MxD
The White House has released a National Cybersecurity Strategy that fundamentally shifts the government’s approach to cybersafety. The strategy, announced by the Biden administration in March, promises big changes for all manufacturers, particularly those in critical infrastructure sectors such as the defense industrial base.
The strategy calls for:
The long-awaited strategy arrived as cyberattacks are growing. For the second year in a row, manufacturing was labeled the top extortion target for cybercriminals by the IBM Threat Intelligence report. In 2022, the average cost of a ransomware attack in the U.S. topped $4.5 million, IBM reported.
“Our goal,” the strategy says, “is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
To get there, the policy document outlines five pillars:
All pillars will have some impact on manufacturers, who increasingly rely on digital technologies and networks, said Laura Élan, MxD’s senior director of cybersecurity. But the wide reach of the first pillar means every manufacturer must have defending critical infrastructure on their radar.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors, Élan said. These include health care, the defense industrial base, food and agriculture, wastewater systems, and critical manufacturing, which includes steel mills and aerospace production.
Ransomware attacks continue to target these key sectors, as evidenced by 2021’s Colonial Pipeline and JBS Foods incidents. The Colonial Pipeline attack, which disrupted the U.S. fuel supply, was linked to the theft of a single password.
In supporting its pledge to rebalance the burden of defending U.S. cyberspace, the strategy notes that “a single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”
One strategic objective is establishing cybersecurity frameworks that will help organizations in these sectors — as well as manufacturers in their supply chains — secure their environments, Élan said. In addition to shoring up cybersecurity, she said, “the strategy is also aimed at harmonizing cybersecurity requirements to avoid having disparate systems from multiple government agencies all affecting the same sectors.”
“Another big part of defending critical infrastructure will be the strategy requirement to report attacks, which will enable organizations to know who the bad guys are and the methods that they’re using,” she added. “Bad guys don’t break into hospitals any differently than they break into manufacturing plants.”
Many cyberattacks go unreported. In other cases, organizations share cyberattack data with their sector’s Information Sharing and Analysis Center (ISAC), Élan said. But that information isn’t always distributed more widely, meaning that even when effective new cyberattack methods are identified, other critical infrastructure sectors are unaware of them.
The White House’s focus has now turned to putting its cyber defense blueprint into action. The Biden administration has started an implementation plan that will clarify who’s responsible for doing what, Acting National Cyber Director Kemba Walden told Congress late in March. The Washington Post further reported that other principles of the strategy are in the works under an executive order from 2021, with the government now crafting related workforce and education roadmaps.
Amid those efforts, Élan urged manufacturers to act. At a minimum, she said, manufacturers should assess their organization against the requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, upon which the government bases many of its rules.
The best advice, she said, is to get started now.