New National Cybersecurity Strategy: resilience, regs, collaboration and pain (for attackers)

In the first cybersecurity framework since 2018, the White House has released to the wild its new National Cybersecurity Strategy, articulating a need for public and private partnerships, international collaboration and going on the offensive against threat actors using diverse attack vectors.

President Biden, in the report’s frontispiece, said the administration will realign incentives for long-term investments in security, resilience and promising new technologies; hold countries accountable for irresponsible behavior in cyberspace; and disrupt the networks of criminals behind dangerous cyberattacks worldwide.

“We will work with Congress to provide the resources and tools necessary to ensure effective cybersecurity practices are implemented across our most critical infrastructure,” he said in the statement.

“We must ensure the Internet remains open, free, global, interoperable, reliable and secure, anchored in universal values that respect human rights and fundamental freedoms.”

The report lays out five key strategic pillars:

  • Defend critical infrastructure.
  • Disrupt and dismantle threat actors.
  • Shape market forces to drive security and resilience.
  • Invest in a resilient future.
  • Forge international partners to pursue shared goals.

Resilience is the new white hat

The strategy statement asserted that the administration championed a collaborative approach across the digital ecosystem as “the foundation upon which we make it more inherently defensible, resilient, and aligned with U.S. values.”

The administration also laid out a set of cyber-specific resilience goals:

  • Secure the technical foundation of the internet: The announcement said steps to mitigate concerns like Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and slow adoption of IPv6 are critical.
  • Reinvigorate federal R&D for cybersecurity: The federal government will, said the Strategy announcement, identify, prioritize and catalyze the research, development and demonstration community to proactively prevent and mitigate cybersecurity risks in current and next-generation technology.
  • Prepare for our post-quantum future: The administration noted that quantum computing has the potential to break some of the most ubiquitous encryption standards.
  • Secure our clean energy future: Bringing online interconnected hardware and software systems that have the potential to strengthen the resiliency, safety and efficiency of the U.S. electric grid.
  • Support development of a digital ID ecosystem: The administration noted that there is a lack of secure, privacy-preserving, consent-based digital identity solutions.
  • Develop a national strategy to strengthen our cyber workforce.


Gene Fay, chief executive officer of ThreatX, said the last point is especially pertinent, given the ongoing conundrum of too few security experts.

“Amidst the ongoing cybersecurity skills gap, cyber leaders must stop looking for ‘unicorn’ candidates who are in short supply and demand exorbitant salaries,” he said.

“Instead, leaders need to shift their recruiting practices to include different backgrounds, skill sets, education levels, genders, and ethnicities, and be willing to invest in training.”


Desperately seeking regulatory baseline for infrastructure

Noting that collaboration to address threats will only work if owners and operators of critical infrastructure have cybersecurity protections in place, the administration said it is advancing on its newly established requirements in key infrastructure sectors.

“Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience,” said the announcement, which maintained that security regulations will be hashed out via collaboration between industry and government, resulting in requirements that are operationally and commercially viable.

Experts: Without collaboration, regulations could hurt more than help

Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said unilateral regulations would shackle advances.

“Most industries, apart from software, are already comprehensively regulated in most of the developed countries,” he said.

“You cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that.”

He maintained that overregulation and bureaucracy would be counterproductive.

“The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation. Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good.”

But, he said, intensive and open collaboration of independent experts coming from industry, academia and specialized organizations would help by producing balanced regulations amenable to both industry and government.

The strategy statement said regulations should be performance-based, leveraging existing cybersecurity frameworks, voluntary consensus standards and guidance involving the Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology.

Sean Tufts, operational technology/IoT practice director at security firm Optiv, said that public infrastructure in the public sphere (electric utilities and oil/chemical companies, for example) has binding cyber regulations.

“This is helpful but isolated to these industries,” he said, noting that CISA defines 16 total industries as critical, but the majority have no defined OT cyber regulations.

“Our food and beverage production, transportation systems, manufacturing firms and many others need formal guidance and regulation in the same vein,” he said, lauding federal involvement to encourage investment in people, process and technology for all critical industries.


Bringing the pain to threat actors

The best-known exploits of recent years include the attack against the SolarWinds Orion platform by Russian-aligned attackers and China’s Microsoft Exchange exploit. Besides these, there have been too many ransomware and data exposure hacks to count, though one number might be around 2.29 billion records exposed in 2022, representing 257 terabytes of data, according to a report by security firm SonicWall.

The announcement on the new cyber strategy said it will “use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests” via diplomatic, information, monetary, financial, intelligence and law enforcement means.

The Strategy’s objectives include, per the announcement, integrating federal disruption activities, enhancing public-private operational collaboration to disrupt adversaries, increasing the speed and scale of intelligence sharing and victim notification, preventing abuse of U.S.-based infrastructure, and countering cybercrime and ransomware.

Aakash Shah, CTO and co-founder at Chicago-based oak9, said investing more in public-private partnerships is definitely the way to go.

“Attribution is a very hard problem in cyberspace but there are lots of examples like the Trickbot hacking group where a combination of the public and private organizations were able to put together the intelligence necessary to identify the actors and lead to sanctions against 7 individuals,” he noted.

“In this example, CrowdStrike’s researchers along with independent researchers were tracking this group for some time. The U.S. Cyber Command was able to coordinate an attack on this group to identify the key individuals and dismantle it,” he said.

Integrating federal disruption activities

The key to disrupting global cybersecurity exploits, according to the announcement, is sustained and targeted offense, so that “criminal cyber activity is rendered unprofitable and foreign movement actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals.”

As part of that, the U.S. Department of Defense will develop an updated departmental cyber strategy clarifying how U.S. Cyber Command and other DoD components will integrate cyberspace operations into their defensive efforts, according to the announcement.

Shah said federal agencies cannot keep up with the volume of threats that impact the private and public sectors.

“Today a number of federal agencies have independent efforts to address cybercrime-related cyber threats. What the strategy is doing is investing further in NCIJTF, the National Cyber Investigative Joint Task Force, to coordinate these disruption activities more effectively along with investments in further public-private partnerships,” he said.

China will continue to be a threat for data theft

Adam Meyers, head of intelligence at CrowdStrike, said the administration and companies must be particularly aware of state actor data theft from China. He noted that while much of last year’s media and defensive focus, particularly in Europe, was on Russian state actors, and while Americans this year are focused on spy balloons, the real crisis is data exfiltration.

“China since the mid-2000s has been eviscerating corporate America, and that is just continuing. Last year we saw Chinese threat activity in every business vertical, collecting data on a massive scale,” he said, adding that the goal is not compromising U.S. business, services, and infrastructure but stealing massive amounts of intellectual property.

“They are using espionage to win building projects and create dependency, which they translate to influence. So exposing what they are doing and how they are operating is critical,” he said.

Other key strategic objectives for defending against attacks include:

  • Enhancing public-private operational collaboration to disrupt adversaries.
  • Increasing speed and scale of intel sharing and victim notification.
  • Preventing abuse of U.S.-based infrastructure.
  • Countering cybercrime and defeating ransomware.

Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, welcomed the strategic platform.

“It’s clear that the cyber threat landscape has evolved significantly over recent years with adversaries proving more sophisticated, relentless and brazen. But, so too, has the policy environment in the United States, with new players, new authorities, and new types of missions.”

He said the strategy’s emphasis on being proactive in disrupting threat actors is especially important, adding, “Continued stakeholder collaboration with successful initiatives like CISA’s Joint Cyber Defense Collaborative, and mitigating risk as a shared responsibility, is timely and important.” He also lauded the program’s emphasis on centralizing cybersecurity shared services and adopting cloud security tools.

“Notably, the strategy recognizes the significant risk to privacy posed by cyber threats and the importance of using federal privacy legislation as a vehicle to achieve stronger data protection outcomes.”
