In March 2023, the White House released a new version of the National Cybersecurity Strategy, in May, the Department of Defense submitted the U.S. Department of Defense Cyber Strategy to Congress, in July, the White House released the National Cybersecurity Strategy Implementation Plan, and in August, New York State released its first New York State Cybersecurity Strategy (hereinafter referred to as the "State Strategy"). The U.S. has intensively released a cybersecurity strategy document, emphasizing the strengthening of policy guidance at the national, federal and state levels to enhance cyber resilience and improve cybersecurity.
Background to the release of the policy
The United States believes that the world is entering a new phase of increasing reliance on digitalization, making software and systems more complex and vulnerable to cyberattacks, which will trigger a wider range of malicious cyber behaviors and increase cybersecurity systemic risks.
Emerging technologies increase cybersecurity risks. With the rapid development of emerging network technologies, the Internet, software, and systems are becoming more and more complex. The Internet can connect individuals, businesses, communities, and countries, and expand the scale of international exchange. While global connectivity creates value for U.S. businesses and consumers, it also increases cybersecurity risks for critical systems. Cyberattacks that were originally directed at one organization, industry, or country can quickly spread to other industries and regions, such as Russia's 2020 cyberattack on Ukraine that spread to the United States, causing hundreds of millions of dollars in losses.
Malicious cyber activity continues to proliferate. In recent years, there have been frequent cyber attacks in the United States, including the "Solar Wind" supply chain attack and the "Colonial Pipeline" attack. The Ukraine crisis has led to further spillover of cyber attacks, exposing the U.S. government's office systems and critical infrastructure to more cyber security threats. Foreign offensive hacking tools and services, which were previously in the hands of a few countries, are now widely available, increasing the threat of cybercrime groups.
There are obstacles to the coordination mechanism. The U.S. government believes that the current burden of mitigating cyber risks is too much on the end-user. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, creating a threat to maintaining the nation's cybersecurity. The overall cyber resilience of the United States cannot be dependent on the smallest organizations, and the most capable and optimal actors should be held accountable for more responsibility for ensuring the security and resilience of the digital ecosystem.
Composition of the policy system
The U.S. cybersecurity policy system includes the state, federal agencies, and state governments. At the national level, the National Cybersecurity Strategy and the National Cybersecurity Strategy Implementation Plan of the White House, the U.S. Department of Defense Cyber Strategy at the federal agency level, and the New York State Cyber Security Strategy at the state government level.
At the national level: National Cyber Security Strategy. In March 2023, the U.S. White House released a new version of the National Cyber Security Strategy (hereinafter referred to as the "National Strategy"). The national strategy clarifies the pillars of the cyber security strategy and coordinates the key tasks at the national level. The first is to strengthen the cyber defense of critical infrastructure. Develop cybersecurity requirements, expand public-private partnerships, integrate the Federal Cyber Security Center, and optimize incident response processes to modernize cyber defenses. The second is to crack down on cyber threats. Combat cybercrime by integrating government capabilities, strengthening public-private collaboration, intelligence sharing, threat detection, and preventing adversaries from misusing infrastructure. The third is to shape market forces. Strengthen accountability based on the federal procurement system, require data managers and software vendors to assume security responsibilities, and explore new ways of cyber security insurance to improve cyber resilience. Fourth, invest in the resilient network of the future. Formulate a policy on cyberspace talents, pay attention to cyber security in the Internet, post-quantum, and clean energy fields, and revitalize the research and development of cyber technology. Fifth, we need to build international partnerships. Build alliances to deepen international cooperation to address threats to the digital ecosystem and secure global supply chains for information technology products and services.
U.S. National Cyber Security Strategy
The national strategy refines the implementation path and promotes the implementation of specific work. The first is to clarify the main body of government responsibility. Propose the National Security Council oversight, the Office of Budget Management coordination, and the Office of the National Cyber Director to develop an implementation plan. The second is to carry out effectiveness evaluation. The federal government is required to comprehensively evaluate the effectiveness of the strategy and report annually to the President and Congress to ensure the effectiveness of follow-up. The third is to draw lessons from cyber incidents. Make it a government priority to learn lessons learned from cyber incidents, and encourage relevant agencies to incorporate the cyber incident review process into the regulatory framework. Fourth, guide investment in cybersecurity. Measures such as the issuance of annual guidelines to ensure consistency in budget proposals across departments and agencies and improve the targeting of long-term investments.
At the national level: National Cyber Security Strategy Implementation Plan. In July 2023, the U.S. White House released the National Cybersecurity Strategy Implementation Plan to improve long-term defenses against major cyberattacks. First, the Cyber Security and Infrastructure Security Agency will coordinate public-private partnerships to drive the development and adoption of security technologies. Second, the Department of Defense released a new cyber strategy that focuses on the challenges posed by malicious actors to address potential strategic-level threats. Third, the Department of Justice coordinated with the intelligence community to spearhead the development of "a series of options" to deal with sabotage by cybercriminals and state adversaries. Fourth, it is necessary to reduce the cybersecurity responsibilities of citizens, shift the burden from ordinary citizens to entities with more cybersecurity capabilities, and incentivize long-term investment in cybersecurity. Fifth, the Department of Homeland Security is leading the process of updating the National Cyber Incident Response Plan, requiring the Department of Homeland Security and the FBI to work together to stop ransomware attacks and provide response plans for high-risk targets such as hospitals and schools. Sixth, we should pay extensive attention to the issue of cybersecurity talents.
At the federal agency level: Department of Defense Cyber Strategy. In May 2023, the U.S. Department of Defense submitted a classified version of the U.S. Department of Defense Cyber Strategy (hereinafter referred to as the "National Defense Strategy") to Congress. According to the Strategic Fact Sheet, the National Defense Strategy proposes three guiding principles in the cyber domain: First, the US military will maximize its cyber capabilities to support integrated deterrence and coordinate cyberspace operations with other countries; second, the US military will conduct operations in and through cyberspace in low-armed conflict situations to strengthen deterrence and defeat adversaries; and third, the United States will unite global allies and partners to consolidate and strengthen its superiority in the cyber domain.
In addition, the National Defense Strategy highlights the long-standing cyber threats faced by the U.S. government and the Department of Defense, mainly from competing countries, extremist organizations, and transnational criminal organizations, and proposes four countermeasures: First, defend the country. The U.S. military will conduct operations that leverage cyber capabilities to gain insight into malicious cyber actors, conduct "forward defenses" to disrupt and degrade the capabilities and support ecosystems of these actors, and work with interagency partners to strengthen the cyber resilience of U.S. critical infrastructure and counter readiness threats. The second is to prepare to fight and win the war. The U.S. military will ensure the cyber security of military information networks as well as the cyber resilience of the joint forces, and will use cyberspace operations to generate asymmetric advantages to support the plans and operations of the joint forces. The third is to work with allies and partners to protect cyber domains. The U.S. military will assist allies and partners in building their cyber capabilities and capabilities, expand potential avenues for cyber cooperation, continue "hunt ahead" operations, and strengthen responsible state behavior by encouraging compliance with international law and internationally recognized norms in cyberspace. Fourth, we need to build lasting superiority in cyberspace. The U.S. military will optimize the organization, training, and equipment of cyber combat units and active cyber forces, and will invest in the enablers of cyberspace operations, including intelligence, science and technology, cybersecurity, and culture.
New York State Cybersecurity Strategy
State level: New York State Cybersecurity Strategy. In August 2023, the U.S. state of New York unveiled its first state strategy and appointed its first chief cyber officer. The State Strategy sets out three visions for cybersecurity: integrated management to strengthen the management of cyber information, tools, and services so that cyber defenses can reach all entities, cyber resilience to better protect the security of critical facilities in New York State by expanding the scope of cybersecurity regulations, requirements, and recommendations, and good preparedness to provide broad advice and guidance to ensure citizen cybersecurity. The State Strategy proposes five strategic pillars: building a secure and resilient government network to ensure that the New York State government network is designed in accordance with modern security principles, and strengthening engagement with stakeholders (e.g., local governments, private companies, partners, non-profit organizations, etc.) to provide cybersecurity services such as endpoint detection and response, third, to regulate critical industries and ensure that the services provided by infrastructure owners and operators in critical industries meet minimum security standards, fourth, to promote citizen participation in cybersecurity, emphasizing the importance of the individual in cybersecurity, and fifth, to develop a cybersecurity workforce and build a cybersecurity talent pool in New York State to increase the attractiveness of New York State to cyber talent.
In addition, the state strategy calls for the establishment of an industrial control system network assessment team to assist the New York State Department of Homeland Security in cyber incident response efforts. The state strategy calls for $500 million to improve health care information technology and cybersecurity infrastructure across the state through the state health care technology capital grant program, as well as an increase in the New York State cybersecurity budget to fund the expansion of shared services programs at the county and local levels.
A few points of understanding
There has been a fundamental shift in the positioning of China as the "biggest threat" to cybersecurity. The U.S. National Strategy describes China as "the most extensive, active, and persistent threat to the U.S. government and private sector, and China is the only country that has both the intent to reshape the international order and the increasing use of economic, diplomatic, military, and technological means to advance that intent." In the 2018 version of the strategy, the United States sees Russia, China, Iran, and North Korea as "long-term competitors" that pose challenges, but only emphasizes that China can pose challenges to the United States in cyberspace and emerging technologies. The comparison between the old and new strategies reflects a fundamental change in the Biden administration's positioning towards China in the field of cybersecurity, and China has officially changed from a "competitor" to the "biggest threat".
The US military will ensure the cybersecurity of military information networks, as well as the cyber resilience of the joint forces
Emphasizing the decentralization of federal agency responsibilities and giving suppliers more responsibility for cybersecurity. In its national strategy and national defense strategy in the field of cyberspace, the United States has repeatedly mentioned keywords such as "regulation" and "coordination" to clarify the responsibilities of federal government agencies. The first is to authorize the Department of National Defense's Cyber and Infrastructure Security Agency to protect the federal civil administration system and lead the updating of the cyber incident response plan, the second is to coordinate the participation of the Ministry of Finance, the Ministry of Justice, and the Secret Service in the investigation of extortion attacks to combat cybercrime, and the third is to coordinate the transportation security administration, the Environmental Protection Agency, and other departments to participate in cybersecurity efforts in key areas such as energy, aviation, and railways. At the same time, the U.S. cybersecurity policy system has reshaped the U.S. cyber social contract and adjusted the main body of cyber security responsibility. The policy system requires a rebalancing of cybersecurity responsibilities from individuals, small businesses, and state governments to large vendors with the necessary resources and expertise to better ensure cybersecurity.
Pay attention to long-term capital guidance, consolidate and expand the advantages of network technology. The U.S. cyber policy system revolves around "one system, two subjects, and three fields" to reconstruct the long-term investment mechanism for network technology. The first is to strengthen U.S. cybersecurity resilience and defensive investment with the goal of building a "digital ecosystem"; the second is to strengthen public-private cooperation and optimize the structure of cybersecurity investment with "government agencies and the private sector" as the main coordinating body; and the third is to increase investment in cybersecurity technology research and development in key areas such as "computing technology, biomanufacturing technology, and clean energy technology" to ensure the leadership of U.S. cyber technology.
Compared with the past, the Biden administration's cyber policy system proposes more comprehensive and specific measures
Protecting critical infrastructure is a priority for U.S. cybersecurity. The U.S. cyber policy system puts the protection of critical infrastructure cyber security in the first place, and proposes various measures to protect critical infrastructure from the aspects of policy formulation, public-private cooperation, capability integration, and incident response. The first is to improve the cybersecurity regulations for critical infrastructure, the second is to expand public-private cooperation to promote cyber defenders to protect critical infrastructure simultaneously, the third is to integrate the federal cyber security center to promote intergovernmental coordination, and the fourth is to update the cyber incident response plan and strengthen the ability to respond to critical infrastructure security incidents. Compared with the past, the Biden administration's cyber policy system proposes more comprehensive and specific measures, which shows that the federal government attaches great importance to the cybersecurity of critical infrastructure and urgently needs to restore the confidence of the American people in the cybersecurity of critical infrastructure.
Disclaimer: This article is transferred from Military Digest, the original authors are Fan Wei, Liu Yongyan, etc. The content of the article is the original author's personal point of view, and this official account is compiled/reprinted only to share and convey different views, if you have any objections, please contact us!
Transferred from丨Military Digest
Author丨Fan Wei, Liu Yongyan, etc
About the Institute
Founded in November 1985, the International Institute of Technology and Economics (IITE) is a non-profit research institute affiliated to the Development Research Center of the State Council, whose main functions are to study major policy, strategic and forward-looking issues in the economic, scientific and technological and social development of the mainland, track and analyze the development trend of the world's science and technology and economic development, and provide decision-making consulting services for the central government and relevant ministries and commissions. The "Global Technology Map" is the official WeChat account of the International Institute of Technology and Economics, which is dedicated to conveying cutting-edge technology information and technological innovation insights to the public.
Address: Block A, Building 20, Xiaonanzhuang, Haidian District, Beijing
Phone: 010-82635522
WeChat: iite_er