The Biden/Harris Administration’s updated National Cybersecurity Strategy includes many practical and straightforward solutions that build on pathways outlined by previous administrations; however, it also takes ambitious steps toward a more collaborative and intentional future.
Unpacking the National Cybersecurity Strategy is a three-part thought-leadership series analyzing the initiatives outlined in the Biden Administration’s updated cybersecurity strategy document. Our first post covers the strategy’s first major theme: defending critical infrastructure; the second post discusses the next two themes: preventing attacks and disrupting and dismantling threat actors. For the final installment, we address the final themes of investing in cyber resiliency and collaboration among organizations and between nation states.
As with the previous posts, I will continue to analyze the initiatives through the lenses of the different roles I play at SafeBreach, namely: a CISO for a cloud-first company who needs to protect their own organization, a CISO for a technology company who needs to protect their customers from potential supply chain risks, a CISO who is acting in the capacity of a trusted advisor, and finally as SafeBreach, a company that needs to understand what the National Cybersecurity Strategy means for our own security posture and program.
Theme 4: Invest in Cybersecurity Resilience
This theme is an important one. While the formal title of this section refers to the future, this theme largely looks at the present day. More specifically, it discusses investing in cybersecurity today to secure the future.
Initiative 4.1: Back to basics—cyber hygiene.
As a security professional with over three decades of information security experience, I believe that this is one of the most important initiatives. One truly pervasive challenge facing organizations is their ever-growing technical debt. In the rush to get new features and capabilities out to market, many companies let old vulnerabilities and code pile up. This initiative states that “Such a ‘clean-up’ effort to reduce systematic risk requires identification of the most pressing of these security challenges, further development of effective security measures…to reduce our risk exposure without disrupting the platforms and services built atop this infrastructure.”
As an internal and product CISO, this problem is near and dear to me. We often must balance addressing vulnerabilities and technical debt, securing and reducing risk, and facilitating the company’s need to take on new initiatives and risks. As a trusted advisor, I have an opportunity to help my customers identify where basic cyber hygiene can yield coverage gains without the need for additional investment of funds.
This initiative is critical for SafeBreach and all companies that rely on the Internet. 2023 is the 40th year since the “birth” of the Internet. It also marks over a decade since IPv6 was launched. Every year we experience at least one outage in parts of the network caused by issues that stem from some of the known risks and vulnerabilities in the current foundation. Think of it as trying to build modern high rises atop wooden foundations.
Initiative 4.2: Explore new directions to mitigate cybersecurity risks.
With this initiative, the Biden Administration is looking to invest in research for new ways to proactively prevent and mitigate cybersecurity risks in existing and next-generation technologies. The initiative is looking to advance the state of cybersecurity across the board. The somewhat-peculiar part about this initiative is that the final paragraph indicates that the Administration will focus their efforts on three main families of technologies: computing-related, biotechnology and biomanufacturing, and clean energy. It states that these three are important to US leadership in the future. The paragraph concludes with the statement that the Administration will do this by “comprehensively leveraging Federal investment vehicles, Federal purchasing power, and Federal regulations,” without going into any detail.
As the internal and product CISO, I consider this initiative a natural progression from the former initiative. As the technologies and systems we use evolve, so do the threats and the malicious actors who look to abuse them. We must continuously explore new directions to mitigate both existing and emerging risks. This exploration does need to happen in concert with previous efforts. That said, we need to be careful not to waste efforts on risks we already mitigate well. A common issue is a solution looking for a gap. As a trusted advisor, I recommend to our customers that they should make sure they have a gap before exploring technologies and solutions. We recommend leveraging the SafeBreach platform to identify these gaps.
As SafeBreach, we generally like this initiative. Our platform and others like ours are solutions that need to be more widely adopted and used to identify risks and gaps proactively.
Initiative 4.3: Consider the evolving cybersecurity landscape.
This particular initiative in the Administration’s strategy focuses on future challenges to encryption mechanisms. I admit that this issue is certainly a concern at the national level. Encryption, while a valuable security measure, is less of a risk factor to the private sector. Without getting into a philosophical debate about the merits of strong encryption, this is an important initiative for the US.
As an internal and product CISO, I need to think about how we adapt to new technologies and what new and novel risks are on the horizon. I remember in 2001 when one of my customers was worried about the threat of Van-Eck emissions. Neglecting the ‘likelihood’ factor in the risk equation is sometimes too easy. CISOs often need to balance competing risks based on their likelihood, impact, and cost to mitigate them, while measuring the relative value in risk reduction. As a trusted advisor, I partner with my customers to identify what threats they see on the horizon and figure out how to help them with those.
From the SafeBreach point of view, as stated above, this is an important strategic initiative for the Administration, especially when considering the global adversaries the US is dealing with at the macro level. At the micro level, the Administration, through initiatives 4.1 and 4.2, must also work to solve the fact that roughly 20% of sites on the Internet still use bare HTTP, and over 60% of web servers still support TLS 1.0 and 1.1.
Initiative 4.4: Secure smart technologies.
The actual title of this initiative in the Administration’s strategy focuses on a clean energy future. When you read the specifics, it becomes apparent that the Administration is looking at the wider category of “smart” technologies. The evolution of traditional information technologies (IT) and operations technologies (OT) arrives at this nexus we label as “smart.” Clean energy, with advanced technology supporting it, needs smart technologies. We already see cities developing and adopting smart grids, and smart cars being built with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. The issues facing traditional IT/OT systems will certainly get a new twist with this next-generation set of technologies, and we already see malicious actors able to hold cities’ smart grids hostage.
As the internal CISO, this is another external challenge to pay attention to. How will smart technologies impact my current environment? Consider for a minute all the efforts that companies have put in to block the print-screen function when today, any employee can take a snapshot with their smartphone. As a trusted advisor, my focus with customers will be to understand how traditional attack methods, much like those used in IoT (see strategic initiative 3.2), evolve to take advantage of smart technologies and how to defend and validate their defenses against them.
While SafeBreach is not a clean energy vendor, nor do we develop smart grid products, we are becoming more dependent on these technologies. This initiative is yet another attempt to address another failure to build security-by-design into some of these newer technologies. Sadly, the larger technology ecosystem needs to learn from its past mistakes.
Initiative 4.5: Invest in our cybersecurity program’s privacy-by-design and identity-centric model.
This initiative is another one I took some liberties on when interpreting the Administration’s phrasing. Specifically, the use of the term “Digital Identity Ecosystem.” Next to strategic initiative 3.1, this initiative addresses information privacy. It attempts to address the challenges of digital identities and the associated identity fraud. This initiative is very ambitious, considering the US still struggles with a physical national identity. This initiative addresses how digital identities are created, verified, protected, and trusted, as more of our technologies and services need to rely on them. I see this as a privacy-oriented initiative because digital fraud largely depends on failing to protect digital identities properly.
As the internal and product CISO, the identity-centric security model is one of the building blocks I use to implement a zero-trust architecture (ZTA). Any system I buy or build must support strong digital identity verification and privacy. As a trusted advisor, I help our customers understand the benefits of integrating user impersonation capabilities into our platform. This way, they can also understand the impact different types of users can have on their infrastructure, especially when it comes to lateral movement and data exfiltration.
At SafeBreach, we see this as an important initiative, especially if it can drive toward a universal digital identity ecosystem.
Initiative 4.6: Invest in our cyber workforce.
This initiative attempts to address the talent shortage in the cybersecurity sector. Using various incentives, the Administration seeks to increase the available talent pool by expanding programs to develop more cybersecurity talent. It also looks at increasing workforce diversity and addresses some systematic inequities that may be barriers to entry.
As an internal and product CISO, it is my experience that it is better to hire someone with the skills and mentality that fit the role than to focus on certifications and existing experience. With that, I must challenge my existing cyber workforce and let individuals develop to the next level in their careers. This approach opens the door for new talent to come in. As a trusted advisor, this issue is outside the scope of what we cover. That said, I can always assist and advise in identifying our customers’ cyber workforce.
Overall, SafeBreach is a big proponent of diversity and inclusion. We support grassroots efforts to develop a more diverse, equitable, and inclusive workforce. Having Federal support will give these efforts an important boost.
Theme 5: Collaborate to Build Better-Together Cybersecurity
This final theme or pillar is unique to a nation-state. That said, certain initiatives can be taken to help bolster the state of our overall cybersecurity. With this in mind, I will discuss these initiatives from a single point of view.
Initiative 5.1: Build partnerships to address threats.
In this initiative, the Biden Administration addresses the need to build coalitions with like-minded countries to help counter cybersecurity threats. The idea is that these coalitions will help in both prevention of threats and enhanced enforcement of cybersecurity measures around the globe.
I see partnerships with like-minded organizations as very powerful. To the extent possible, I work to be involved in multiple CISO communities to discuss common challenges, common approaches, and potential solutions. This allows me to learn when I don’t know, assist and guide where I can, and facilitate partnerships where possible.
Initiative 5.2: Enhance our partner ecosystem.
With this initiative, the Administration recognizes that different partners have different capabilities and cybersecurity capacities. For that, the Administration is working to help its international partners build and develop their respective capabilities.
I am constantly looking for opportunities to partner with others in our ecosystems. Keep in mind that we exist in multiple ecosystems. For example, SafeBreach is a technology company. It is a security vendor. It is a cloud-first company and a software-as-a-service (SaaS) provider. It also has an advanced threat research group. With that, we look to actively participate in each of these ecosystems and provide our insights and assistance where possible. We also work to encourage innovation by being design partners for startups with a novel approach to the challenges we face in our cybersecurity program. This partnership is typically a win-win relationship, allowing us to address the challenge and help shape a future product toward our needs. It helps startup design partners build their product based on a real gap and challenge. If successful, we also help startups connect with peer CISOs that face similar challenges.
Initiative 5.3: Expand our ability to assist customers and partners.
In this initiative, the Biden Administration seeks to enhance its assistance to international partners. It recognizes that providing such assistance ultimately helps the US as well. Reading between the lines, providing such assistance can often run into financial and procedural barriers. This initiative looks to find ways around these barriers by framing the assistance as vital for the national interests of the US.
This problem is unique to large and bureaucratic organizations. I am a big proponent of working to assist the greater good. I can think of a very recent example where one of our technology partners discovered a very serious vulnerability in their products. SafeBreach worked with the partner to develop content that will allow our customers to quickly determine if they were exposed to this issue. We then realized that some customers could only partially simulate these attacks in large networks, primarily because of license limitations. To assist our customers, we temporarily suspended license restrictions so that they could validate their infrastructure’s resiliency to this issue.
Generally speaking, when SafeBreach Labs identifies a previously undisclosed vulnerability, we work closely with the impacted vendor to remediate it rather than announce it online. As CISO, I am always on the lookout for more opportunities to promote this type of assistance, and I am glad the Administration is heading in the same direction.
Initiative 5.4: Build collaboration and promote pragmatic cybersecurity coalitions.
In this initiative, the Administration seeks to promote coalitions to advance the peacetime norms around responsible cybersecurity behaviors.
One of the roles I enjoy the most at SafeBreach is providing thought leadership. Because of this, I appreciate this initiative. I give many presentations to technical audiences that address pragmatic approaches to cybersecurity. Rather than be SafeBreach-centric, I work to promote pragmatic approaches to various topics and challenges in cybersecurity.
Initiative 5.5: Build a trusted and secure supply chain.
With this final initiative of Biden’s cybersecurity strategy, the Administration recognizes the complexity of the global supply chain of information, communication, and technology products and services. It also recognizes the risk of depending on untrusted suppliers as part of this supply chain. The Administration aims to work and collaborate with trusted, like-minded partners in building a trusted global supply chain. It also looks to enhance long-term strategic public and private sector collaboration to support this effort further.
This macro initiative can still apply at the micro and local levels. I urge all CISOs and cybersecurity professionals to collaborate and build trusted partnerships and networks with each other. These trusted ‘supply chains’ will do more to advance the state of cybersecurity than any single strategic initiative.
Implementation
This last section of the National Cybersecurity Strategy discusses general guidelines for implementing the strategy. I like to think of the strategy as the “what” we want to do and the implementation as the “how” we will do it. Trying to fit both into one document would be nearly impossible, especially considering how wide-ranging all 27 strategic initiatives are across the five different themes, where each initiative can encompass multiple projects. It is also important to understand that different individual projects for each strategic initiative may need to change to accommodate changes in the strategic environment. The strategy itself should stay the same.
With this in mind, this section provides three important guidelines for putting the strategy into action. None of these guidelines is unique to the government. Nor are these guidelines specific to cybersecurity.
Measuring Effectiveness
The first guideline states that these efforts should all be data-driven and that progress is measured. It also states that “management” then reviews the progress to enable follow-up actions to adjust the initiatives as needed. The Administration says it will require key performance indicators (KPIs).
Learning from Experience
The next guideline is just as important as the previous one. As the Administration implements this strategy, it will prioritize “lessons learned” and apply them to ongoing efforts. While the document does dive into a specific example around the Log4j vulnerability, the larger guideline is simple—learn from your successes and failures.
Investing in the Program
The third and final guideline may be obvious to some, but it should still be stated. Implementing this strategy will require investment. This investment can come through funding, resources, or time. Without such investment, this strategy document is just another document.
Parting Thoughts
For the most part, I found the National Cybersecurity Strategy to be well-written and thorough. Evaluating each initiative from four different points of view shows that this policy has the potential to make a tangible impact on the way public and private organizations operate within the current cybersecurity environment and work together to create a more ideal environment for the future. But, as is true for all strategies, the devil will be in the implementation and the details.
Thinking about initiatives that may have been missed or passed over, there are a couple of areas I wish had been addressed at a deeper level, including:
- Misinformation and censorship
- Support and protections for vulnerable or non-technical populations
- Universal information privacy
To my CISO peers who still need to build their own company’s cybersecurity strategy, I do recommend that you consider this blog series as a bit of a template. Remember that you don’t need to have a one-to-one match to the set of themes and objectives. For SafeBreach, our cybersecurity strategy is comprised of three pillars and has only three strategic objectives for each pillar. I realized that my strategic environment, desired end-state, and ability to implement this strategy differ from the US Government’s, so I wanted a slightly narrower strategy. In the same way, it’s important for you to tailor your strategy to fit the environment and capabilities of your organization in order to ensure it is realistic and executable.