As digitization and the shift to the cloud gain momentum, regulation is trying to catch up with their accelerated pace, especially after the pandemic, which highlighted the increasingly critical nature of the digital and cloud ecosystem and the massive impact and cost of cyber incidents such as the SolarWinds hack.
The US government has taken significant steps to address cybersecurity concerns. In 2018, the Trump administration issued an executive order to improve the cybersecurity of federal networks and critical infrastructure. In 2019, the Cyberspace Solarium Commission, a bipartisan congressional commission, released a report with 75 recommendations for improving cybersecurity in the United States.
Now, the National Cybersecurity Strategy (NCS) is the latest in a series of regulatory steps to spur concentrated and collective public and private defensive and offensive efforts to safeguard the growing digital attack surface and make cybersecurity more pervasive across industries. In addition to urging software developers and businesses to assume greater accountability for securing their systems against hacking, the strategy also aims to intensify collaboration with the Federal Bureau of Investigation and the Defense Department in thwarting the operations of hackers and ransomware organizations across the globe.
Overview of the Cyber Threat Landscape in the US
The US is the biggest victim of cyberattacks across the globe. With 46% of all cyberattacks in the world aimed at Americans, the United States continues to be the most frequently attacked nation. While the global average cost of a ransomware attack was over $4.5 million, the cost in the US was $9.4 million in 2022, over 2x higher, per IBM.
Key statistics around cybersecurity in the US are as follows:
- Nearly 80% of cyber attackers, according to Microsoft, chose to target governmental institutions, think tanks, and other non-governmental entities
- Additionally, according to Microsoft, 58% of cyberattacks in the USA have Russian origins
- In the first half of 2022, phishing attacks rose by 48%, with reports of 11,395 incidents costing companies a total of $12.3 million
- In 2022, ransomware assaults increased by 41%, and it took 49 more days than usual to identify and fix a breach
The shift to cloud-native software development has been a key reason for the rise in the complexity and surface area of cyber threats, as well as the surge in reported incidents in the last two years. Instead of monolithic applications residing in a single codebase, cloud-based development built on a microservices architecture – a modular aggregation of loosely coupled, independent functional units and software components coming from multiple sources – magnifies the risk potential, since each component and its supplier adds to the attack surface. Accordingly, cybersecurity strategy and regulatory policy must continue to evolve, with new regulations looking both to supplement previous legislation and to address its gaps.
Figure 1: Cloud Native vs. Monolithic Application
Source: SparkFabrik
Against this backdrop, the NCS is a much-needed step. The latest regulation proposes three policies that could fundamentally alter the cybersecurity space.
Firstly, the NCS proposes to shift the responsibility of securing cyberspace away from the users (individuals, enterprises, and governments) to the software vendors. This is a paradigm shift that aligns the interests of both clients and security vendors, in contrast to the earlier approach, where cybersecurity companies avoided all responsibility for any cyber incident that might occur via disclaimers in license agreements. The NCS seeks to make cybersecurity firms accountable for the vulnerabilities/deficiencies in their product that may lead to a breach/hack, which they have so far managed to evade.
“Right now, we have a regime where the costs of liability are borne by the end user. This isn’t just unfair, it's ineffective.” – Kemba Walden, Acting National Cyber Director.
“Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers. This is, however, comparable to carmakers complaining about “unnecessarily expensive” airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.” – Ilia Kolochenko, Founder & CEO, ImmuniWeb.
Secondly, the strategy proposes to bring in a sector-specific regulatory framework to ensure mandatory cybersecurity requirements for all industries.
Another key concept, “defend-forward,” adopted as a strategy in the NCS, seeks to address the growing use of state-backed rogue agencies to target critical infrastructure in the US or its allies and partners. It proposes a collaborative geopolitical approach, leveraging diplomatic tools and economic sanctions to curb ransomware. There is a strong focus on reinforcing the stipulation in Executive Order 14028 (May 2021) that mandates the adoption of “Zero Trust Architectures.” The government has doubled down on making the Zero-Trust approach a prerequisite for the procurement of cybersecurity products or services by federal agencies from vendors. The move will benefit both established and a slew of emerging companies, including CrowdStrike, Palo Alto, Cloudflare, Zscaler, Okta, Cisco, Forcepoint, Illumio, Perimeter 81, and Twingate.
Figure 2: Zero Trust Security Framework
Source: Gartner
While the NCS could pave the way for a targeted and highly effective regulatory framework for defending the digital ecosystem, its implementation would be crucial. That said, the focus on long-term investment for developing cutting-edge and innovative technologies to stay ahead of the rapidly evolving threat landscape will spur the startup cyber and cloud security space in the US, making it an attractive private investment target.
With a presence in New York, San Francisco, Austin, Seattle, Toronto, London, Zurich, Pune, Bengaluru, and Hyderabad, SG Analytics, a pioneer in Research and Analytics, offers tailor-made services to enterprises worldwide.
Partner of choice for lower middle market-focused Investment Banks and Private Equity firms, SG Analytics provides offshore analysts to support across the deal life cycle. Our complimentary access to a full back-office research ecosystem (database access, graphics team, sector & domain experts, and technology-driven automation of tactical processes) positions our clients to win more deal mandates and execute these deals in the most efficient manner.