Cyber Experts Give Thumbs Up to National Cybersecurity Strategy
One expert says baseline regulation of critical infrastructure is long overdue.
Forrester’s Allie Mellen said the cybersecurity strategy will make a difference in terms of curbing cybercrime.
“In countries like the United States, private sector technology underpins vital services afforded to citizens,” she said. “For years – dating back to Moonlight Maze in 1999 – the responsibility to protect that technology was placed on the private enterprise. However, they have had limited support from the government to address it. Now, they are stepping up in a big way to help the private sector address these threats and to establish norms for how they should be addressed.”
Sam Ruggeri is founder of Advanced Vision Technology Group, an MSP that provides IT consulting, security, support and technology management.
“Given the speed and frequency of cyber threats and breaches, I believe that implementing a comprehensive national cybersecurity strategy is essential,” he said. “While there is no single solution to this complex issue, announcing such a strategy can serve as a call to action for individuals and organizations alike to enhance their security posture. However, we must remain aware that malicious actors may seek to exploit any vulnerabilities in any of our defenses. By raising awareness of these threats, businesses will be motivated to review and reinforce their existing security measures, and in some cases, implement new ones. While this effort may present challenges, it also creates opportunities for innovation and growth across our industry.”
Ruggeri said the new cybersecurity strategy could create new challenges for cybersecurity providers.
“As we assist our clients in navigating the evolving regulatory and compliance landscape, we recognize that the unknown factor is the changes that may occur,” he said. “Regulations and compliance requirements can shift frequently, and we may need to adjust our approach and investments to ensure continued compliance. We, too, may have to meet certain regulations and be compliant to assist clients. However, by doing so we can help our clients in these areas, we can ensure that they are well-positioned to meet any regulatory challenges that lie ahead.”
Having cybersecurity awareness at all levels — global, national and local — is always beneficial, Ruggeri said.
“While a comprehensive approach is necessary, there is no single solution to cybersecurity,” he said. “It is up to all of us, whether in government, business or our personal lives, to remain vigilant and maintain a strong security posture. In my opinion, practicing good cybersecurity hygiene is an ongoing journey that requires continuous effort and improvement. While we can take steps to mitigate risk, we must also be prepared for the unexpected. This is not a task that can be accomplished overnight, but with persistence and dedication, we can improve our overall cybersecurity posture.”
Landen Brown is federal field CTO at Symmetry Systems. He said with the launch of the cybersecurity strategy, “we are starting to see a massive shift in perspective in how critical cybersecurity is becoming, and how intimate our federal cybersecurity goals are with broader national security.”
“This requires a shift in cybersecurity priorities, with a focus on the national cyber strategy plan, and on the evolving technology and threat landscapes, to ensure the federal government doesn’t continue to suffer from the same legacy problems that have persisted for decades,” he said. “As we look to recent breaches at the U.S. Marshals Service, the U.S. Department of Defense (DoD) email server compromises, and even all the way back to SolarWinds, these unfortunate circumstances repeatedly circulate around two major problems. The political and cultural management of cybersecurity needs to improve. Many of these breaches occur due to problems that can be fixed, such as unpatched services and infrastructure, as well as misconfigured or improperly utilized security solutions. The challenge that the national cyber strategy plan will have to face is the cyclical nature of procuring tools within the federal government, and the inability to support the implementation and ongoing maintenance of these tools, which if used properly could tangibly improve the attack surfaces that still exist but shouldn’t.”
Rapid technology advancements are bringing in massive increases in attack surface, Brown said. However, this is set against a backdrop of widespread gaps in the cybersecurity skills needed to address them. Digital transformations, like moving mission-critical applications to the cloud, are meant to foster security and protection, but often unknowingly introduce a mountain of previously unknown threats and attack surfaces that, at this point, have not been pinned to a federal process or standard operating procedure (SOP).
“We are at a very interesting point in national security as it relates to the cyber domain, where technology advancements built to serve as force multipliers to our federal cyber analysts are having the opposite effect due to traditional cultural concerns, such as change boards,” he said. “While tools are rapidly being built with effective artificial intelligence/machine learning (AI/ML)-based threat modeling and early warning capabilities, the cultural barrier of actually understanding and rapidly remediating findings is still present. Time and time again, we see new tools being made and purchased, while the findings of that tool are not acted upon or used to make positive change in the overall security posture.”
Agencies like the U.S. Cyber Command are attempting to remove the dysfunction in cultural barriers so that analysts, engineers and thought leaders can immediately act on the discrepancies they find in their security posture, rather than being forced to jump through bureaucratic hoops that take months to approve and leave vulnerabilities and attack surfaces ripe for the taking, Brown said.
Bryan Cunningham is a former White House lawyer and advisor at Theon Technology. He said recently retired National Cyber Director Chris Inglis, who was instrumental in penning the strategy, and other U.S. government officials have said they believe, as does much of industry now, that there may well be a need for more mandatory regulations. However, they intend this to be a “highly consultative process” within the industry, and they would rather rely first on self-regulation and market forces, and only regulate where there are critical gaps.
“I think this is the right approach and even industry leaders have signaled, at least since the SolarWinds attacks, that they are open to reasonable regulation and that it probably is time,” he said. “That said, any regulations would have to be at a fairly high level of generality and allow different approaches to compliance since the attack vectors and best practices of defense change constantly.”
The strategy almost certainly will endorse more aggressive offensive cyber operations and doctrine by the U.S. government itself to add more emphasis on permanently disabling or dismantling bad actors’ entire operations, in addition to targeted operations where necessary for military or national security purposes, Cunningham said.
“I do not think it will, nor necessarily should, push for legalization of offensive cyber operations by private organizations, at least not without court orders or other proper legal process,” he said.
James Hayes is senior vice president of global government affairs at Tenable. He said baseline cybersecurity requirements for critical infrastructure are “long overdue,” and time is of the essence.
“Regulatory action needs to come quickly, needs to have teeth and most importantly, cannot exist in a vacuum,” he said. “But industrial control system operators cannot wait until the regulations are in place before further investing in their security infrastructure and processes. Forthcoming regulations will at a minimum include the Cybersecurity and Infrastructure Security Agency (CISA)’s cross-sector cybersecurity performance goals, which critical infrastructure providers should implement now.”
Hayes also said the success of the strategy will rely on Congress properly funding and empowering the Office of the National Cyber Director (ONCD) and CISA in order to help them tackle all of the areas to be addressed.
“CISA needs to have authority so they aren’t a paper tiger,” he said. “It will be a priority to drive alignment not only across federal departments and agencies, but also with state and local governments, and between public and private sectors.”
The White House’s National Cybersecurity Strategy will put pressure on security providers and on their customers — private enterprises.
That’s according to Allie Mellen, security and risk analyst at Forrester. The cybersecurity strategy will provide a road map for how the Biden administration aims to defend the United States from a rapidly growing number of online threats.
The cybersecurity strategy will affect critical infrastructure providers, including technology companies, and look to establish a minimum set of cybersecurity requirements, Mellen said.
A key element of the new framework shifts the burden of cybersecurity away from individuals, small businesses and local governments. It puts it in the hands of technology firms, software developers and other institutions with the necessary resources and expertise.
5 Focus Areas of Cybersecurity Strategy
The cybersecurity strategy seeks to build and enhance collaboration around five areas:
Defending critical infrastructure.
Disrupting and dismantling threat actors.
Shaping market forces to drive security and resilience.
Investing in a resilient future.
Forging international partnerships to pursue shared goals.
“Our rapidly evolving world demands a more intentional, more coordinated and more well-resourced approach to cyber defense,” the White House said in a statement. “We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests. At the same time, next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies. This strategy sets out a path to address these threats and secure the promise of our digital future. Its implementation will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base.”