The White House has released a National Cybersecurity Strategy that fundamentally shifts the government’s approach to cybersafety. The strategy, announced by the Biden administration in March, promises big changes for all manufacturers, particularly those in critical infrastructure sectors such as the defense industrial base.
The strategy calls for:
- Increased cyber protection for critical infrastructure that includes requiring, harmonizing, and streamlining cybersecurity regulations;
- Long-term cybersecurity investments including for expansion of the cyber workforce;
- Collaboration at home and abroad to fight cybercrime, including preemptive disruption of criminal networks;
- In what's being called the most notable shift, a transfer of the cybersecurity burden from individuals, small businesses, and local governments to larger organizations, including software makers, which would be held liable for data security issues. As the report notes: "Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance."
The long-awaited strategy arrived as cyberattacks are growing. For the second year in a row, manufacturing was labeled the top extortion target for cybercriminals by the IBM Threat Intelligence report. In 2022, the average cost of a ransomware attack in the U.S. topped $4.5 million, IBM reported.
“Our goal,” the strategy says, “is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
To get there, the policy document outlines five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
All pillars will have some impact on manufacturers, who increasingly rely on digital technologies and networks, said Laura Élan, MxD’s senior director of cybersecurity. But the wide reach of the first pillar means every manufacturer must have defending critical infrastructure on their radar.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors, Élan said. These include health care, the defense industrial base, food and agriculture, wastewater systems, and critical manufacturing, which includes steel mills and aerospace production.
Ransomware attacks continue to target these key sectors, as evidenced by 2021’s Colonial Pipeline and JBS Foods incidents. The Colonial Pipeline attack, which disrupted the U.S. fuel supply, was linked to the theft of a single password.
In supporting its pledge to rebalance the burden of defending U.S. cyberspace, the strategy notes that “a single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”
One strategic objective is establishing cybersecurity frameworks that will help organizations in these sectors — as well as manufacturers in their supply chains — secure their environments, Élan said. In addition to shoring up cybersecurity, she said, “the strategy is also aimed at harmonizing cybersecurity requirements to avoid having disparate systems from multiple government agencies all affecting the same sectors.”
“Another big part of defending critical infrastructure will be the strategy requirement to report attacks, which will enable organizations to know who the bad guys are and the methods that they’re using,” she added. “Bad guys don’t break into hospitals any differently than they break into manufacturing plants.”
Many cyberattacks go unreported. In other cases, organizations share cyberattack data with their sector’s Information Sharing and Analysis Center (ISAC), Élan said. But that information isn’t always distributed more widely, meaning that even when effective new cyberattack methods are identified, other critical infrastructure sectors are unaware of them.
The White House’s focus has now turned to putting its cyber defense blueprint into action. The Biden administration has started an implementation plan that will clarify who’s responsible for doing what, Acting National Cyber Director Kemba Walden told Congress late in March. The Washington Post further reported that other principles of the strategy are in the works under an executive order from 2021, with the government now crafting related workforce and education roadmaps.
Amid those efforts, Élan urged manufacturers to act. At a minimum, she said, manufacturers should assess their organization against the requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, on which the government bases many of its rules.
The best advice, she said, is to get started now.
MxD helps all manufacturers, including those in critical infrastructure sectors, improve their cybersecurity posture. MxD’s Cyber Marketplace offers assessments to help organizations determine their cybersecurity needs and which steps they must take to solidify their defenses.