The US government has released its National Cybersecurity Strategy, which includes plans to use mandatory regulation to ensure critical infrastructure vendors adopt secure-by-design principles and prioritize essential services.
The government will also encourage the adoption of sound cybersecurity practices, with entities urged to exceed the minimum requirements defined by regulation.
The strategy is divided into five pillars: Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals.
The document also authorizes law enforcement and intelligence agencies to “disrupt and dismantle threat actors” with a more aggressive ‘hack-back’ approach to deal with foreign adversaries and ransomware actors.
The strategy aims to disrupt hostile networks preemptively by authorizing US defense, intelligence, and law enforcement agencies to hack into the computer networks of criminals and foreign governments.
It discourages the payment of data-extortion ransoms to cybercriminals and plans to reduce the potential for profit by making malicious actors incapable of mounting sustained cyber-enabled campaigns that threaten the national security or public safety of the US.
The government will work with cloud and other internet infrastructure providers to identify malicious use of US-based infrastructure, share reports of malicious use, and make it more difficult for malicious actors to access these resources.
The federal government is also exploring a federal cyber insurance backstop to provide stability to the economy during catastrophic events or major crises. Private companies will be full partners in issuing early warnings and helping to repel cyberattacks.
The strategy document assigns the work to the FBI’s National Cyber Investigative Joint Task Force working in tandem with all relevant US agencies. The government plans to use existing authorities to set “necessary cybersecurity requirements in critical sectors” and work with Congress to close any legal gaps around authority.