
The Importance of DDoS Protection Amidst the New White House Cyber Strategy

At the start of March 2023, the Biden-Harris White House administration released its National Cybersecurity Strategy calling for more regulation of vulnerable sectors, such as critical infrastructure, to protect the nation from hacking incidents perpetrated by cybercriminals and foreign governments such as Russia and China. Citing a “new phase of deepening digital dependencies,” and the risks inherent in those interdependencies, the administration put forth a strategy based on five pillars:

  1. Defend critical infrastructure
  2. Disrupt and dismantle threat actors
  3. Shape market forces to drive security and resilience
  4. Invest in a resilient future
  5. Forge international partnerships to pursue shared goals

The administration aims to meet its goals by enhancing public-private sector collaboration and requiring some sectors to set up new regulations that drive cybersecurity practices on a greater scale. The policy states, “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.” 

Acting on behalf of people and small organizations

According to a CNN report, “Acting National Cyber Director Kemba Walden said that too often small businesses and local governments bear the brunt of cyberattacks.” The White House policy places more of the burden of cybersecurity on software and technology partners, instead of relying primarily on individuals, state and local governments, and small businesses to prevent cyber-attacks. The strategic plan states that “the most capable and best-positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”

At Corero, we understand that the constant evolution of the cyber threat landscape makes it extremely difficult for individuals and small organizations to keep abreast of best practices and cyber defense technologies to prevent or respond to cyber incidents. This applies to many cyber threats, including distributed denial of service (DDoS) attacks, which can disrupt the availability of a website or network by overwhelming it with traffic; any organization or industry that depends on Internet connectivity to conduct its business is vulnerable to such attacks.

Because internet service providers (ISPs) are responsible for routing internet traffic, they are part of the nation’s critical infrastructure. In fact, they are frequently targeted by DDoS attacks because many individuals, government offices, organizations, and businesses depend upon Internet availability to conduct their everyday business or affairs. Corero makes the Internet a safer place and protects individuals and small organizations by enabling ISPs to prevent DDoS attacks at the network edge, with real-time, high-performance, automatic DDoS cyber defense solutions that protect both the ISP’s network and their downstream customers from DDoS attacks. For those organizations that want dedicated DDoS protection, ISPs are increasingly offering subscription-based DDoS protection as a value-add service for a fee, or bundled as part of their connectivity solution. Depending on the type of DDoS mitigation technology an ISP has implemented for its own network, it will typically offer a choice of protective measures, such as traffic filtering and blocking, network capacity management, and advanced threat detection and mitigation techniques.

The policy aims to reduce regulatory burdens

Revealed in 2023, the new cybersecurity policy replaces the previous one from 2018, marking a significant change but not constituting a law. The question now is whether ISPs will have to bolster their safeguards against cyber-attacks. While the answer remains uncertain, the federal government’s regulatory power and billions in contract purchasing power could shape the market. If you’re worried about burdensome regulation, the White House’s latest plan emphasizes minimal disruption. By aligning with existing international standards, in compliance with current law and policy, the plan aims to reduce unique regulatory requirements and harmonization needs. The goal is to eliminate conflicting, redundant, or overly burdensome federal regulations.

Past incidents illustrate potential problems

Cybersecurity is a global problem, and sometimes international politics and law enforcement jurisdictions make it onerous or impossible to catch cybercriminals. DDoS and other cyber-attacks can be launched from anywhere in the world where there is an Internet connection. The impacts on business productivity and consumer safety don’t often make headlines, but the Russia-Ukraine conflict has brought the threats into focus. The vast majority of DDoS attacks are small and sub-saturating, but they still pose a serious risk to service availability and security.

Thus far the United States has not experienced many cyber-attacks that completely overwhelmed critical infrastructure, although the 2021 Colonial Pipeline ransomware attack was noteworthy for its impact and duration. That attack crippled a crucial link for the energy sector, lasted five days, and affected fuel supplies up and down the eastern seaboard of the United States, which impacted consumers, airlines, and numerous other areas of the transportation sector. Noteworthy DDoS attacks include the 2016 attack on Dyn, a domain name service provider, and, more recently, the October 2022 DDoS attacks on airport websites, which were cause for alarm.

Ultimately, the new strategy states that both the federal government and the private sector must share and apply best-in-class technologies and cybersecurity practices to protect their assets. The private marketplace usually leads the way in creating and implementing technologies, but the federal government has a duty to direct, or at least influence, cybersecurity practices, for the sake of economic and national security.