While the threat landscape moves at a sometimes dizzying speed, some parts of the cyber-sphere have been ossified for decades. One is the gap in agility between threat actors and those tasked with defending networks and tackling cybercrime. Another is the apparent inability of market forces to raise baseline security on their own. Challenges this persistent require major shifts in government policy to overcome.
That’s why many commentators are cautiously optimistic about the long-awaited National Cybersecurity Strategy recently published by the White House. While the text is wide-ranging and the implications far-reaching, it’s easy to see enhanced data protection as a key step on the journey.
What it says
The strategy document broadly builds on President Biden’s Executive Order 14028 of May 2021. In so doing, it offers five key pillars for consideration. They promise to:
- Defend critical infrastructure
By expanding baseline cybersecurity requirements and harmonizing regulations to enhance compliance efforts.
- Disrupt and dismantle threat actors
By engaging the private sector, directing a federal ransomware response, and using “all tools of national power” to counter threat actors.
- Shape market forces to improve security and resilience
By promoting the security and privacy of personal data, shifting liability for security risk onto vendors and developers, and ensuring federal grants only go to secure and resilient infrastructure.
- Invest in resilience
By reducing systemic technical vulnerabilities across the digital ecosystem, prioritizing security R&D, and developing a robust cyber workforce.
- Forge international partnerships
By increasing countries’ cyber-defense capabilities, and working with global partners to enhance supply chain security.
Why data security matters
Although the strategy does not mention data-centric security by name (the nearest it comes is a plan to prioritize the transition to post-quantum cryptography as part of its security R&D efforts), the idea runs throughout the document. It must surely play a major role in improving the security of critical infrastructure organizations, where stolen data could give attackers an advantage in probing for weaknesses and extorting providers. Encryption is already listed as a baseline security measure for the entities covered by the EU’s new NIS 2 Directive, agreed last year.
It is also likely to be a key consideration in the issuing of federal grants for infrastructure. What better way to incentivize better security than by mandating strong data encryption as a baseline requirement for government funding?
But perhaps the strongest link between data-centric security and the new National Cybersecurity Strategy is in the latter’s promise to promote “privacy and the security of personal data.” This pillar of the strategy identifies some key strategic objectives including:
- Holding “the stewards of our data” accountable
- Supporting legislation that provides “strong protections for sensitive data like geolocation and health information”
- Legislating for national standards for securing personal data, which align with NIST standards and guidelines
While such legislation is far from assured given the divided nature of Congress, it shows a clear direction of travel, and builds on that 2021 Executive Order, which directed federal civilian agencies to adopt encryption for data at rest and in transit.
Yet it’s not just important to secure sensitive data. It’s also vital that government agencies, critical infrastructure providers and other businesses are able to use that data to generate insight and make better strategic decisions.
That’s why comforte offers data-centric security technologies like tokenization and format-preserving encryption (FPE) that apply strong protection to data without impacting its utility. That’s the way to reduce breach risks whilst driving innovation and growth.
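To make the “protection without losing utility” point concrete, here is a small added example of format-preserving, vault-based tokenization of a card number. It is illustrative code written for this post, not comforte’s product or any standard library API; the column layout (keep the six-digit BIN and the last four in the clear, replace the rest with random digits) and the test card number are constructed assumptions. The token keeps the length, character class, BIN, last four and a valid Luhn check digit, so a downstream system that validates or reports on the field keeps working, while the real value exists only inside the vault.

```python
import secrets

# Hypothetical layout: BIN and last four stay in the clear, the middle is replaced.
KEEP_LEADING = 6
KEEP_TRAILING = 4


def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10 over a digit string; 0 means the string passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True for a well-formed PAN: 13-19 digits with a correct check digit."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_checksum(pan) == 0


def mask(pan: str) -> str:
    """Display form (e.g. 411111******1111), for comparison with a token."""
    hidden = len(pan) - KEEP_LEADING - KEEP_TRAILING
    return pan[:KEEP_LEADING] + "*" * hidden + pan[-KEEP_TRAILING:]


class TokenVault:
    """Random-token vault: the only link between a token and its PAN is this table."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def _random_token(self, pan: str) -> str:
        head, tail = pan[:KEEP_LEADING], pan[-KEEP_TRAILING:]
        middle_len = len(pan) - KEEP_LEADING - KEEP_TRAILING
        while True:
            # All but one middle digit are random; the remaining one is chosen so the
            # whole token still passes Luhn (a single digit at any position can fix
            # the sum, because both Luhn weightings map 0-9 onto 0-9 bijectively).
            body = "".join(secrets.choice("0123456789") for _ in range(middle_len - 1))
            for fix in "0123456789":
                token = head + body + fix + tail
                if (luhn_valid(token) and token != pan
                        and token not in self._pan_by_token
                        and token not in self._token_by_pan):
                    return token

    def tokenize(self, pan: str) -> str:
        """Return the stable token for a PAN, minting one on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:
            token = self._random_token(pan)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault, a tightly controlled component, can reverse a token."""
        return self._pan_by_token[token]  # KeyError for a token we never issued


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number that passes Luhn
    tok = vault.tokenize(pan)
    print(mask(pan), "->", tok, "| luhn ok:", luhn_valid(tok))
    assert vault.detokenize(tok) == pan
```

Because the replaced digits are drawn from a secure random source rather than derived from the PAN, the token reveals nothing beyond the fields deliberately left in the clear, and a token database is worthless without the vault. Format-preserving encryption (the other technique the paragraph names) achieves the same shape-preserving result without a lookup table, by encrypting the value under a key into another value of the same format; it is not shown here because a correct implementation of a standard FPE mode is considerably longer than this illustration.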
Global organizations could save millions by reducing breach costs, replacing legacy security and simplifying their environments in this way. And in so doing, they’ll be aligning themselves with a vision for the future of cyber-risk management set out at the highest level of government.