The National Cybersecurity Strategy (NCS) is a U.S. government plan to create a safe and secure digital ecosystem by protecting critical infrastructure—hospitals and clean energy facilities, for example—from cyberthreats, increasing public/private partnerships and collaboration with international coalitions, and bolstering its technology governance. The goal is to ensure that digital infrastructure is easier to defend than attack while making it safe and accessible for all Americans. A key part of the NCS is shoring up privacy efforts by increasing accountability for tech companies and other enterprises that deal with people’s data. This guide highlights what businesses need to know about the plan.
Why does the U.S. Need a National Cybersecurity Strategy?
The risk posed by cybersecurity threats is enormous, and the ramifications of targeted attacks are larger still. At the individual level, data breaches can cause identity theft and loss of income; at the corporate level they can disrupt business continuity, damage reputations, and steal intellectual property; and at the government level, they can cripple agencies, shut down power grids, and cut off communications networks.
The National Cybersecurity Strategy is a government effort to expand public/private partnerships, shore up cybersecurity defenses and alliances, and protect networks, systems, functions, and data while continuing to promote tech innovation. Some of the goals of the plan include the following:
- Simplifying threat reporting
- Creating a first-touch response to cyberattacks
- Developing timelines and execution methods
- Allocating resources and mapping responsible government agencies
- Incentivizing cyber hygiene
- Improving public-private partnership
Recent years have shown an increase in state-sponsored cyberattacks—a 300 percent growth from 2000 to 2022, according to government data. For enterprises, the average financial cost of a ransomware attack is already over $4.5 million, and those attacks are only getting more sophisticated.
What is the National Cybersecurity Strategy?
The NCS is a five-pillar action plan to ramp up cybersecurity efforts and bring all stakeholders together to ensure success. A solid national cybersecurity policy is essential to building on the promise of emerging technologies while minimizing the risks they pose.
Pillar One: Defend Critical Infrastructure
Defending critical infrastructure, including systems and assets, is vital for national security, public safety, and economic prosperity. The NCS will set uniform cybersecurity standards for critical infrastructure—for example, mandatory penetration tests and formal vulnerability scans—and make it easier to report cybersecurity incidents and breaches.
It seeks to label Infrastructure as a Service (IaaS) providers as “critical infrastructure,” putting more of the onus on them to ensure data security and protection and using legal accountability to eliminate insecure software products and unpatched vulnerabilities. It will also implement the zero trust cybersecurity model for federal networks.
Pillar Two: Disrupt and Dismantle Threat Actors
Once the national infrastructure is protected and secured, the NCS will push aggressively to neutralize threat actors that can compromise the cyber economy. This effort will rely upon global cooperation and intelligence-sharing to deal with rampant malicious cyber campaigns and lend support to businesses by using national resources to tactically disrupt adversaries.
Components of this pillar include building awareness about threat actors, ransomware, IP theft, and other malicious attacks and creating a Cyber Safety Review Board (CSRB) to review catastrophic incidents and strategize based on repeated attack patterns. It will also implement new guidelines for already-impacted industries—manufacturing, energy, healthcare, and public sectors, for example—and new software bill-of-materials standards to lower supply chain risks.
Pillar Three: Shape Market Forces to Drive Security and Resilience
As the world’s largest economy, the U.S. has sufficient resources to lead the charge in future-proofing cybersecurity and driving confidence and resilience in the software sector. The goal is to make it possible for private firms to trust the ecosystem, build innovative systems, ensure minimal damage, and provide stability to the market during catastrophic events.
The priority plan under this stage includes efforts to protect privacy and personal data security by creating federal grants to encourage investments in secure infrastructure and investing in cyber insurance initiatives to help private firms recover from high-scale attacks. It will also implement an Internet of Things (IoT) security labeling program to improve consumer awareness of IoT device risks.
Pillar Four: Invest in a Resilient Future
To aggressively combine innovation with security and forge an impregnable shield against the growing number of cybercrimes, the government has earmarked funds to secure next-generation technology while ensuring necessary tech transfer and information dissemination between private and public sectors. The NCS will place special emphasis on data discovery, protection architecture, and encryption in all government-to-business communications.
This pillar also includes cybersecurity apprenticeships and a National Cyber Forensics and Training Alliance to train the workforce and improve cyber literacy, and the deployment of a unique digital identity authentication to thwart phishing attacks and create a trusted digital identity framework (TDIF).
Pillar Five: Forge International Partnerships to Pursue Shared Goals
Global leaders are learning that cyber diplomacy is the most promising strategy for turning adversaries into allies. With pillar five, the government will commit to continue global initiatives against digital warfare and build a trust surplus among allies.
Among the ways it hopes to accomplish this are creating a centralized tracker for coordinating cost-sharing initiatives, creating secure and dependable global supply chains, and strengthening partner nations’ capacities to shield themselves against cyberthreats. It will also establish a threat intelligence infrastructure to collaborate with allies and global agencies.
What Do Businesses Need to Know about the NCS?
Businesses will have to change some of their thinking around cybersecurity under the NCS. It makes the point that voluntary progress toward better cybersecurity and data privacy practices is no longer sufficient, and maybe wasn’t working at all. More than that, the government will implement new standards and regulatory frameworks and shift liability to hold enterprises accountable for not doing their part. It will also incentivize cybersecurity best practices.
Here are the three main actions businesses will be pushed to take by the NCS:
- Identify and minimize vulnerabilities by taking proactive measures to test and secure their threat landscape and holding partners and third-party vendors to similar cybersecurity standards.
- Address supply chain vulnerabilities by sharing information through new public/private partnerships, patching known vulnerabilities, providing employee cybersecurity training, and designing critical incident response plans.
- Put cybersecurity front-of-mind when developing software, processes, products, and networks to protect privacy and data—the NCS makes it clear that it expects businesses to take on more responsibility and will seek to enforce it.
Bottom Line: Enterprise Changes in the NCS
The National Cybersecurity Strategy is the U.S. government’s first cybersecurity initiative in 15 years. As such, it’s a living document, an ever-evolving blueprint to build cyber-resilience and protect the U.S. and its allies from threats. More than just filling gaps, it ambitiously seeks to pave the way to a strong, equitable, and inclusive cyber future. Businesses of all sizes will have to play a role in its rollout and will be essential to its success, but it targets enterprises especially—the stakes are higher, the resources are more plentiful, and their responses have the potential to serve as frameworks and best practices for smaller businesses to follow.