In the first cybersecurity framework since 2018, the White House has released to the wild its new National Cybersecurity Strategy, articulating a need for public and private partnerships, international collaboration and going on the offensive against threat actors using diverse attack vectors.
President Biden, in the report’s frontispiece, said the administration will realign incentives for long-term investments in security, resilience and promising new technologies; hold countries accountable for irresponsible behavior in cyberspace; and disrupt the networks of criminals behind dangerous cyberattacks worldwide.
“We will work with Congress to provide the resources and tools necessary to ensure effective cybersecurity practices are implemented across our most critical infrastructure,” he said, in the statement.
“We must ensure the Internet remains open, free, Global, interoperable, reliable and secure – anchored in universal values that respect human rights and fundamental freedoms.”
The report lays out five key strategic pillars:
- Defend critical infrastructure.
- Disrupt and dismantle threat actors.
- Sharpe market forces to drive security and resilience.
- Invest in a resilient future.
- Forge international partners to pursue shared goals.
Resilience is the new white hat
Strategy statement asserted that the administration championed a collaborative approach across the digital ecosystem as “The foundation upon which we make it more inherently defensible, resilient, and aligned with U.S. values.”
The administration also laid out a set of cyber-specific resilience goals:
- Secure the technical foundation of the internet: The announcement said steps to mitigate concerns like Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and slow adoption of IPv6 are critical.
- Reinvigorate federal R&D for cybersecurity: The federal government will, said the Strategy announcement, identify, prioritize and catalyze the research development and demonstration community to proactively prevent and mitigate cybersecurity risks in current next generation technology.
- Prepare for our post-quantum future: The administration noted that quantum computing has the potential to break some of the most ubiquitous encryption standards.
- Secure clean energy future: bringing online interconnected hardware and software systems that have potential to strengthen the resiliency, safety and efficiency of the U.S. electric grid.
- Support and development of a digital ID ecosystem: The Admin noted that there is a lack of secure, privacy preserving, consent based digital identity solutions.
- Develop a national strategy to strengthen our cyber workforce.
SEE: Quantum computing: Should it be on IT’s strategic roadmap? (TechRepublic)
Gene Fay, chief executive officer of ThreatX, said the last point is especially pertinent, given the ongoing conundrum of too few security experts.
“Amidst the ongoing cybersecurity skills gap, cyber leaders must stop looking for ‘unicorn’ candidates who are in short supply and demand exorbitant salaries,” he said.
“Instead, leaders need to shift their recruiting practices to include different backgrounds, skill sets, education levels, genders, and ethnicities, and be willing to invest in training.”
SEE 10 cybersecurity predictions for tech leaders in 2023 | TechRepublic (Security)
Desperately seeking regulatory baseline for infrastructure
Noting that collaboration to address threats will only work if owners and operators of critical infrastructure have cybersecurity protections in place, the administration said it is advancing on its newly established requirements in key infrastructure sectors.
“Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience,” said the announcement, which maintained that security regulations will be hashed out via collaboration between industry and government, resulting in requirements that are operationally and commercially viable.
Experts: Without collaboration, regulations could hurt more than help
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said unilateral regulations would shackle advances.
“Most industries — apart from software — are already comprehensively regulated in most of the developed countries,” he said.
“You cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that.”
He maintained that overregulation and bureaucracy would be counterproductive.
“The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation. Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good.”
But, he said, intensive and open collaboration of independent experts coming from industry, academia and specialized organizations would help by producing balanced regulations amenable to both industry and government.
The strategy statement said regulations should be performance based, leveraging existing cybersecurity frameworks, voluntary consent suspended standards and guidance involving the Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology.
Sean Tufts, operational technology/IoT practice director at security firm Optiv, said that public infrastructure in the public sphere — electric utilities and oil/chemical companies, for example — have binding cyber regulations.
“This is helpful but isolated to these industries,” he said, noting that CISA defines 16 total industries as critical, but the majority have no defined OT cyber regulations.
“Our food and beverage production, transportation systems, manufacturing firm and many others need formal guidance and regulation in the same vein,” he said, lauding federal involvement to encourage investment in people, process and technology for all critical industries.
SEE: Digital forensics and incident response: The most common DFIR incidents (TechRepublic)
Bringing the pain to threat actors
Besides the best-known exploits in recent years, e.g., the attack against SolarWinds Orion platform by Russian-aligned attackers, was China’s Microsoft Exchange exploit, and too many ransomware and data exposure hacks to count, though one number might be around 2.29 billion records exposed in 2022, representing 257 terabytes of data, according to a report by security firm SonicWall.
The announcement on the new cyber strategy said it will “Use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests” via diplomatic, information, monetary, financial, intelligence and law enforcement.
The Strategy’s objectives include, per the announcement, integrating federal disruption activities, enhance public private operational collaboration to disrupt adversaries, increase speed and scale of intelligence sharing and victim notification, prevent abuse of US based infrastructure and counter cybercrime and ransomware.
Aakash Shah, CTO and co-founder at Chicago-based oak9, said investing more in public-private partnerships is definitely the way to go.
“Attribution is a very hard problem in cyberspace but there are lots of examples like the Trickbot hacking group where a combination of the public and private organizations were able to put together the intelligence necessary to identify the actors and lead to sanctions against 7 individuals,” he noted.
“In this example, CrowdStrike’s researchers along with independent researchers were tracking this group for some time. The U.S. Cybercommand were able to coordinate an attack on this group to identify the key individuals and dismantle it,” he said.
Integrating federal disruption activities
The key to disrupting global cybersecurity exploits, according to the announcement, is sustained and targeted offense, so that “Criminal cyber activity is rendered unprofitable and foreign movement actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals.”
As part of that, the U.S. Department of Defense will develop an updated departmental cyber strategy clarifying how the U.S. cyber command and other DoD components will integrate cyberspace operations into their defensive efforts, according to the announcement.
Shah said federal agencies cannot keep up with the volume of threats that impact the private and public sector.
“Today a number of federal agencies have independent efforts to address cybercrime related cyber threats. What the strategy is doing is investing further in NCIJTF — the National Cyber Investigative Joint Task Force — to coordinate these disruption activities more effectively along with investments in further public-private partnerships,” he said.
China will continue to be a threat for data theft
Adam Meyers, head of intelligence at CrowdStrike, said the administration and companies must be particularly aware of state actor data theft from China, noting that while last year much of the media and defensive focus, particularly in Europe, were on Russia state actors and, while Americans this year are focused on spy balloons, the real crisis is data exfiltration.
“China since the mid 2000’s has been eviscerating corporate America, and that is just continuing. Last year we saw Chinese threat activity in every business vertical, collecting data on a massive scale,” he said, adding that the goal is not compromising U.S. business, services, and infrastructure but stealing massive amounts of intellectual property.
“They are using espionage to win building projects and create dependency, which they translate to influence. So exposing what they are doing and how they are operating is critical,” he said.
Other key strategic objectives for defending against attacks include:
- Enhancing public-private operational collaboration to disrupt adversaries.
- Increasing speed and scale of intel sharing and victim notification.
- Prevent abuse of U.S. based infrastructure.
- Countering cybercrime and defeating ransomware.
Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, welcomed the strategic platform.
“It’s clear that the cyber threat landscape has evolved significantly over recent years with adversaries proving more sophisticated, relentless and brazen. But, so too, has the policy environment in the United States — with new players, new authorities, and new types of missions.”
He said the strategy’s emphasis on being proactive in disrupting threat actors is especially important, adding, “Continued stakeholder collaboration with successful initiatives like CISA’s Joint Cyber Defense Collaborative, and mitigating risk as a shared responsibility, is timely and important.” He also lauded the program’s emphasis on centralizing cybersecurity shared services and adopting cloud security tools.
“Notably, the strategy recognizes the significant risk to privacy posed by cyber threats and the importance of using federal privacy legislation as a vehicle to achieve stronger data protection outcomes.”