What's new in cyber security?
March saw the release of the White House's much-anticipated 2023 National Cyber Security Strategy. While full of previously unseen data essential to businesses, the report also presents new advances to executive orders, cyber security standards, law enforcement, and international standards previously under development.
Furthering past administrations’ efforts, the new National Cyber Security Strategy reveals two significant shifts in how the U.S. government plans to allocate roles, responsibilities, and resources in cyber space:
- The strategy aims to “rebalance the responsibility for cyber security to be more effective and equitable,” encouraging business owners and operators to place those “most capable” of creating a secure U.S. digital ecosystem in charge of infrastructures.
- It focuses on building a more robust digital ecosystem based on more concrete collaborative efforts with domestic and international allies. And while these agencies will have a significant role in maintaining digital safety, the strategy suggests the private sector may have a bigger part in managing technology vulnerabilities.
So, what did the report say? Below we present a comprehensive but swift summary of the new strategy by focusing on its five distinct pillars.
Pillar I: Defend your critical infrastructure
To manage and avert future threats, Pillar I addresses establishing cyber security requirements for national security/public safety. And while attempting to regulate mandates and roles has always been a contentious subject between the public and private sectors, the strategy presents the urgency for collaboration, stating…
“Combining organizational collaboration and technology-enabled connectivity will create a trust-based “network of networks” that builds situational awareness and drives collective and synchronized action among cyber defenders that protect our critical infrastructure.”
Pillar I also outlines the objectives needed to update incident response plans and how agencies must create cyber security standards for specific sectors, including agriculture, government facilities, and essential manufacturing such as vaccines and pharmaceuticals.
Its final objective focuses on modernizing federal defenses using a zero-trust security model that removes implicit trust to help keep data safe. Zero trust typically uses multi-factor authentication, data/app encryption, authentication and access management, clarity on vulnerabilities, advances in cloud security, and upgrading legacy systems.
Note: The previous Executive Order 14028 on Improving the Nation’s Cyber Security drove the federal government to look closer at zero trust. An order from the Office of Management and Budget followed six months later, setting national zero trust standards that agencies must complete by the end of the 2024 fiscal year.
Pillar II: Disrupt & dismantle threat actors
With cyber-attacks evolving and the White House elevating ransomware to a national security issue, Pillar II opens by declaring, “The U.S. will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.” It then outlines the intention to create “more sustained and effective disruption of adversaries.” To achieve these goals, the second pillar focuses on five distinct objectives.
Objective 1: Discusses integrating further federal disruption activities. To improve the volume and speed of these activities, the plan demands the federal government develop more solutions that “enable continuous, coordinated operations.”
Objective 2: Attempts to build better public-to-private collaboration to disrupt adversaries. The strategy recognizes that the private sector has broader visibility into threat activity than the Federal Government, and this recognition helps create more routine collaboration between the public and private sectors through different methods (e.g., virtual platforms that allow bidirectional data sharing to prevent threats).
Objective 3: Increases the speed and scale of cyber threat intelligence sharing and victim notification. Here officials note that while open-source and private-sector intel have raised awareness of cyber threats, the intelligence only the government can access remains “invaluable.” Additionally, federal agencies will develop processes to facilitate more secure, clearer cyber threat intelligence sharing, including techniques for the private sector to pass along feedback and threat intelligence safely.
Objective 4: Addresses how cyber actors exploit U.S. infrastructures, such as the cloud, and recognizes the urgency for federal agencies to collaborate with cloud and internet suppliers to “identify malicious use of U.S.-based infrastructure,” making it easier to report attacks.
Objective 5: Concentrates on countering cybercrime and conquering ransomware by stating the U.S. will “employ all elements of national power” along specific effort lines:
- “Leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals,
- investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors,
- bolstering critical infrastructure resilience to withstand ransomware attacks, and
- addressing abuse of virtual currency to launder ransom payments.”
This objective strongly suggests the importance of international collaboration. It references its international outreach, the Counter Ransomware Initiative, and approaches to defeating ransomware on the financial front, including illicit cryptocurrency exchanges.
Pillar III: Design market forces that drive security and resilience
Pillar III highlights the country’s efforts to define market forces/alliances while placing accountability on those “best positioned to reduce risk” and is defined through six objectives...
Objective 1: Starts by suggesting that data managers should be accountable for data governance and acknowledges a need for privacy-focused legislation. The National Institute of Standards and Technology guidelines were also showcased, with intentions to define clear limits on collecting, using, transferring, and maintaining sensitive data.
Objective 2: Pushes for developing security for Internet of Things (IoT) devices, specifically through federal research and development and risk management efforts, as mentioned in the IoT Cyber Security Improvement Act. This act follows the Executive Order on Improving the Nation’s Cyber Security, which advocates advancing IoT security.
Objective 3: Shifts responsibility for insecure software and services onto organizations failing to take precautions to update and secure their infrastructure. This objective also references critical actions, including exposing vulnerabilities via finders, coordinating information sharing between relevant stakeholders, and disclosing software vulnerabilities to various stakeholders and the public.
Objective 4: Focuses on federal grants and other incentives to build security. This objective strives to invest in designing, developing, fielding, and maintaining infrastructures with layers of cyber security. It acknowledges the demand for federal government collaboration with state/local agencies and industries in the private sector to balance cyber security requirements.
Objective 5: Strives to hold organizations accountable for their digital infrastructure by focusing on federal procurement. This builds on the previous Executive Order on Improving the Nation’s Cyber Security, requiring the U.S. government to buy only securely developed software.
Objective 6: Reports that “in the event of a disastrous cyber incident, the Federal Government would stabilize the economy and aid recovery” and that preparing that response “could provide certainty to markets and make the nation more resilient.”
Pillar IV: Invest in a resilient future
When investigating and investing in the security of our digital landscape, the administration takes a comprehensive approach to identify the need to invest in past, present, and future technology. Pillar IV covers a range of issues, including addressing vulnerable blind spots, developing a digital identity ecosystem, and preparing for our post-quantum future.
Objective 1: Spotlights the secure technical foundation needed for the internet. The approach includes identifying urgent risks while working with the private sector to reduce hazards without interrupting platforms and services.
Objective 2: Acknowledges the government’s role in the research and development of “defensible and resilient architectures.” Here it notes three “essential families” of technologies:
- Computing-related technologies
- Biotechnologies and biomanufacturing
- Clean energy
To achieve this goal, the administration will work to regularly revise the Federal Cyber Security Research and Development Strategic Plan.
Objective 3: Prepares us for the post-quantum future. Post-quantum (or quantum-proof, quantum-safe, and quantum-resistant) refers to cryptographic algorithms (often public-key algorithms) that are considered secure against a cryptanalytic attack by a quantum computer. Here the administration outlines how it intends to prioritize and accelerate investments in the widespread replacement of hardware, software, and services a quantum attack can impact.
Objective 4: Seeks to secure a new clean energy infrastructure for interconnected systems. The administration will continue implementing the National Cyber-Informed Engineering Strategy, which Congress mandated in the National Defense Authorization Act for Fiscal Year 2020.
The administration also outlined plans for coordinating with various stakeholders to create a “secure, interoperable network of electric vehicle chargers, zero-emission fueling infrastructure, and zero-emission transit and school buses.” The leading player here will be the Department of Energy.
Objective 5: Declares that “strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth” must be deployed. It adds that outdated, insecure technology solutions have for too long enabled criminal activity and other risks.
Objective 6: Focuses on developing the cyber workforce. It builds on past initiatives like the CyberCorps Scholarships, which support three years of cyber security training so recipients can work for the government, including the National Initiative for Cyber Security Education Framework, which provides tools and resources for businesses to better understand cyber security strategies.
Pillar V: Build international partnerships to pursue shared goals
The fifth and final pillar of the new strategy aims to reclaim the digital landscape and “thwart the dark vision for the future of the Internet.” Here the administration presents five strategic objectives, which focus on strengthening common approaches and countering global threats.
Objective 1: Addresses the need to build coalitions to deter threats to our digital ecosystem. Reinforcing international partnerships has been a priority over the past few years.
Objectives 2 & 3: Intend to strengthen international partnerships to secure critical infrastructure networks, develop incident detection/response capabilities, share cyber threat intel, and achieve diplomatic effectiveness by supporting shared interests in cyberspace and reinforcing responsible behavior norms.
Objective 4: Plans to adopt a "renewed, active diplomacy," including coordinated efforts to identify threat actors and support digital accountability.
Objective 5: Discusses dependence on foreign suppliers for information, communications, and operational technology products and services in a time of competition—particularly in China—as it raises questions about the trustworthiness of certain products and services.
The final objective of the report also incorporates the National Strategy to Secure 5G and the affiliated plans to secure the supply chain for 5G and next-generation wireless networks. These measures push for more technology to be developed within our borders or in close coordination with allies.
Conclusion
The U.S. has encountered significant new cyber security threats, raising alarms about the vulnerability of our national infrastructure. In response, the U.S. government has recognized and prioritized these attacks while acknowledging that “secure, functioning, and resilient” technology is vital to economic prosperity and security. The White House's new 2023 cyber strategy presents 5 pillars it believes will be instrumental to defending critical infrastructure while improving collaborative practices with other relevant stakeholders and making its systems more resilient.