Experts provide their insights on various aspects of the US National Cybersecurity Strategy, released yesterday.
More industry perspective on the US National Cybersecurity Strategy.
Experts in cybersecurity shared their perspectives on the US National Cybersecurity Strategy over the past couple of days with the CyberWire, highlighting the strategy's focus on the digital ecosystem, the approaches to cyber posture it posits, its emphasis on critical infrastructure, its impact on the labor force in cyber and related sectors, and its geopolitical facets.
Providing a stronger digital ecosystem.
Jordan Burris, Socure’s Vice President and Head of Public Sector Strategy, is excited to see some forward motion in government digital infrastructure:
"Specifically, I’m encouraged to see the U.S. lean into developing a stronger digital identity ecosystem and infrastructure. With the risk in identity theft and fraud, we must focus on strengthening identity verification practices and identity risk signal sharing. Furthermore, we must ground progress in this area around transparency and measurement.”
Richard Bird, CSO at Traceable, is glad for the White House’s step, but shares concern about implementation in practice:
“The recent announcement by the White House concerning a shift in our nation’s cybersecurity strategy has left me concerned about where the responsibility of managing data truly falls. I fear that organizations will consider themselves more vulnerable than the US citizens who have trusted those same companies with their data and personal information. Where consumers are the most vulnerable, accountability lies with corporations. In theory, the White House’s suggestions are a step in the right direction, but we need to be mindful of how we can continue to make our digital ecosystem secure so this works in practice, as well.”
Michael McPherson, SVP of Security Operations at ReliaQuest, notes the strength that comes from public-private partnerships:
"Today’s release of the White House’s National Cybersecurity Strategy affirms the whole-of-government approach to partner closely with the private sector to impose maximum impact on the adversary. Ultimately, the U.S. government wants to degrade the adversary’s ecosystem and impose consequences for their illicit activities. Agencies like the FBI will continue to play a leading role in coordinating efforts and driving these disruption operations. While there will be enormous challenges for collaborating with the private sector, this strategy outlines it is imperative to national security."
Dan Conrad, AD Security and Management Team Lead at One Identity, highlights the focus on securing digital identities:
"The White House is right to call out securing digital identities in its new cyber policy. As people interact more with digital services, it’s crucial that their personal and corporate identities are protected. We tend to throw our hands up when it comes to things like passwords, as it seems they are never really protected. The reality is the industry is developing advanced methods today to keep our identities, and the digital services we log into, protected."
(Added 5:00 PM ET, March 6th, 2023. Sameer Hajarnis, Chief Product Officer of OneSpan, wrote with approval of the importance of digital identities in the Strategy. "It’s promising to see the Biden administration prioritizing the development and advancement of digital identity solutions. Secure digital identity is a fundamental cornerstone of digital economies. Without secure digital identity, consumers are much less likely to conduct sensitive transactions (e.g. banking, payments, telehealth) online. The U.S. has tried to implement a country-wide digital identity system in the past, and though it hasn’t really landed yet, the idea behind it is right: the government defines the rules of the digital identity system and the implementation is performed by private companies. Most similar economies, like the UK, Australia, New Zealand and Canada, have introduced or are in the process of introducing national digital identity systems based on public/private partnership, and I think this is realistically the most likely path for the U.S., too.")
(Added 11:30 AM ET, March 7th, 2023. Gene Fay, CEO, ThreatX, sees the general tendency to shift responsibility for security from users to vendors as a net positive:
“This National Cybersecurity Strategy signals an important step forward in how software developers are held more responsible for managing cyber risk for their customers. Since perfect, vulnerability-free software will never be reality, cybersecurity will always be a joint effort between software creators and users, but the White House’s attempt to lessen the burden on users and shift focus to software creators is appropriate and overdue.
"But none of this defense happens without the right talent, and cybersecurity has a significant talent shortage right now. The White House’s focus on cybersecurity staffing in this strategy is both important and commendable.
"Amidst the ongoing cybersecurity skills gap, cyber leaders must stop looking for 'unicorn' candidates who are in short supply and demand exorbitant salaries. Instead, leaders need to shift their recruiting practices to include different backgrounds, skillsets, education levels, genders, and ethnicities, and be willing to invest in training.”)
(Added 6:45 PM ET, March 7th, 2023. Javed Hasan, CEO and Co-founder of Lineaje, notes that the Strategy comes with deadlines. They're an important step, and meeting them won't be trivial:
“Today’s White House National Cybersecurity Strategy announcement serves as a reminder to organizations that they have until September 2023, which is close to six months away, to comply with guidelines set forth by U.S. Executive Order 14028. Vendors will not only have to scramble to ensure their software is compliant with NIST guidelines, but also will need to provide self-attestation that is reliable and can be independently verified.
"Evaluating the SBOMs of all software they procure will become a risk management and operational efficiency imperative as we move closer to the rapidly approaching September deadline. With more government oversight and regulations coming in the future, it is crucial for companies to know ‘what’s in their software’ to make sure they are compliant and not incur any fines or penalties.
"We welcome this initiative from the White House. Software not built securely cannot run securely. This strategy commits the government to move responsibility to those who supply software, not those who consume it. It’s high time that call was made.”)
(Added 7:45 PM ET, March 7th, 2023. Ben Herzberg, Chief Scientist at Satori, wrote to applaud the higher standards for those who handle and safeguard data. "It's high time that data stewards should be held to a higher standard. Placing access and security controls on sensitive data should be table stakes for any organization entrusted with user data - especially when it is related to the kinds that can do harm to vulnerable populations if stolen, such as health, geolocation, and financial data. These table stakes have not been met because of the strain it puts on security teams, but automation measures can save significant amounts of time for organizations to properly enforce their controls and comply with any new federal standards."
Eyal Benishti, founder and CEO at IRONSCALES, commented that it's not too early to move toward anticipating regulatory requirements. “Organizations that wish to remain on the right side of regulation should begin investing now in the right tools and technologies,” Benishti explains. “While many people today are focusing on artificial intelligence as a source of cyber risk, the truth is, the only way we’ll be able to stay ahead of emerging cyber threats is to lean on AI as a solution to that risk. To that end, AI-enabled security tools and real-time, actionable threat intelligence sharing will be critical for firms to stay informed and ahead of the latest threats. By creating a network of shared threat intelligence, and bolstering artificial intelligence with human insights, organizations will be able to realize the kind of intelligent threat response ‘at machine speed’ that the White House is calling for.”)
Approaches to cyber postures.
Aaron Sandeen, CEO and co-founder at Cyber Security Works, highlights the crucial nature of a strong security posture:
“Today, the Biden-Harris Administration released the National Cybersecurity Strategy in an effort to ensure that every American can benefit fully from a safe and secure digital ecosystem. The announcement states that our rapidly evolving world demands a more intentional, more coordinated, and a well-resourced approach to cyber defense. Therefore, one way that organizations can do that is by continuously improving their security posture.
"Leaders must increase their cybersecurity visibility of known and unknowable assets, validate more regularly, and search for early warning capabilities as global cybersecurity concerns rise if they are to truly protect their organizations from future intrusions and vulnerabilities.”
Craig Burland, CISO at Inversion6, wants to wait and see what happens in the days following the release:
"The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer."
Kevin Bocek, VP of Ecosystem and Community at Venafi, says a focus on engineers and engineering will be imperative:
“A national cyber strategy is overdue and it’s very welcome to see White House leadership talking about cybersecurity as a fundamental risk to freedom and order in the world this century. It’s a fundamental risk that threatens every business.
“As recognized by the policy, building in security such as securing the identity of customers or machines, is our only path to success and the future. Engineers decide the success of business and are also the ones who can threaten not only their business but others. This change will not happen by just the new directive, but the good news is that leading businesses have recognized this need already.”
Brian Shealey, VP of Public Sector at Immuta, discusses the need for "secure by design":
"We need to ensure that “secure by design” is a paramount priority in all aspects of our digital lives, from the applications and systems being built by companies or government agencies, to the laws and policies protecting the privacy of U.S. citizens. Investing in a resilient future is critical, especially with quantum technology just over the horizon. Market forces can be influenced by policy/law (driving fear), but also through incentives (driving intent) – it’s encouraging to see that both are outlined in this strategy.
"This new framework requires additional improvements to meet the growing complexities of the cyber world which, with our increasing reliance on digital technology, is a marathon, not a sprint. We’ll need funding earmarked in our budgets to support strategic shifts and will have to find ways to drive the adoption of these objectives effectively and efficiently. Additionally, we’ll need to ensure that future administrations continue to drive this initiative forward."
Dray Agha, Senior ThreatOps Analyst Team Lead at Huntress, notes that a strong posture is now a necessity in today's climate:
"From page one, there’s recognition that digital connectivity’s benefits to everyday life are inexorable; the digital’s merging with critical national infrastructure and beyond has presented the ultimate fragility to life as we know it. An appropriate cybersecurity posture is no longer an optional nicety, but is an absolute necessity to protect civic society, businesses and administrations from the cascading impact of a cyber attack."
Rob Ellis, Chief Strategy Officer at Reciprocity, says that this is a good start toward organizations implementing more than the bare minimum:
"When it comes to cybersecurity, doing the bare minimum is no longer acceptable – and just checking the SOC2 compliance box is going to be enough to protect an organization. Organizations in these critical sectors, as outlined by the White House, will need to instead move beyond basic compliance and be able to speak to their cybersecurity risk by quantifying, managing and reporting on their cyber risk posture. I would argue that cybersecurity is going to move from a back-office function to a customer facing one – and increasingly the organizations that win business (including that of the government) and grow in this world will be the ones best able to manage and communicate their cyber risk.”
Brandon Pugh, policy director for the R Street Institute's cybersecurity and emerging threats team, highlights areas of concern in future postures:
"The Biden administration’s National Cybersecurity Strategy is ambitious and has many parts that would improve our cybersecurity posture, but there are areas of concern and others that need clarity.
"Key to its success lies within how the strategy will be implemented. For example, it is one thing to call for harmonizing and streamlining regulation, but another to ensure it is actually done. This is especially important when the administration is looking to add new requirements and asking industry to take on more in the cyber realm. Even just looking at incident and breach reporting, there are at least two dozen federally issued requirements. This can result in a compliance nightmare and even limit the goal of improving our cyber posture.
"I urge the administration and Congress to tread carefully as they contemplate action that could undermine free market principles. The strategy currently recommends shifting liability onto manufacturers and software publishers that fail to take precautions to secure their software through legislation that the administration hopes to develop with Congress. This might sound positive in theory, but in practice, there would be large challenges and many questions to answer first.
"I am hopeful that there will be greater collaboration with stakeholders as the strategy is implemented. For a strategy as consequential as this, more robust public engagement would have been helpful. Public engagement from Director Easterly and the Cybersecurity and Infrastructure Security Agency (CISA) is a model for others to follow."
Caroline Seymour, VP of product marketing at Zerto, a Hewlett Packard Enterprise company, notes the importance of an instant recovery solution:
“The latest Biden administration plan to issue its cybersecurity strategy is welcomed news in that it’s aimed at disrupting hackers and ransomware groups. We know these criminals are relentless, and they are emboldened by the amount of money they can extort. That is why companies' major focus must be getting their system back up and running after an attack. When a service provider is disabled and access to data is held in exchange for ransom, the best way to fight back and get up and running again is to have a recovery solution in place that protects systems from disruption and provides a path to instant recovery."
Nicola Sanna, President at FAIR Institute, commends the administration's approach, which he says helps organizations understand where to focus their cybersecurity investments:
“We commend the Biden Administration for finally creating a system in which companies will be incentivized from an economic perspective to establish secure development practices and get secure products out the door instead of rushing to market and putting the burden on their customers to discover vulnerabilities. Second, it’s another major step forward for government to encourage reduction of systemic vulnerabilities to make the digital ecosystem more defensible and resilient. Those are two areas where cyber risk quantification can help organizations assess where they are spending today on cybersecurity and understand where they can cost-effectively focus investments going forward to meet those expectations."
Critical infrastructure sees the limelight.
Moty Kanias, Vice President of Cyber Strategy and Alliances for industrial device cybersecurity company NanoLock, notes the high rate at which threat actors are targeting critical infrastructure:
"Adversaries in cyberspace are evolving at an alarming rate and are always looking for new markets to attack. In fact, manufacturing has become the number one target in the past year, according to reports from leading companies. Protecting critical infrastructure and production lines at the industrial device level is an essential next step beyond today’s requirements for common detection, monitoring and segmentation solutions to address a problem that is becoming increasingly more complex.”
Robert Booker, Chief Strategy Officer for cybersecurity risk and compliance framework alliance HITRUST, explains the complicated nature of attacks on critical infrastructure, and their widespread impact:
"The publication of the Biden administration’s national cybersecurity strategy acknowledges the critical and growing importance of digital services across critical infrastructure and pervasive in both government and the private sector. The use of market forces to support and sustain a safe and secure ecosystem is critical to accelerate innovation and consumer engagement in key areas including healthcare, commerce, and financial services. All industries including critical infrastructure exist in a complex threat environment which is dynamic and where security requires collaboration and innovation jointly across and between the government and the private sector.”
Jamie Boote, Associate Software Security Consultant at Synopsys Software Integrity Group, sees a connection between the #StopRansomware warning on Royal ransomware and the Strategy:
“This government warning could be a piece of a larger Cybersecurity Strategy announced yesterday (March 2nd) by the White House. Ransomware presents a unique crossover of the attack surface that wasn’t as noticeable when public-serving operations weren’t as networked or digitized. Attacks like ransomware target private companies like hospitals, factories, and energy companies, but end up being an attack against the American public by depriving them of these vital services. These private-target/public-impact attacks have prompted the White House to build a strategy to go beyond securing government networks and will work to secure the networks of critical infrastructure providers. By highlighting the private targets that have a public impact, such as hospitals and other public facing providers, bulletins like these are raising awareness of the threats posed to the public. These communications and strategy announcements from the government are representative of how the government has made cybersecurity a priority and will continue to work with private and public partners to better mitigate threats like these.”
Duncan Greatwood, CEO of Xage Security, connects the strategy with CISA's recent performance goals:
“The National Cybersecurity Strategy released today is broad and high-level, but nonetheless embodies and foreshadows a number of major advancements.
"The first pillar, focused on defending critical infrastructure, is closely aligned with the cybersecurity performance goals recently released by the Cybersecurity and Infrastructure Security Agency (CISA). The Biden administration’s strategy will enable CISA to turn these requirements into enforceable regulations, spurring real cybersecurity improvements. Equally important, new innovations in cybersecurity are making it practical for critical infrastructure operators to comply with the upcoming requirements without requiring ‘rip and replace’ of existing equipment and networks - so operators can overlay new cyber protection in a timely fashion.
"Another aspect of this first pillar focuses on defending and modernizing federal networks and updating the federal incident response policy. Federal agencies are embracing zero trust with defense-in-depth to ensure there are preventative cyber measures in place to ensure the continuity of key systems and critical infrastructure.
"One of the other key pillars focuses on shaping market forces to drive security and resilience. More granularly, it doubles down on ensuring that federal grant programs promote investments in new infrastructure that are secure and resilient. This is an unprecedented action and a great opportunity for mission-critical sectors to prioritize building cyber resilient infrastructure. These federal grant programs will help modernize existing infrastructure that’s currently vulnerable to attacks.
"Helping critical infrastructure agencies turn directives into effective actions is a responsibility shared by operators, the government and the cyber industry. Cybersecurity companies will need to create practical tools that enable preventative infrastructure cybersecurity.”
Max Shier, CISO at Optiv, discusses how the approach to critical infrastructure can be reflected in other sectors:
"The Strategy further calls for formalizing performance-based cybersecurity requirements across critical infrastructure and government systems (including National Security Systems). There are some initiatives already underway that aim to do just this, including CMMC (Cybersecurity Maturity Model Certification) for those that process or handle government controlled unclassified information (CUI) – and this is a good start. Today’s Strategy, however, takes the principles within CMMC and makes them more widely applicable to all industries deemed “critical.” Among other things, the Strategy emphasizes that regulations must be agile enough to adapt with adversaries’ tactics, there must be a focus on secure-by-design principles, and systems must be designed to fail safely and recover quickly – all of which are a marked change from what have been compliance-based regulations in the past. This points to a continued trend of the government taking a risk-based approach to cybersecurity."
(Added 4:45 PM ET, March 6th, 2023. Jon Geater, Chief Product and Technology Officer at RKVST, sees the central challenge as the ability to identify the origins of security issues:
“Holding vendors liable for software insecurity is a laudable goal and very likely to motivate action: comparisons are often made between building software and building bridges, and we long ago found ways of holding engineering companies accountable for failings if the bridge they build turns out to be unsafe. But. The devil's in the details here. You can't assess liability without finding fault, and even if we can define what "insecurity" means - which is an entire Ph.D. category in itself - we still need to identify where the insecurity originated. Whose mistake led to hackers getting in? Whose negligence let that buggy software out into the world? Who authorized that particular open source package to be used for this use case?
"In the case of a software breach there will be lots of moving parts with software, data, and security operations all at play, and right now it's really hard to know where the critical failure originated because people don't authenticate data, don't track software provenance, and don't record the who-did-what-when of releasing today's complex software into the world. In order to successfully move forward in holding software suppliers accountable we need to make sure that the whole software and data supply chain are traceable and provable in order to efficiently demonstrate fault and bring issues to a conclusion quickly. Initiatives such as IETF SCITT are bringing this essential capability to the world.”)
Impact on the cyber workforce: working behind the scenes, and coming in.
Rick McElroy, Principal Cybersecurity Strategist at VMware, discusses the impact on the professionals who will have to implement and maintain what these regulations require:
“The Biden administration continues to show meaningful support for cybersecurity, and is looking to address some fundamental areas of weakness in our national security supply chain to create more resilient digital infrastructure in the future. These efforts are needed - and have been needed - within the government for a long time. However, considerations need to be made for the people of cyber who will be challenged with implementing and maintaining these environments amid a massive shortage of cybersecurity professionals across the globe. What is perhaps more important for a federal cyber effort is the ability to recruit and retain cyber talent. We have to consider the human element of all of this and how it will impact individual professionals. We cannot ramp up technology investment without an investment in the people of cyber. Pay scales are increasing slightly at the federal level, however, we need a national cybersecurity recruiting effort for both the federal agencies and state and local municipalities.”
Marcus Fowler, CEO at Darktrace Federal, says that innovative tools and programs are a necessity for those in the workforce to be able to adequately complete their work:
"As we look towards a future where a hybrid human-AI approach to cyber is absolutely necessary, the pursuit to meet a stronger, more robust, and better enabled cyber workforce must be executed with innovative and accessible programs that are both growing and investing in the next generation of security practitioners and augmenting them to get further faster and increase workload efficiency and accelerate response times.”
Peter McKay, Chief Executive of Snyk, expresses the importance of bringing developer security to the forefront:
“Snyk has seen numerous organizations that are embedding secure software best practices in their development cycles from the start, or the initial line of code. They are doing this by empowering their own developers to create secure applications in a seamless and responsible way. By integrating and automating secure software development practices into their workflows, they are deploying ways to find, fix, and remediate vulnerabilities in both pre-production and production applications, and as a result, bringing developers, IT, and security teams together as one team.
"The new White House cyber strategy is a rallying cry for developer security. Organizations should address developer security now, before rules are put in place that will impose fines and other penalties on organizations that fail to do so.”
Jason Rebholz, CISO at Corvus Insurance, notes the importance of a National Cyber Workforce and Education Strategy, coming just at the right time:
“It’s encouraging to see the Government step in to support businesses in combating cyber security threats. For too long, businesses and individuals have been forced to defend against a well funded, well trained, and well motivated adversary. This is the right next step in keeping American citizens and businesses safe in the escalating cyber war.
"The creation of a National Cyber Workforce and Education Strategy comes at a time when it is needed most. There is untapped potential in the American workforce who are ready and willing to learn the skills necessary to protect the networks of America’s businesses.”
Debbie Gordon, Founder and Chief Executive Officer at cyberattack simulation training company Cloud Range, says that this strategy provides a career path for cybersecurity professionals:
"While we applaud the administration’s goal to build out our national cyber workforce under Strategic Objective 4.6 and develop our nation’s next generation of cyber talent, it unfortunately doesn’t move the needle on what needs to be done to strengthen the workforce we have today. In any type of life safety field—and that is exactly what cyber security of critical infrastructure represents—the need for ongoing training and readiness is integral. The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state backed APTs, so we can’t depend on a yearly training certificate to be confident that our infrastructure is being protected. Requirements for ongoing training that can be measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right people with the right skills to prevent and respond to attacks in place, they can also provide cybersecurity professionals with a clear pathway to expand their careers with the cyberskills that are unique to OT cybersecurity."
Rob Juncker, CTO at Code42, emphasizes the importance of the security culture within an organization:
"Security leaders need to focus on internally creating a security-aware culture that establishes data ownership policies while empowering employees through consistent and ongoing education to do their part to protect the company and its data. With a focus on education and measured responses to cyber events, a trusted partnership can form between CISOs, their security teams, and the rest of the organization, keeping company data safe from both malicious and accidental breaches."
Nation-state collaboration: a priority for both strength and resilience.
Moty Kanias, Vice President of Cyber Strategy and Alliances for industrial device cybersecurity company NanoLock, highlights the fight against nation-state actors and the efforts made by other countries:
"The newly released National Cyber Strategy is a huge step in the right direction for the world in the fight against cybercrime and state-driven adversaries. We commend the work done by the agencies involved and hope that they will continue to prioritize the security of the nation's critical infrastructure. It is crucial for allied countries to work together towards cyber supremacy, to fight cyber criminals and to create new cyber security solutions that will tilt the equation.
"We also acknowledge the efforts made by other countries like Singapore in implementing regulations that can serve as a baseline for the U.S. For example, in July 2022, Singapore took the important step of deepening regulations for critical infrastructure and is now demanding that critical infrastructure prevent cyberattacks on field controllers, such as PLCs, RTUs, industrial computers, and more. Other countries, including the US, must follow this path to protect critical infrastructure from massive cyberattacks."
(Added 3:15 PM ET, March 6th, 2023. Darren Death, ASRC Federal's CISO, wrote to applaud the Strategy's emphasis on cooperation. “The new U.S. National Cybersecurity Strategy represents a positive step forward in safeguarding the nation's critical infrastructure and digital assets," he commented. "It aims to create a more secure and resilient digital ecosystem by fostering a comprehensive and proactive approach to cyber protection within the federal government and private sector organizations. The strategy prioritizes risk management and information sharing, and seeks to establish minimum cybersecurity standards across critical infrastructure and industry. It also emphasizes collaboration and partnership between public and private sector stakeholders, as well as international cooperation and multilateral action to bring about more secure and prosperous outcomes for the nation.”)