all. This sounds great in theory, but it also sounds a tiny bit like risk shifting.

5 pillars of the National Cybersecurity Strategy

Let’s look at the five pillars that make up this White House cybersecurity strategy. 

1. Defend Critical Infrastructure: Expand requirements in critical sectors to ensure national security and public safety.

2. Disrupt and Dismantle Threat Actors: Use instruments of national power to make malicious cyber actors incapable of threatening the national security or public safety of the United States.

3. Shape Market Forces to Drive Security and Resilience: Place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy.

4. Invest in a Resilient Future: Lead the world in the innovation of secure and resilient next-generation technologies and infrastructure through strategic investments and coordinated, collaborative action.

5. Forge International Partnerships to Pursue Shared Goals: Work with allies and partners to seek a world where responsible state behavior in cyberspace is expected and reinforced and where irresponsible behavior is isolating and costly.

We’ll continue to follow these pillars as they become more actionable for organizations. For those interested in seeing the current requirements that shape each pillar, refer to the official National Cybersecurity Strategy documentation. 

Stricter rules, bigger penalties

At this time, there are likely more unknowns than knowns about the specifics of this national cyber strategy and how it will be executed. For now, the government can influence the behavior of corporations by increasing security requirements for federal contracts. This can create incentives for businesses to be more rigorous and implement stricter protocols. 

However, if this proposal moves into legislation, one area of major interest is the possibility to include penalties for software makers, including holding them liable for their products and services if they fail to provide fair protection from a security incident. Wow! This will definitely create a lot of work for the legal system… But I think we can all agree that the objective is on target by creating incentives that balance protection against threats with the need to plan better for a stronger future to secure national security, public safety, and economic growth. 

Blame moves to the boardroom

This White House cybersecurity strategy is also shifting the onus of cybersecurity out of the C-suite. The CEO is not only the one in the hot seat. Nor can blame be shifted to just the CISO and the security team. Now, corporate board members need to understand an organization’s cyber risk, so they can provide governance and report accurately with confidence. However, a recent analysis of board-level expertise revealed that up to 90% of companies in the Russell 3000 lack even one director with the necessary cybersecurity expertise to do so.

 

Organizations are scrambling to develop risk management plans in order to prioritize effectively and make decisions that protect sensitive information, IP, customer data, and employee privacy, without exposing the business to unnecessary risk. Given the shortage of security skills, shrinking budgets and resources in the face of inflation, compliance regulations, and an increase in sophisticated attacks, security is becoming a top business priority. Failure to protect can lead to exposure, brand damage, violations, and expensive remediation costs. 

More guidance from the SEC

In addition to this White House cybersecurity strategy, the Securities and Exchange Commision (SEC) has proposed new rules that aim to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

The proposed rules would require public companies to, among other things:

• Disclose information on material cybersecurity incidents on 8-K filings.
• Provide updates in quarterly and annual reports on previously disclosed cybersecurity incidents, or when undisclosed immaterial incidents become material.
• Describe their policies and procedures, if any, for identifying and managing cybersecurity risks. 
• Disclose boards of directors’ and senior management’s oversight and expertise in assessing and managing cybersecurity risk, and their role in implementing cybersecurity policies, procedures and strategies. 

Increased visibility, better defenses, impossible standard?

Frankly, it’s hard to know where this ball will bounce. With boardrooms getting more concerned about impending regulations and with government officials under pressure to stop the influx of attacks, we know that change is coming. At this stage, we can only speculate as to how these new regulations will impact sectors and what industries will be officially called out. For example, it won’t be surprising if healthcare is called out, with the rise in ransomware attacks that are impacting care providers across the nation. While the costs for these attacks are large, the potential disruption to lifesaving care is even more concerning. 

 

Many of us in the security industry are wondering how realistic this national cyber strategy will be when it comes to implementation. If you speak to those impacted by the requirements placed on aviation or oil and gas back in 2021, the consensus was that it was close to “impossible” to meet the strict reporting requirements. In fact, the complaining was so severe that President Biden had to revise the rules to lessen the regulations to something more feasible. 

At the end of the day, this is not a new effort. But it is a more concerted “circling of the wagons” to try and increase visibility by agencies into malicious activity and to create better defenses against cyber attackers. 

Automation can help

Organizations without an effective risk management strategy could face lost revenue due to business interruption, decreases in production, delays in product launches. With more strategic investment, organizations can look to decrease remediation costs and cybersecurity insurance premiums, prevent the loss of IP and damage to the brand, and maintain or increase company value. In the face of this White House cybersecurity strategy, it’s important to look for integrated solutions that can simplify reporting and make it easier for even non-security personnel to quickly understand their posture so everyone in the organization can work together to reduce risk based on business, operational, and financial factors. 

Learn more about impending regulations and how Lacework can help in our Compliance with SEC cybersecurity guidance solution brief.

 

 

 

Tim Chase, Global Field CISO at Lacework, is an experienced professional speaker, author, ethical hacker, virtual learning instructor, and certified application security engineer. He has successfully built robust security programs with his strong ability to manage security and risks and develop security systems and standards to meet the needs of growing organizations.