
How the White House’s New National Cybersecurity Strategy Impacts MSPs


The White House’s new National Cybersecurity Strategy will have a profound impact on many managed services providers (MSPs).

The strategy, released last week, is focused on shifting the burden of defending the country’s cyberspace toward software vendors and service providers and away from individuals, small businesses, and local governments.

"We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us," the White House said.

The plan is centered around five pillars:

  • Defend critical infrastructure;
  • Disrupt and dismantle threat actors;
  • Shape market forces to drive security and resilience;
  • Invest in a resilient future; and
  • Forge international partnerships to pursue shared goals.

The 35-page document provides recommendations on a range of cybersecurity policies and replaces a document issued by the Trump administration in 2018. While certain sections of the document are speculative, such as the suggestion that the federal government should consider creating a government backstop for cyberinsurers, other elements are more specific, such as regulations in critical infrastructure sectors, including healthcare, financial services, and water.

Naming Bad Actors

The strategy seems to have been shaped by major hacking incidents in the first year of the Biden administration that threatened key public services. As CNN points out, “ reflects a widely held belief in the U.S. government that market forces have failed to keep the nation safe from cybercriminals and an array of foreign governments such as Russia and China.”

The new strategy also underlines ransomware as a major threat and stresses how the administration "strongly discourages the payment of ransoms" and will continue targeting ransomware gangs operating from safe havens like Russia, North Korea, and Iran.

The office responsible for coordinating the efforts to implement this new strategy is the Office of National Cyber Director (ONCD), in coordination with the Office of Management and Budget (OMB) and under the oversight of the National Security Council (NSC).

The collected group will provide federal agencies with yearly guidance on cybersecurity budget priorities to ensure goals are achieved and make regular reports on progress.

Potential Impacts on MSPs

The plan reiterates cybersecurity regulations that already exist for highly regulated critical infrastructure sectors like oil and natural gas pipelines, aviation, rail and water systems. But the White House noted that more will be needed and said it plans to work with Congress to fill 'gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures.' MSPs will need to watch closely for regulations that could impact their customers in these sectors.

Healthcare, too, is included in the plan as a segment of critical infrastructure. That means MSPs working in the sector can expect the regulatory requirements to increase, especially around third-party risk management. Because healthcare entities are often targeted through third-party partners, third-party risk management could be an additional regulatory task.

A key focus area of the strategy is vendor accountability: shifting cybersecurity liability to the owners and operators of the systems that hold our data and make our society function, and to the technology providers that these owners and operators rely on. This could be problematic for MSPs. Could they be held liable in the event of a security breach or data loss or theft? We'll have to see how this plays out.