Carter Hendrick
Old Dominion University School of Cybersecurity
CYSE 425W: Cyber Strategy and Policy
Teresa Duvall
11/5/2024
Analysis of the National Cybersecurity Strategy 2023
The National Cybersecurity Strategy of March 2023 is a very important step for America, especially the first pillar of the plan. This strategy will effectively help America regain its equality in the digital age on a foundational level, in a way that will reduce threats coming from both internal and external sources. It focuses on rebuilding America's information technology foundations and investing in future technologies to further advance the country’s cybersecurity, while also ensuring that those with the capabilities to keep citizens safe from cybersecurity attacks are incentivized to do so. This will keep the brunt of attacks off the common people and instead filter it through those with better defenses.
Overview of the National Cybersecurity Strategy
The National Cybersecurity Strategy of March 2023 makes many needed changes so that America can keep up with modern cyber threats. It plans to reconfigure, update, and streamline the policies and processes used to protect everyone in America. This starts with the government leading by example and setting parameters that need to be followed based on what level of security is deemed necessary. The idea is to set a minimum level of security that must be followed and then give businesses, now already secure, the option to increase their own security afterwards. Many companies try to reduce costs by not always following these kinds of procedures; however, there is a plan in place for a policy that incentivizes companies to stay up to date on security parameters and stay secure. The strategy outlines and clarifies the roles and responsibilities of the government and its partners. The strategy goes as far as to push for efforts to collaborate with our allies like Australia, the United Kingdom, and 60 other countries to create a safe cyberspace that everyone can navigate without stress.
The Possible Effects of this Strategy
Although not the first cyber strategy employed by the United States, the March 2023 release is very detailed and takes many things into consideration, although not everything. According to an article released by the Government Accountability Office (GAO), the March 2023 strategy does not go into detail about outcome-oriented goals for the strategy. This means that “federal cybersecurity leaders do not have a comprehensive way to assess or ensure that their efforts are accomplishing greater cybersecurity” (GAO). This could be a dangerous development because, even though everything sounds good on paper, it could lead to weaknesses that are unknown. To remedy this, penetration testing at all levels, from the lowest to the highest, should be implemented. Testing our systems and policies with our own offensive teams can lead to both better defense and better offense. Cyber offense is discussed in pillar two of the March 2023 strategy, although under the name of disruption of cyber threats.
Pillar two: Dismantle and Disrupt Threat Actors
Pillar two could initially be the most important focus of the strategy while America rebuilds its foundations and defenses. An article published by the World Economic Forum stated that in 2022 a ransomware attack cost 4.5 million USD on average. By letting these attacks happen, America is losing money, which is an important factor in this strategy although not explicitly stated. The plan will not move forward without the funds to create partnerships and combine the efforts of the government and other big companies. Pillar two of the strategy can help keep America's head above water while the strategy is enacted to completion. The strategy calls for disruption campaigns, and many of them. The first step is to combine efforts from the Department of Justice (DOJ) and other federal law enforcement to create a cyberspace in which cybercrime is unprofitable to engage in, essentially making launching a cyberattack more trouble than the attacker's goal is worth. This would most likely lead to disruption campaigns becoming normalized, which would shift certain projects being done at the federal level from secrecy toward becoming more public. Eventually the creation of something like Stuxnet may become more common and more openly spoken of within the country. This also does not stop at the federal level: the strategy states explicitly that it wants to more routinely involve the private sector in federal disruption campaigns due to the sheer scale and innovation within the private sector.
Pillar Two: Infrastructure and Ransomware
The March 2023 strategy also lists actions that will be taken to prevent abuse of America's infrastructure and crack down on ransomware. The infrastructure referred to in this part of the strategy is the cloud, relating to emails and other features used for malicious activities. The American government plans to work with cloud providers to make it easier to report scams and the emails used in scams that were previously unreachable due to foreign interference. The cloud is a primary target used for phishing scams and ransomware, which is high on the priority list of the March 2023 strategy. Many large-scale ransomware attacks come from enemies of America like Russia, North Korea, China, and Iran. The strategy explains that America will work closely with its allies and isolate these nations that harbor cyber criminals. More than thirty countries are already working with America in the Counter-Ransomware Initiative, including a cyber task force led by Australia.
Conclusion
The National Cybersecurity Strategy March 2023 is very detailed and comprehensive. It does lack certain aspects such as how much it will cost or outcome-oriented goals, but it does come with a promise that America will do everything it can to make itself a hub of cyber defense that is known throughout the world. By focusing on elevating its own defense and cyber strategy and working with other nations to isolate potential threat actors, the March 2023 strategy may be the exact thing needed to make America the most defended country, military or otherwise.
Works Cited:
- National Security Council. (2023, March). National Cybersecurity Strategy. https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
- U.S. Government Accountability Office. (2024, July 30). The U.S. now has a national cybersecurity strategy, but is it as strong as it could be? U.S. GAO. https://www.gao.gov/blog/u.s.-now-has-national-cybersecurity-strategy-it-strong-it-could-be
- Joshi, A., & Dobrygowski, D. (2023, March 9). The US has announced its national cybersecurity strategy: Here’s what you need to know. World Economic Forum. https://www.weforum.org/stories/2023/03/us-national-cybersecurity-strategy/