Changes to cybersecurity policy and strategy at the federal government level mean MSPs will have to navigate an increasingly complex regulatory environment in the years ahead. “That is not surprising as it often takes a little while for the law and policy to catch up to technology, but I think you’ll start to see that happen,” says Matt Weaver, a cybersecurity and law expert in Seattle.
The White House released a 40-page blueprint for fortifying cybersecurity in the United States.
The plan builds upon cybersecurity strategies established by previous administrations.
“That blueprint will probably spur more laws, and MSPs, CISOs, and others are going to have to keep up,” Weaver warns.
He also explains that a robust National Cybersecurity Strategy is a comprehensive plan developed by a government to protect its citizens, critical infrastructure, and information technology from cyber threats. It should outline the government’s approach to managing cybersecurity risks and set out the goals and actions necessary to achieve these objectives. “We’ve been a little behind other countries in this, but the White House strategy released last week is a great start,” Weaver explains.
According to Weaver, a good National Cybersecurity Strategy typically includes a range of measures aimed at strengthening the cybersecurity posture of a country, such as:
- Establishing a legal framework to regulate cybersecurity.
- Developing a national cybersecurity policy and strategy.
- Enhancing collaboration among government agencies, private sector entities, and civil society organizations.
- Promoting awareness and education to improve cybersecurity hygiene.
- Strengthening critical infrastructure protection.
- Enhancing incident response and crisis management capabilities.
- Strengthening international cooperation on cybersecurity.
“The National Cybersecurity Strategy is an essential component of the overall national security framework and is critical to safeguarding national interests in the digital age,” Weaver says.
The White House report identified four key cybersecurity areas that need the most attention from policymakers:
- Defending critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships
“I am not surprised that the first one is defending critical infrastructure because we have seen heightened concern over power grids, transportation, and healthcare facilities,” Weaver emphasizes. “MSPs with these verticals in their portfolio will be among the first to be impacted by new legislation.”
Some other highlights from the report:
- We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments and onto the organizations that are most capable and best positioned to reduce risks for all of us.
- We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and strategically planning for and investing in a resilient future.
“By ‘rebalancing’, the government is trying to shift the responsibility for cybersecurity from the individual user to larger actors in the ecosystem,” Weaver explains.
What This Means for MSPs and Other Stakeholders
“The strategy released by the White House is just that: a strategy report,” says Weaver. “But I would expect it to be debated and discussed and dissected over the next year or so, and MSPs need to stay on top of legislative developments because new laws will almost certainly arise from this, so be thinking now about ways to implement strategies in the report.”
Software companies and others in the ecosystem should also begin discussing how to comply with future legislation. According to the report:
“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.”
It goes on to say:
“To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable, safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
Weaver notes the safe harbor framework is one of many granular details that will have to be hashed out in the months ahead.
“The White House strategy speeds up existing trends around more regulation and compliance and brings in new wrinkles in vendor accountability and cyber insurance,” Weaver adds, sharing that these will all take years to play out.
“The law moves slowly, but cybersecurity and technology do not, so in some ways, legislation is always playing catch-up,” he concludes.
Photo: Zoomik / Shutterstock
Exactly why the NSITSP (National Society of IT Service Providers) is working to give our profession a voice in the regulatory and legislative process. (https://nsitsp.org)
Great collection of information.
Interesting perspective. Never gave a thought to how MSPs play a role in national cybersecurity.
I think this is partially overdue. At the same time, there are so many organizations who already exist in a mindset of ‘compliance denier’, I question whether more laws are actually going to move the needle. I think it is up to the MSP industry to continue to loudly beat the cybersecurity resiliency drum.
A good heads-up on things that need to be covered off.
Informative article on things we have to keep up with regarding cybersecurity.
I’ll keep these things in mind as I move forward.
Very insightful, will keep this in mind.