The Internet continues to connect individuals, businesses, communities, and countries on shared platforms that enable scaled business solutions and international exchange. But this accelerating global interconnectivity also introduces risks. An attack on one organization, sector, or state can rapidly spill over to other sectors and regions, as happened during Russia’s 2017 “NotPetya” cyberattack on Ukraine, which spread across Europe, Asia, and the Americas, causing billions of dollars in damage. The potential cost of attacks like this will only grow as interdependencies increase.
National Cybersecurity Strategy
It comes as no real surprise that the threat of cyberattacks on public and private sector organizations continues to increase in both prevalence and sophistication. This trend has been ongoing for decades, and it is no longer a question of ‘if’ an organization will be attacked and suffer a breach but one of ‘when’ and ‘how bad.’ While this seems rather dire on its face, knowing one will be attacked and potentially suffer a breach can also be empowering, in that such certainty can help facilitate an organization’s shift from the old paradigm of preventative cybersecurity to a new one of cyber resilience.
The U.S. government’s recent foray into the push for cyber resilience in the private sector nominally began with Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, Executive Order (EO) 13636 – Improving Critical Infrastructure Cybersecurity, and the Cybersecurity Enhancement Act of 2014, which formalized publication of the voluntary cybersecurity guidance required under the EO, now widely known as the NIST Cybersecurity Framework.
However, “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, [the U.S. government is of the opinion that] the lack of mandatory requirements has resulted in inadequate and inconsistent [cybersecurity] outcomes.”
To address these issues, the government intends to:
- Use existing statutory authorities to issue new or updated cybersecurity regulations,
- Identify and close gaps in existing statutory authorities to regulate the private sector, and
- Encourage state or independent regulators to use their authorities in “a deliberate and coordinated manner” to support these efforts.