At a glance.
- Highlights from the US 2022 National Defense Strategy.
- CISA’s CPGs provide security roadmap for critical infrastructure operators.
- Google supports the Securing Open Source Software Act.
Highlights from the US 2022 National Defense Strategy.
The US Department of Defense yesterday released its 2022 National Defense Strategy (NDS), a plan for maximizing national security with a mind toward progress and promotion of global security. While the focus is on sustaining and bolstering US deterrence, the strategy calls out China as the US’s most important strategic competitor, and notes the importance of collaborating with international allies to respond to Russian aggression. The document emphasizes the fact that the desired modernization of the US’s nuclear command, control, and communications systems will be dependent on the security of the networks that support them and the oversight of “an agile defensive cyber force.”
It also explains that besting rivals like Russia will mean using US cyber capabilities to gain operational, logistical, and information advantages. Applying a holistic approach to joint warfare will require the integration of the space and counterspace domains with the nation’s cyber and electronic warfare capabilities. This synchronization will be intrinsic when it comes to campaigning, one of the three main strategic goals outlined in the accompanying NDS fact sheet. “Campaign initiatives will provide a range of options to oppose select, acute forms of coercion carried out by competitors,” the document reads, noting that campaigning operations in cyberspace will be necessary to weaken competitors’ cyber capabilities and bolster the US’s own cyber defenses in preparation for crisis or conflict.
CISA’s CPGs provide security roadmap for critical infrastructure operators.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued new cybersecurity performance goals (CPGs) to help drive the adoption of key security measures by critical infrastructure operators. “The goals were developed to really represent a minimum baseline of cybersecurity measures that, if implemented, will reduce not only risk to critical infrastructure, but also to national security, economic security and public health and safety,” CISA Director Jen Easterly stated. Claroty notes that while critical infrastructure is key to national security and public safety, many operators are small-to-medium-sized entities with fewer resources, making them perfect targets for threat actors. The CPGs can serve as a quick start guide for entities that might be overwhelmed when taking on the arduous task of securing their systems against attack. As the Federal News Network explains, the CPGs are based on the National Institute of Standards and Technology’s Cybersecurity Framework, as well as feedback from hundreds of public sector organizations and government officials. Nozomi Networks outlines four main categories of investment for shoring up critical infrastructure systems: network visibility, vulnerability management, cyber threat intelligence, and improving situational awareness.
SC Media observes that while many industry leaders applauded the effort, some feel there is still a long way to go. Robert Lee, CEO of threat intelligence firm Dragos, stated that the CPGs allow “asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks." However, Ari Schwartz, executive director of non-profit policy shop the Cybersecurity Coalition, says more work needs to be done. "It is clear that the main thing that stakeholders have been asking for, organization around the NIST Cybersecurity Framework Categories, still needs some work. CISA has told us that their future efforts on the Performance Goals will address this issue and we look forward to working with them to ensure that organizations are most efficiently able to use this product.” Terry Olaes, Director of Sales Engineering, Skybox Security, is among those who had a few cautions to offer on CISA's recently announced Cybersecurity Performance Goals:
“The road to hell is paved with good intentions.” This old adage has many applications and I fear that these Cybersecurity Performance Goals (CPG) may fall into that category. I applaud the aim of the benchmarks and believe their contents are useful. However, my issue lies with the implementation. Since these are merely guidelines (CISA called it a “quick-start guide”), there is no impetus for organizations to enact these goals. Unless there is some mandate like FISMA which will “encourage” action (FedRAMP is a great example), these CPGs will have low adoption.
"Small/Medium Businesses (SMB) typically fill out questionnaires to attest their compliance with industry standards as defined by the governing body (PCI DSS for retail, as an example) and provide supporting documentation as needed. If CISA & NIST want to expand these goals beyond government entities, they should map these goals against industry standard and include them as well so that companies subject to external compliance controls can better optimize their approach (e.g. sending logs to another source can be mapped against CPG, HIPAA, and PCI). Security resources are usually limited at SMB’s so being able to understand which controls address the most requirements relevant to their business can maximize time the spent on compliance activities.
"As for the controls themselves, they’re a decent start and it’s great that there is a planned review/update cycle that occurs at least twice a year. Some of these are quite interesting but my favorite has to be ID.GV-2 which expects the organization to sponsor a pizza party or equivalent off-site social gathering for IT and OT security teams to improve working relationships between the two. It doesn’t address the prevalence of distributed teams and multi-national organizations but how often do you see the government encourage a party? I’m all for it!”
Yotam Perkal, director of vulnerability research for Rezilion, likes the direction CISA is taking, but observes that visibility is a prerequisite for implementing them:
"I think the direction CISA chose to take with the CPG is very good. I hope that having the document written in an approachable language, easy to digest, and focused on the fundamentals, will help with adoption. The main underbelly in terms of cybersecurity risk are not the mature, modern enterprises with huge security budgets and an abundance of security controls. Rather, it is the long tail of organizations, without mature cyber programs or procedures in place. For these organizations, a resource such as the NIST Cybersecurity Framework might be overwhelming. If these organizations adopt and implement the bare-minimum recommendations in the GPG, it could go a long way in terms of improving the overall security posture across the US. I also like the fact that CISA is promoting discussion around the guidelines and soliciting for feedback using the discussion page on GitHub
"I think the recommendations are valid and are reasonably straightforward to implement. That said, in order to implement some of them (such as “mitigating known vulnerabilities” and “no exploitable services on the internet”) there is a preliminary stage that isn’t mentioned in the guidelines which is having visibility into your organization's exploitable attack surface. Assuming that the long tail of less mature organizations have that visibility is a stretch.We have seen evidence to that when we did our Vintage Vulnerabilities research which found over 4.5 million internet-facing devices that are vulnerable to vulnerabilities discovered between 2010 to 2020 that are known to be actively exploited in-the-wild (on the CISA known exploited vulnerabilities catalog). Specifically in the critical infrastructure domain, Security professionals have to be also aware of the capabilities and limitations of their vulnerability scanning tools. As we have shown in our latest research both open-source and commercial scanners and SCA tools are prone to a significant amount of false-positive and false-negative results. For example, when scanning OT assets, a vulnerability scanner without the ability to identify vulnerable components within compiled code will have significant blindspots when it comes to the known vulnerabilities it will be able to identify."
Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, approves of the intention of reviewing these goals regularly to keep them up-to-date:
"It is admirable that CISA’s plan is to update these goals every 6 to 12 months. As technologies evolve, the risks, TTPs and scope will naturally change. This, coupled with the evolution of Industrial Revolution 4.0, will morph the recommendations and outcomes as appropriate.
"However, balancing risk reduction and cost is a common exercise for CISOs, and it starts with visibility into your assets. CPG 3.1 recommends collecting network traffic and communications to and from log-less assets. While visibility is a must, this goal does not reflect the true capabilities of more advanced asset management tools for OT. It’s about getting the most bang for your buck, and I believe that should be one of the first amendments.
"CISA’s plans to draft sector-specific goals with regulatory agencies may become a slippery slope to maintain over time without very intimate involvement with the industry vertical operators. There should be a concerted effort to establish and encourage participation in industry specific ISACs (such as the E-ISAC), as collaboration among vendors will go further in solving the problems within OT security."
Lior Yaari, CEO and co-founder of Grip Security, wrote to approve of the CPG's intentions, but points out that implementation might not be entirely straightforward.
“It’s great that DHS is trying to simplify cybersecurity by providing clear priorities. The problem is it starts with an assumption that is frankly unrealistic. Like many other frameworks, it focuses on strengthening the known attack vectors, which requires a very comprehensive baseline of your current security posture. The recommendation to analyze all unsuccessful login attempts is a great example. In particular with SaaS, most companies don’t even know all the accounts that employees have. Grip often finds that only 20% of the accounts are known by security teams. So, the recommendation doesn’t cover 80% of the problem, which is better than nothing, but far from helping companies become more secure.”
And we also heard from Redacted’s Director of Threat Intelligence Adam Flatley, ("a former NSA hacker"), and he thoroughly approved of the move to establish these goals, and recommends that CISA give some thought to how it might incentivize their adoption:
“These goals are extremely solid and fit very closely with what we recommend to our clients. It's particularly good that they focus mostly, with a few exceptions, on low-cost and high impact solutions that also take complexity of implementation into consideration. None of these best practices are new or surprising, but this set of documents is a great one-stop resource for thinking about security and tracking progress toward improvement. It's also a positive development that these are voluntary goals which will help small and medium sized critical infrastructure organizations to work with their cybersecurity partners to reach their goals. The one thing I'd recommend adding to this framework would be rewards for achieving those goals that could help incentivize more aggressive adoption, such as providing additional funding for organizations that meet certain goals that will help them implement the more complex or costly goals.”
Google supports the Securing Open Source Software Act.
Google issued a statement declaring its support for the US Securing Open Source Software Act, introduced by the US Senate last month. “Open source software — code that is made freely available to the public to use or modify — is the foundation of the modern internet. It’s given us a world that is more innovative and more accessible. Yet the very openness that makes the digital world accessible to everyone, also leaves it uniquely vulnerable to security threats and cyber attacks,” Royal Hansen, Vice President of Engineering for Privacy, Safety, and Security writes. Hansen goes on to note that many important questions about the security of open source software remain unanswered, and that developers cannot carry the burden of finding solutions on their own, noting that Google is committed to helping the open source community create and distribute software securely.