At a glance.
- Tech giants slow to implement secure-by-default features.
- NSA/CyberCom chief nominee appears before US Senate.
- White House publishes National Cybersecurity Strategy implementation plan.
- Implementing the US National Cybersecurity Strategy.
Tech giants slow to implement secure-by-default features.
In April the US Cybersecurity and Infrastructure Security Agency (CISA) issued guidance urging technology companies to build secure-by-default features into their devices and software, but the Messenger reports that many large vendors are dragging their feet on implementation. For instance, Amazon Web Services, IBM, and Oracle still do not enable multi-factor authentication (MFA) by default on administrator accounts. Microsoft has required MFA for new accounts since 2019, but does not require it for accounts created before then. Despite CISA’s guidance that administrators should have free access to activity logs, Amazon Web Services, Microsoft, and Google still charge for certain log data. Mark Montgomery, executive director of the Cyberspace Solarium Commission, stated, “We're exceptionally vulnerable. These companies should be held accountable. But they're not.” Asked about the delay, a CISA spokesperson said, “We do expect to see changes in the very near term, particularly in some of those areas that require less engineering investment and less architectural change.” To encourage the process, the agency plans to publish updated guidance this summer with commentary from industry partners. But so far tech firms have been reluctant to address security gaps in their products, and Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative, suggests why: “Anything that would cost them any money unless there's a hard requirement for it isn't something they're likely to do unless they see a clear [business] case for it.”
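The practical consequence of MFA being offered but not enforced is that the customer has to audit for it. The following is an added example, not code from the Messenger's report or from any vendor: it parses an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) and lists principals that can sign in to the console without an MFA device, plus users holding long-lived access keys, which console MFA does not cover. The report content, account ID and user names are constructed for the example; the policy statement at the end is the standard "deny everything except MFA setup when no MFA claim is present" pattern, which turns an optional control into an enforced one.

```python
import base64
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report
# (what `aws iam get-credential-report` returns, base64-encoded). The account
# ID and user names are invented for this example.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2023-07-10T08:15:00+00:00,not_supported,not_supported,false,false,false
alice-admin,arn:aws:iam::111122223333:user/alice-admin,2020-05-12T09:30:00+00:00,true,2023-07-12T14:02:00+00:00,2023-01-05T11:00:00+00:00,2023-04-05T11:00:00+00:00,true,true,false
bob-admin,arn:aws:iam::111122223333:user/bob-admin,2021-11-20T16:45:00+00:00,true,2023-07-11T07:50:00+00:00,2022-10-01T09:00:00+00:00,2023-01-01T09:00:00+00:00,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-02-02T12:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

ROOT_USER = "<root_account>"


def parse_credential_report(report_csv: str) -> list[dict]:
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def decode_credential_report(b64_content: str) -> list[dict]:
    """Decode the base64 'Content' field that get-credential-report returns."""
    return parse_credential_report(base64.b64decode(b64_content).decode())


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Principals that can sign in to the console (root, or a user with a
    password) but have no MFA device active. Root always has console sign-in,
    even though the report marks its password_enabled as 'not_supported'."""
    flagged = []
    for row in parse_credential_report(report_csv):
        can_sign_in = row["user"] == ROOT_USER or row["password_enabled"] == "true"
        if can_sign_in and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def users_with_active_access_keys(report_csv: str) -> list[str]:
    """Users holding long-lived access keys. Console MFA does not protect
    these: an API call signed with a key carries no MFA context unless an
    IAM policy demands it (see deny_without_mfa_statement)."""
    return [
        row["user"]
        for row in parse_credential_report(report_csv)
        if row["user"] != ROOT_USER
        and "true" in (row["access_key_1_active"], row["access_key_2_active"])
    ]


def deny_without_mfa_statement() -> dict:
    """IAM policy statement that denies every action except MFA enrollment
    when the request carries no MFA claim. Attached to an admin group or
    role, it enforces MFA instead of merely offering it."""
    return {
        "Sid": "DenyAllExceptMfaSetupWithoutMfa",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }


if __name__ == "__main__":
    print("console sign-in without MFA:", console_users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    print("long-lived access keys:", users_with_active_access_keys(SAMPLE_CREDENTIAL_REPORT))
```

Run against a real report, the first list should be empty and the root account should never appear in it; the second list is the set of users for whom the deny statement (or a move to short-lived role credentials) matters.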
NSA/CyberCom chief nominee appears before US Senate.
As we noted yesterday, US President Joe Biden’s nominee to head Cyber Command (CyberCom) and the National Security Agency (NSA), Air Force Lt. Gen. Timothy Haugh, appeared before the Senate Intelligence Committee yesterday to discuss his plans if confirmed. The Record reports that Haugh spoke about Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless collection of the communications of non-US persons located abroad and is set to expire at the end of this year. “In my experience it’s absolutely essential,” Haugh said. “It is extensively used and it is an irreplaceable authority for the intelligence community.” Some officials, however, felt Haugh lacked in-depth knowledge of the measure and instead deferred to the views of current leadership. Haugh was also asked about concerns that CyberCom and the NSA might seek backdoors to bypass encryption in devices and software. He stated that encryption is “critical to defend our national security systems and our weapon systems. If confirmed, we will not weaken encryption for Americans.” He also spoke about US support for Ukraine’s defense against Russian cyber operations, and he expressed his commitment to tightening security at the NSA to prevent leaks of classified information. Asked about the benefits of the dual-hat nature of his prospective position, he said it allows for collaborative action: “In my experience, there is really good alignment between the law and what has been produced by the Congress by our national policy and by the authorities that have been given to U.S. Cyber Command and the National Security Agency.” Haugh is scheduled to appear before the Senate Armed Services Committee later this month.
White House publishes National Cybersecurity Strategy implementation plan.
Four months after releasing the US National Cybersecurity Strategy, the White House today issued its implementation plan, which assigns responsibility for particular cyber initiatives to specific government agencies. A fact sheet accompanying the document states, “This plan details more than 65 high-impact Federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy.” The initiatives follow the two overriding shifts the strategy calls for: ensuring that the largest and most capable entities bear the greatest burden of cyber risk mitigation, and incentivizing long-term investment in cybersecurity. Most of the initiatives are to be completed in fiscal year 2024; eleven are scheduled for completion by the end of FY23, and the remainder in FY25 and FY26. Cybersecurity Dive notes that each initiative is assigned a single responsible agency, with eighteen agencies leading at least one, in support of a whole-of-government approach to implementation. Kemba Walden, acting national cyber director, told the press, “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there.”
Implementing the US National Cybersecurity Strategy.
Drew Bagley, VP, Counsel, Privacy and Cyber Policy at CrowdStrike, wrote to express general approval of the plan. “We welcome today’s release of the Implementation Plan for the National Cybersecurity Strategy and the clear roadmap it provides for the cybersecurity community. While some initiatives described in the strategy have already been completed, we now understand the Federal Government’s ‘order of operations’ through FY2026. This is especially important because many items in the Strategy include multiple dependencies," Bagley said. He finds the plan's priorities sound. "While the Implementation Plan covers a lot of ground, it’s clear that the authors applied significant focus on the broad application of Secure-by-Design/Secure-by-Default principles. The Plan dedicates meaningful attention to critical infrastructure cybersecurity generally, and clarifies the roles of Sector Risk Management Agencies and related structures specifically. Federal cybersecurity is also an important theme, and the plan places important responsibilities in the hands of the Office of Management and Budget, highlighting the opportunity to utilize budgetary levers to increase performance." The plan also has organizational implications for the Federal Government. "Finally, the release of the Implementation Plan is an important milestone for the Office of the National Cybersecurity Director itself. In addition to providing a coherent depiction of a complex set of related cybersecurity efforts, ONCD will also lead certain key initiatives. These include driving regulatory harmonization, running exercise scenarios, establishing cells to increase adversary disruption efforts, and other strategic initiatives. Government and industry have critical roles to play in enhancing America’s cybersecurity posture, and we look forward to continuing our engagement with stakeholders as the Strategy is implemented.”
Bruce Byrd, Palo Alto Networks’ EVP and General Counsel, draws attention to some of the plan's highlights. “The National Cybersecurity Strategy’s implementation plan highlights the benefits of implementing zero trust principles, employing automation and machine learning, and building the cyber workforce of the future. We look forward to continued partnership with the Administration to secure our critical digital infrastructure.”
Ron Fabela, CTO of ICS/OT cybersecurity firm XONA Systems, walked through the implications of the plan's pillars as described during the launch event:
"The National Cybersecurity Strategy Implementation Plan is a detailed and milestone-driven follow-up to the National Strategy released earlier this year. Pillar 1 outlines the goals for defending critical infrastructure, with the implementation plan detailing action items that fall into common themes: regulatory harmonization, public-private partnerships, and finalization/codification of key plans and review boards. Overall the plan assigns 69 initiatives to 18 different agencies to action the executive branch's strategy. Reading the plan this morning and listening to ONCD Acting Director Kemba Walden's remarks at the ITI-hosted press conference, there is a clear flow to the Pillar 1 implementation vision.
"First actions include harmonizing requirements with the eventual release of a NIST Cybersecurity Framework 2.0 that would underpin future regulation. The implementation plan for defending critical infrastructure specifically uses 'requirements' while also stating 'use existing authorities to set necessary cybersecurity requirements in critical sectors'. The challenge for the implementation plan is that critical sectors, or what CISA defines as 'Sector Risk Management Agencies', may have federal agency oversight but are composed of private industry, with few sectors forced to meet cyber regulations. As an example, while some of the nation's electric grid is regulated by NERC, most of this critical sector is privately owned, from large investor-owned utilities to your local cooperative, and has no overall regulation for secure operations. This challenge is repeated across all 16 SRMAs, with this implementation plan looking to set the foundation for new regulation while bolstering 'public-private' partnerships.
"Acting Director Walden closed her remarks this morning with 'Please use this document, we wrote it to guide federal government actions, but we published it for you', emphasizing the goal of collaboration. While collaboration efforts have increased in the past decade for critical infrastructure sectors, this implementation plan lays out the roadmap for how standards become requirements and then regulation. It shows a path for how information sharing becomes federal reporting. The National Cybersecurity Strategy and its implementation plan make it clear to private critical sectors: regulation is coming, get involved now."
Chris Gray, AVP of Deepwatch, offered a quick set of bullets commenting on the plan:
- "Stated 'aggressive' activities. We've known these are happening, but the strategy lays out a formal approach for intentional work toward the disabling/breakup/pursuit/prevention of malicious actors (including ransomware).
- "Discussion of 'safe harbor' for companies that follow secure software development. This implies that there may be an increase in litigation against companies that DON'T practice such secure processes.
- "Open discussions toward the potential for a Federal cyber insurance backstop.
- "Language referencing the 'enforcement' of minimum cyber standards (aligned to formal frameworks) by various agencies. There have been a lot of 'recommendations' so far. This sounds like they are intentionally setting the stage to remove the voluntary nature of adherence.
- "Similar to #4, there is language regarding holding irresponsible states accountable for failing to uphold commitments.
- "SBOM and SCRM initiatives throughout. This is a level of transparency that has been discussed for some time. It's good to see that they are pushing the initiatives forward to better understand vulnerable points and previously undiscovered content.
- "Times and dates. Good to see that we've got formal dates and assigned responsibilities. These are requirements that can't be ignored easily. Some of the dates are far enough forward that I fear we will end up with standards that are already 2 years outdated, but....beggars/choosers."
Bill Bernard, AVP of Deepwatch, added his own bulletized reactions to those of his colleague:
- "None of these are 'easy' things to do - they're all going to take effort, public/private cooperation, and resources.
- "'Eighteen agencies are leading...' - this is a direct indicator of one of the biggest problems with making this all work - so many cooks in the kitchen.
- "SBOM is going to be especially difficult - software vendors are not just going to be creating an 'ingredient list' like they're preparing a recipe, they're going to likely have to significantly change how they build software. This is an industry change, not an accounting process.
- "Pillar 5 - Forging International Partnerships to Pursue Shared Goals is a huge goal for me. The Internet is borderless, but law enforcement is restricted between borders. Reducing the places in the world where bad actors are protected from the legal ramifications of their actions is one of the most important things we can do - to my mind - to limit the impact of major cybercrime groups."
Amy Baker, Security Education Evangelist at Security Journey, sees promise in the plan. "There are a number of promising takeaways from the implementation plan for the White House Cyber Strategy, particularly given the significant software security focus. It’s great to see not only initiatives directed at leveraging SBOMs to mitigate risk and shift liability for insecure products, but also dedicated plans for improving IoT security. This is a crucial step given that in the healthcare industry, for example, the safety of connected devices continues to cause serious concerns – around 53% of IoT devices in hospitals have known critical vulnerabilities – and could even pose a threat to life," Baker said. "Yet the plan does miss a key component: training. How can developers deliver more secure software, use SBOMs and ensure the safety of IoT devices without being empowered by knowledge of secure coding? When secure coding isn’t prioritized by higher education or industry, developers aren’t an active part of the solution for reducing vulnerabilities. Without prioritizing education for developers and everyone that supports them across the software development lifecycle, application security may not be achievable and implementing these initiatives will simply not be effective."
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, strongly approved of the plan. "Where do I start? This is a landmark good! There are so many great pearls of wise strategy that I hardly know where to start. It is easily the best piece of cybersecurity guidance to come out of the federal government. CISA and Jen Easterly's fingerprints are all over this document and she knows better than anyone else what it is going to take to pull off federal-scale cybersecurity solutions. I'm in love with all the agility they are putting into the plan, putting a priority on speed. I'm in love with the idea of proactively taking away cybercriminal safe havens. I'm in love with the idea of an annual assessment and taking the lessons learned to update the next plan."
Avishai Avivi, CISO at SafeBreach, also approves of the plan as an important step forward. "With the release of the National Cybersecurity Strategy Implementation Plan, the Biden-Harris Administration took a critical step most organizations fail to take after creating a strategy. The Administration created a crucial mapping of each of the strategic objectives it established earlier in the year (for more, please refer to: https://www.safebreach.com/resources/blog/unpacking-the-national-cybersecurity-strategy-part-1/) to an implementation plan. Each objective contains one to five specific initiatives. These initiatives are described at a high level, along with the agency that owns the initiative, the different agencies that will contribute, and a specific timeline for the initiative to be completed. Most of the initiatives are set to complete by the end of 2024 and the beginning of 2025, with only two initiatives set out to complete in 2026. As a lifelong leader, I am truly impressed with the level of detail and specificity that The Administration set forth in this document. It provides quite a bit more clarity as to how it intends to convert strategy into action. In the next week, I will do a deep dive to unpack this plan along the same lines I unpacked The Administration’s cybersecurity strategy."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, in particular liked the National Cyber Incident Response Plan. "A few parts of this plan stick out to me for going further than previous efforts to shore up national cybersecurity. The first is a National Cyber Incident Response Plan. This will allow the government and its partners to respond in unison against a threat, rather than each organization going it alone. This will improve transparency and awareness of the threat landscape and hopefully prevent multiple orgs from falling victim to the same attack. Increasing transparency by promoting software bills of materials. A bill of materials is like a recipe listing all the ingredients used to create software. Most software contains a mix of open-source and proprietary third-party components. If any of those ingredients are compromised, all of the developers who incorporate them into their software can be alerted and take action. This will help prevent widespread software supply chain attacks like Solarwinds in 2020. NIST has been tasked with standardizing a quantum-resistant public key cryptography algorithm. This will be an important part of future-proofing our encryption standards."
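Bischoff's "recipe" description, and Bernard's point earlier in the roundup that producing an SBOM changes how software is built, both come down to one operation: given a list of ingredients, find the ones a new advisory affects, including ingredients pulled in transitively. The following is an added example, not code from any of the commentators or from the plan: it walks a CycloneDX-style SBOM (nested "components" are how CycloneDX records transitive dependencies) and matches each package URL against an advisory feed. The SBOM, package names and advisory identifiers are all constructed for the example; none refers to a real package or vulnerability, and the version comparison handles only numeric dotted versions.

```python
import json

# Constructed CycloneDX 1.4-style SBOM for a fictitious application. Package
# names, versions and the nesting are invented for this example; a nested
# "components" list records a component's own (transitive) dependencies.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "acme-portal", "version": "2.0.0"}},
    "components": [
        {
            "type": "library", "name": "acme-templater", "version": "1.4.2",
            "purl": "pkg:npm/acme-templater@1.4.2",
            "components": [
                {"type": "library", "name": "acme-escape", "version": "0.2.0",
                 "purl": "pkg:npm/acme-escape@0.2.0"},
            ],
        },
        {"type": "library", "name": "acme-yamlkit", "version": "0.9.0",
         "purl": "pkg:pypi/acme-yamlkit@0.9.0"},
        {"type": "library", "name": "acme-logger", "version": "2.3.1",
         "purl": "pkg:maven/com.acme/acme-logger@2.3.1?type=jar"},
    ],
})

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# Each entry names the package by its purl without version and the first
# fixed version; anything below fixed_in is affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_prefix": "pkg:npm/acme-templater", "fixed_in": "1.4.3"},
    {"id": "EXAMPLE-ADV-0002", "purl_prefix": "pkg:pypi/acme-yamlkit", "fixed_in": "0.9.0"},
    {"id": "EXAMPLE-ADV-0003", "purl_prefix": "pkg:npm/acme-escape", "fixed_in": "0.3.0"},
]


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type/namespace/name, version), dropping qualifiers and subpath."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    prefix, _, version = purl.rpartition("@")
    return prefix, version


def version_key(version: str) -> tuple[int, ...]:
    """Order numeric dotted versions (1.4.2 -> (1, 4, 2)); a non-numeric part
    counts as 0. Production tooling must use the ecosystem's own ordering."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def walk_components(components: list[dict]):
    """Yield every component depth-first, nested (transitive) ones included."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(sbom_json: str, advisories: list[dict]) -> list[tuple[str, str]]:
    """Return sorted (purl, advisory id) pairs for every component, transitive
    ones included, whose version is below an advisory's fixed_in."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match on; a real pipeline should flag these
        prefix, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_prefix"] == prefix and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((purl, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for purl, adv_id in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {purl}")
```

The transitive hit (acme-escape, which the application never declared directly) is the case the SBOM exists for: without the nested inventory, a consumer could not know it was exposed. Components that carry no purl are skipped here, which is exactly the gap Bernard describes, since an SBOM is only as useful as the identifiers the build actually records.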
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, offered a dissenting note of caution. "One of the three biggest lies is 'I'm from the government, and I'm here to help.' So I am admittedly suspicious of any regulations or agreements any government puts into place. Relying on the government or big tech to protect users' privacy or to protect against cyber attack is a fool's errand. It appears that the initiative may require software and operating system vendors to automatically update their software and OS with little to no effort on the user's part. While this would help protect against future cyberattacks, it could also cause trouble for corporate IT departments. As a former IT worker, I know that the companies I have worked for first run any patches or updates on test machines to ensure that the updates do not break other software or cause issues with hardware. If automatic updates and patches are a part of the future, users should have the opportunity to delay such updates so that they may be tested."
John Hernandez, President & GM, Quest Software, sees the document as particularly valuable in helping manage transitions. “The White House’s new national cybersecurity strategy implementation plan helps fill a crucial gap in guidance and education regarding protecting cloud and hybrid environments, especially as organizations like federal agencies, hospitals and schools move away from legacy infrastructure. The federal government has been boosting cloud-first initiatives since 2016 and made a push on zero trust in recent years, but they’ve taken even greater strides in promoting cyber protection by investing in updating the National Cyber Incident Response Plan, working with other agencies to fully implement cyber incident reporting requirements through CIRCIA, and prioritizing holding IaaS providers and software makers to secure-by-design standards. However, while the strategy can take away much of the burden of setting cybersecurity standards and helping organizations with limited resources, private-sector leaders still need to hold themselves accountable and create a proactive, long-term resilience strategy. My recommendation is for enterprises with legacy infrastructure to invest in resilience from the inside-out, from both a technology and culture perspective, and ensure everyone has a stake in adapting to the latest ups and downs in the security ecosystem.”
ForgeRock CEO Fran Rosch, sees the plan as evidence of a shift away from the voluntary and advisory. “Until now, the U.S. government has viewed cybersecurity as voluntary. Today’s plan demonstrates that it has shifted to viewing these cybersecurity policies as mandatory because attackers continue to have the upper hand when it comes to cybercrime and fraud. The entire world has become even more digital - including our critical infrastructure. Our nation’s most relied upon resources are all connected and, if hacked, the consequences are catastrophic to our economy and way of life. I believe that Federal oversight will help improve the baseline for our country as a whole. It isn’t uncommon for the government to enforce new regulations to ensure public safety and national security. Software shouldn’t be any different. While this plan is a great place to start, ultimately it will require the industry and companies within the private sector to take responsibility for the consequences of cyberattacks. Implementing new solutions like passwordless authentication are going to be important to improving security and reducing fraud. We’ve already seen companies like Google, Apple and Microsoft band together under the FIDO Alliance to reduce the world’s dependence on passwords, and ForgeRock is part of that mission.”
And Ron Nixon, Federal CTO at Cohesity, offered this reaction. “I’m glad to see the White House prioritizing the standardization of best practices for cyber resiliency and creating a foundation for trust between different government agencies and the private sector. Implementing a strong foundation for information exchange between these different groups (such as CISA’s effort to improve information exchange platforms) will make it easier for organizations with fewer resources to understand, prioritize and respond to threats. Initiatives like the one CISA is taking to provide resources, training and threat scanning to high-risk ransomware targets, like hospitals and schools, are a great thing to see. However, the balance between accountability for security best practices and not over-regulating remains tricky. I’d like to see more clarity around how different agencies will lay down industry-specific guidance, as groups like hospitals, banks and SaaS startups will all have different assets, talent and capabilities. My hope is that once the National Security Council clarifies this, and private-sector organizations are clear on best practices and nuances for their specific industry, they can then bring their entire organization up to par, holding their leadership - from cyber, to IT, risk, legal and HR - accountable for fulfilling their end of the bargain.”
(Added, 3:45 PM ET, July 13th, 2023. Ilona Cohen Chief Legal and Policy Officer at HackerOne, offered a positive review of the implementation plan. "HackerOne congratulates the Biden-Harris Administration for the release of the National Cybersecurity Strategy’s Implementation Plan. This comprehensive plan demonstrates an ongoing commitment to bolstering cybersecurity measures and strengthening digital defenses. I’m thrilled to see that, in line with the Strategy, the Implementation Plan includes a focus on Coordinated Vulnerability Disclosure (CVD). As detailed in the Implementation Plan, Cybersecurity and Infrastructure Security Agency (CISA) will be the responsible agency working to build domestic and international support for CVD across all technology and sectors, including through the creation of an international vulnerability coordinator community of practice. The prioritization of CVD as a national and global cybersecurity initiative reflects the importance of identifying and mitigating vulnerabilities effectively, ultimately enhancing the overall security posture of critical infrastructure, government systems, and the private sector. To embrace the best practice of CVD, I recommend organizations adopt vulnerability disclosure programs to remain proactive in their security as the Administration moves forward with their strategy. HackerOne looks forward to working with The White House, CISA, and our international partners on implementing this initiative to raise global awareness and promote the widespread adoption of CVDs."
Jeannie Warner, Director of Product Marketing at Exabeam, wrote to offer a positive appraisal, and a sense of the obstacles those following the implementation plan will have to overcome. “The Biden-Harris Administration's new policy implementation is the latest step toward ensuring transparency and a continuous path of coordination. It's encouraging to see such a high-level commitment to relevant challenges in the sector, particularly addressing threat actors through the strategy's Joint Ransomware Task Force to tackle the epidemic of ransomware and other cybercrime. Organizations continue to have a diluted perspective on ransomware. There is enough out there on what it is, how it works, and a massive push to "stop" it, but we never solved the foundational problems that make it possible: ransomware is a combination of insufficiently hardened systems and a missed intrusion. The attacks are only possible because of a weakness in an environment that begins with or later involves compromised credentials. If you unsuccessfully manage your environment hardening and cannot effectively monitor intrusions, you will eventually fall victim to ransomware. Many agencies and organizations have not yet invested in the credential-protecting and monitoring software that could slow or stop attacks. Without patching these core vulnerabilities and setting up monitoring properly, it’s very hard to break the cycle of compromise.
- "Organizations lack budgets and don’t focus on credential behavior detection/protection software
- "Ransomware software is becoming easy to use – there are literally videos showing a would-be threat actor what to do
- "Ransomware “detects itself,” so the reported numbers will only increase.
"This implementation will undoubtedly set the tone for other firms to follow suit and improve their cybersecurity posture. The actual implementation emphasizes the federal government's commitment to make networks more resilient, which must trickle down to the private sector, making cybersecurity a requirement rather than a nice to have.”
Robert DuPree, Manager of Government Affairs at Telos, also offered some insight into difficulties implementation may encounter. A few of these are financial:
“This roadmap to implement the Cybersecurity Strategy continues to point in the right direction, but there are some financial potholes.
"For instance, the implementation plan calls for “development of a multi-year lifecycle plan” to eliminate insecure legacy systems in government through accelerated technology modernization. However, since it was approved in 2017, the Technology Modernization Fund (TMF) has never received sufficient funding, either in budgets proposed by the White House or approved by the Congress. The government spends roughly $90 billion each year on IT, much of that on maintaining legacy systems. Yet, the proposed budget for FY 2024 only requested $200 million for the TMF, and the House appropriations bill doesn’t even provide that – it completely zeroes out new funding for the TMF. It’s impossible to accelerate technology modernization with so little funding and especially if no new funding is provided, so the Administration is going to need to find a new way forward in its multi-year plan.
"The plan also ignores the price of effectively dealing with ransomware. It calls on CISA to offer resources – training, pre-attack planning, incident response and more – to help ransomware targets like state and local governments and critical infrastructure organizations. Yet the House is proposing to keep CISA’s funding level flat, without even an increase for inflation. Something will have to give to provide — in any meaningful way — the resources called for in the implementation plan and needed to really assist these organizations.”)
(Added, 4:00 PM ET, July 13th, 2023. VMware Principal Cybersecurity Strategist Rick McElroy, likes the plan, but would like some clarification of what a cloud software bill of materials might consist of. “The current NCSIP shows this administration’s commitment to cybersecurity, building on executive orders and funds dedicated to transforming and modernizing the federal government’s cybersecurity posture - which is long overdue. It’s great to see building skilled cyber defenders as part of the Plan. All of the technology in the world cannot address these issues without an adequately trained force of cyber defenders to achieve these goals. Pillar three, which is focused on digital supply chain risk and driving up resilience during the software design phase, is also encouraging. One consideration for this, however, is a Software Bill of Materials for Cloud software. What is a Cloud SBOM? What does that look like? Conversely, how can SBOMs be applied to practical cybersecurity defense to take advantage of that data to cut down noise? The current working group being led by CISA is working to address this, but it remains a gap in SBOM discussions. SaaSBOM is a must in a cloud-first world.”
Sabeen Malik VP of Global Government Affairs and Public Policy at Rapid7, hopes that implementation will live up to its promise with respect to public-private cooperation. "The National Cybersecurity Strategy Implementation Plan is a great step for both the government and the private sector to find ways to continue partnering together to help the President execute on his vision for cyber. The plan does a good job of identifying areas in which the private sector can continue to help, including ransomware, vulnerability disclosures, and risk management strategies. Rapid7 will continue to engage with the agencies tasked with moving these initiatives forward, playing a role as a thought leader and convener.")
(Added, 4:30 PM ET, July 13th, 2023. Gary Barlet, Federal Field Chief Technology Officer at Illumio, thinks government agencies will benefit from the implementation guidance. “The National Cybersecurity Strategy Implementation Plan (NCSIP) gives much-needed guidance for agencies on improving cyber resilience. It assigns timebound goals and initiatives to each agency – giving them direction on how to reach the strategy’s clear objectives. These goals and initiatives also display a sense of urgency, which is important, as the pace of technology makes it impossible to imagine the impact it will have on security in three, five, or ten years. It focuses on building cyber resilience now as well as down the road." Barlet added, "This plan reflects the urgency of today’s cyber threats, and also demonstrates an understanding of the resource and fiscal challenges agencies face in overcoming these dangers. While the NCSIP doesn’t include direct funding, it does align with the administration’s cyber budget priorities to better position agencies to achieve their objectives and combat cyberattacks. If agencies can align their budgetary responsibilities and resources with these initiatives, then they will be well equipped to bolster their cyber resilience today and tomorrow.”
Nick Schneider, CEO of Arctic Wolf, pointed out the ways in which the forward-looking aspects of the strategy and its implementation will benefit from public-private cooperation. “Securing the digital future requires alignment of the public and private sector, as we contend with a rapidly evolving threat landscape dominated by ruthless threat actors, state-sponsored cyber criminals, and the advancement of AI for both good and evil. Today’s released National Cybersecurity Strategy Pillars outline what the private sector has been ringing alarm bells on for years, and lay the groundwork for unprecedented opportunity for the cybersecurity industry to lead the way to an era of business resilience for all American companies." He also pointed out that ransomware remains the biggest threat to businesses. "Despite the persistent threat of geopolitical state-sponsored cyber activities, ransomware is arguably the greatest threat facing American businesses, financially and reputationally. After a lull last year, ransomware attacks are on the rise again, and the disruption and dismantling of the nefarious actors targeting American businesses should absolutely be a priority this year. It’s time for the cybersecurity industry to step up and put the customer first; organizations are struggling, despite their investment in a multitude of niche point solutions. An effective defense against today’s cyber threats requires a unified approach to tackle these critical areas of investment, and it’s encouraging to see continued alignment between private sector goals and those of the public sector. No business should be left behind in today’s cyber war due to their size or scale, and it’s on the private sector to bridge the gap for businesses that may not have the talent or resources to advance these initiatives.”)
(Added, 5:30 PM, July 13th, 2023. Tom Kellermann, Senior Vice President of Cyber Strategy at Contrast Security, who served on the Commission on Cybersecurity during the Obama administration, thinks the implementation plans suggest that claims of ignorance will no longer wash with respect to security lapses. “Plausible deniability is dead. Liability regimes will now be expended. You can no longer just say you’re a victim when you’ve been negligent with cybersecurity in the private sector. Cybersecurity sectors will modernize in parallel,” he wrote. “The U.S. government will invest more robustly in cybersecurity. U.S. government is demanding that agencies utilize existing authorities to regulate cybersecurity within critical infrastructure. I’m most enthusiastic about the functional shift in agencies who now have the authority to go on the offensive and disrupt and dismantle cybercrime cartels and spies around the world forcing the once untouchable adversaries to play defense. To be clear, there has never been a holistic proactive national cybersecurity strategy ever enacted. But in the same vein, the cyber insurgency and guerrilla war in American cyberspace has reached a tipping point.”
Colin Little, Security Engineer with Centripetal, approved of the plan, and hopes it will represent a step toward catching up with the criminals. “I applaud the Biden-Harris administration for putting cybersecurity and the awareness for cybersecurity at the forefront. As an industry, we are failing to keep up with the cybercriminals. By 2025, cybercrime will cost the world $10.5 trillion annually, and every day we read about a cyber incident that has major implications to enterprises, consumers and communities around the globe. The recent cybersecurity strategy that has been outlined by the administration is a good first step but it’s missing some core details. Cyber threat intelligence needs to be at the center for all enterprises because we know that 95% of all breaches had available threat intelligence and therefore could have been prevented." Little went on to suggest ways in which organizations might use threat intelligence to increase their security. "Organizations need to explore what their threat intelligence feeds do for them and what they protect from. The fundamentals of working with intelligence of any kind is to gather the intelligence from multiple sources. Some feeds only focus on malware or phishing attacks. It’s imperative that companies implement more than one threat provider to protect themselves from emerging cyber threats. Education and awareness around this is a great first step, but what’s more important is putting this into action and implementation.”)
(Added, 7:30 PM ET, July 13th, 2023. Ani Chaudhuri, CEO of Dasera, called the implementation plan a “bold and essential step.” Chaudhuri said, “The NCSIP correctly places considerable emphasis on collaborative efforts between the public and private sectors. Such a partnership is absolutely necessary considering the crucial role that private corporations play in running vital components of our nation's infrastructure, as well as housing a large share of our sensitive data.” But this praise is qualified. “However, I would like to challenge the primary emphasis on the responsibilities of the ‘biggest, most capable, and best-positioned entities.’ While these entities undoubtedly have a role to play, it's crucial to remember that cybersecurity is not merely the domain of the large and powerful. Small and medium enterprises (SMEs), which constitute the vast majority of businesses and are often part of the supply chains of larger corporations, must also be equipped with the tools and knowledge to defend against cyber threats. The plan also recognizes the importance of incentivizing long-term investments into cybersecurity. I wholeheartedly agree with this approach. Cybersecurity is not a one-time investment but an ongoing process that requires continuous updating, monitoring, and proactive measures. Long-term planning and investment will be more effective than reactive measures taken after an incident has already occurred. Another crucial aspect of the plan I strongly agree with is the importance of training a skilled cyber workforce. Cybersecurity is not a static field. The nature of threats we face is continuously evolving, requiring us to constantly upgrade our knowledge and skills. Hence, it's not just about creating more cybersecurity jobs, but about ensuring that those in these roles are equipped with the most up-to-date skills and knowledge. However, despite the ambitious plan laid out, execution will be key. The question now is whether these policies will be implemented in a way that effectively reduces cyber risk. As a cybersecurity professional, I look forward to seeing these initiatives take shape and am hopeful about the impact they could have on our nation's cyber defenses.”)