For decades, Washington policymakers have struggled with how to meaningfully address the collective cybersecurity risks that are created by the internet and shared by governments, critical infrastructure, private businesses, and individuals alike. Until recently, many of the efforts to solve these cross-cutting, multi-sector security challenges have relied on a mix of voluntary cooperation, public-private partnerships and occasional financial incentives to more thoroughly incorporate security considerations into business processes.
But a series of high-profile events — from the 2020 SolarWinds incident to the 2021 Colonial Pipeline, Kaseya and JBS ransomware attacks — marked the beginning of what looks to be a new era in cybersecurity policy, one where the federal government increasingly sheds its reluctance to put hard mandates on businesses where voluntary measures fall short.
That approach, largely implemented by the Biden administration on a piecemeal basis across targeted sectors like oil and gas, pipelines and water over the past year and a half, looks set to become official U.S. policy as the White House is expected to roll out its new national cyber strategy this week.
Multiple sources tell SC Media the strategy, developed by the Office of the National Cyber Director, is set to be unveiled as early as this week, with Director Chris Inglis set to step down on the 15th.
One of the major themes of the drafts shared with outsiders, according to Michael Daniel, former White House cyber coordinator under President Barack Obama, will be “starting to look at how we are allocating responsibility for cybersecurity across the ecosystem.”
“Right now [that responsibility is] basically pushed entirely down to the end user,” said Daniel, now president of the non-profit Cyber Threat Alliance. “That’s actually a pretty big deal, to say ‘Wait a minute, the way that the market has been going isn’t getting us where we want to go.’”
SC Media spoke with five former government officials and members of industry who have seen draft versions of the document to learn more about what we can expect as the federal government moves forward to build on one of the most ambitious policy efforts around cybersecurity we’ve ever seen.
Note: nearly all of the sources SC Media spoke with provided the caveat that their thoughts and opinions are based on draft versions they have seen of ONCD’s strategy, and it is possible the final, approved version set for release this week will include changes or reworked language.
A new era of hard mandates
Details on one of the most anticipated sections, focused on boosting regulatory efforts within critical infrastructure, were first reported by the Washington Post in January.
Those reached by SC Media say that while the strategy doesn’t propose much in the way of specific restrictions or mandates, it emphasizes the use of existing federal regulatory authorities, as well as potential legislative options where those authorities are weaker.
Last year Jason Tama, director of resilience and response for the White House National Security Council, told SC Media that the administration was stress testing its infrastructure protection framework to see what kind of cyber regulations are possible with “frankly limited authorities and capabilities that vary by agency.”
“Sometimes that ends up in … different approaches based on the authorities you have to try to put the finger in the dike,” Tama said.
Those efforts could start by expanding existing rules developed for the oil, gas and pipeline industries to other sectors. Those regulations required companies to report suspected cyberattacks to CISA, designate a cybersecurity coordinator to interact with the government, develop cyber incident response and disaster recovery plans, and conduct annual third-party cybersecurity architecture design reviews.
Others told SC Media that voluntary cybersecurity performance goals developed by CISA for critical infrastructure last year, which call for things like multifactor authentication, encryption, restricting access to high-privilege credentials, securing and segregating sensitive data, offer a potential roadmap for some of the common cybersecurity practices that the government would like to be mandatory across different industries. Many of those same practices have already been pushed on federal agencies through executive orders and other mandates.
Technologies that have played central roles in facilitating massive or cross-sectoral exploitation — such as software, managed cloud services and Internet of Things devices — were also mentioned as possible regulatory starting points.
To Matt Hayden, a former advisor to the Cybersecurity and Infrastructure Security Agency, who is familiar with recent drafts of the strategy, the push to move towards hard mandates reflects how the federal government — from the White House to agencies to Congress — has become sharper and more educated around cybersecurity policy over the past decade.
“We now see a government that has invested in getting better at the evaluation of cyber to the point where they’ve gotten to the ‘trust, but verify’ side of the coin,” with regard to industry, said Hayden, now vice president of cyber client engagement at GDIT.
While the strategy is expected to call for legislation that would allow similar efforts outside of those sectors, that is widely viewed as a long shot, as the administration is expected to run headlong into a narrowly Republican-controlled House with little appetite for new government mandates around cybersecurity or anything else.
This week, the U.S. Department of the Treasury announced a new interagency committee to support potential regulatory reforms around cloud services used by the financial services sector.
The announcement was accompanied by a first-of-its-kind report by the department which found that, while third party managed cloud services provide numerous benefits to financial institutions, they also bring a number of challenges around security. Chief among those challenges are a lack of human cyber talent in the financial industry needed to securely tailor and configure cloud services, a lack of visibility and a consolidated cloud service industry that offers few market choices, creating the risk that a breach of a single cloud service provider could have potentially cascading effects across multiple organizations.
Much of the cyber strategy's regulatory focus will be placed on industries and businesses designated as critical infrastructure, since that is where much of the collective digital risk lives and because those are the sectors where U.S. federal regulatory powers are typically strongest. The overarching goal will be to establish a common “floor” of cybersecurity expectations across different industries.
“There’s an idea that … some of these sectors have no expectations by their regulators of meeting a certain level of cybersecurity controls,” said Katherine Gronberg, head of government services at NightDragon.
Bird strikes and missile strikes
Even straightforward and well-meaning regulations around cyber — such as requiring critical infrastructure to report cyberattacks to the government — can become ensnared in byzantine debates over language and the types of attacks or entities that will be covered.
Rulemaking around the incident reporting rules put in place by CISA has been dominated by questions from industry around things like what, exactly, constitutes a "significant cybersecurity event," what kind of data must be reported within the 72-hour window, how many companies the regulations will touch and how far down the supply chain they should go.
As an example, some versions of the draft document have called for a frank discussion around some level of liability for software manufacturers when their insecure products or misconfigurations are used to carry out damaging and far-reaching attacks. While the language seen around that portion was not particularly strong and stopped short of calling for definitive legal changes, its potential inclusion nevertheless reflects how the national discussion has evolved to consider more drastic ways to push companies to build better security into the software they build and sell.
Sounil Yu, chief information security officer at Jupiter One, told SC Media that while he is broadly supportive of the ideas in the draft strategy he has seen, he cautioned the administration to ensure that new regulations or mandates on the private sector recognize the difference between safety issues that companies have broad control over and larger security events where they don’t.
Yu analogized the situation to airplanes: society and the law expect manufacturers to anticipate and design their aircraft around foreseeable and reasonable safety dangers, like a bird flying into the engine. There is no societal or legal expectation that a commercial airplane should be able to withstand a missile launched by China or Russia.
His point: some cyberattacks are bird strikes, predictable and avoidable with the right planning. Others are the digital equivalent of missiles launched by advanced state actors with exponentially more money, resources and artillery than your average or even large business. Further, he believes that the ever-evolving nature of the offensive cyber landscape, as well as the pace of technological development, means that in cybersecurity, the digital missile strikes of today can quickly turn into the bird strikes of tomorrow, or five years from now.
“If the White House wants to impose liability, there also has to be releasable liability when it comes to the discussion between safety and security,” said Yu. “When it’s a safety issue, it’s things that the private sector should be responsible for, but if it’s a security issue, then we should be released from liability.”
While much of the attention and focus from previous reporting has centered on the regulatory section, the strategy also delves into four other “pillars” of action to improve the cybersecurity ecosystem. Sources tell SC Media that these pillars will address a number of shortfalls in the public and private sectors that contribute to our general insecurity.
Those include efforts to better coordinate the disruption of adversary IT infrastructure, build deeper operational collaboration between the government and private companies around cyber threats, shape market forces to build better security and resilience into technology products, invest in long-term research and development for emerging technologies like quantum-proof encryption and AI, and strengthen international partnerships to set global security standards and lock in a Western vision for the global internet.
Part of that effort will include language calling for a concerted push on the global stage by the U.S. government and its allies to make the case for what Daniel calls “a free, open, secure and interoperable internet.” Traditionally, that framework has been largely taken for granted by the West as both the status quo and an inherently superior vision to the heavily restricted and surveilled model put forward by authoritarian governments.
But the embrace of spyware and widespread digital surveillance by countries like India, the world’s largest democracy, increasing restrictions and censorship on the open internet in NATO countries like Turkey, the rise of digitally repressive policies across the African continent and other examples in recent years underscore how these problems extend well beyond the “Big Four” of Russia, China, Iran and North Korea.
“I think it’s become clear that there’s an awful lot of the world that isn’t so necessarily convinced that having a free, open and fair interoperable internet is a great idea,” Daniel said. “I’m not talking about the Irans and Chinas of the world. They’ve already made their choice, but there’s a large chunk of the world that is still connecting to the internet and I think there’s a realization that we actually have to start making that case affirmatively for the kind of internet we want to see in the world.”
The final strategy will also likely emphasize the need to disrupt and degrade command-and-control infrastructure used by hacking groups, particularly cybercriminal groups.
That follows a longer-term evolution at the Department of Justice and FBI in recent years away from “name and shame” indictments for hackers in countries unwilling to arrest or extradite them and toward the creative use of court orders and law enforcement authorities to make it more difficult for hacking groups to operate freely. Major tech providers like Microsoft have also executed court-sanctioned takedowns of adversary infrastructure.
Doubling down on that strategy by improving coordination between U.S. authorities, the private sector and partners abroad could help put ransomware groups and other cybercriminals on the back foot, forcing them to spend time and resources reconstituting their infrastructure that could otherwise be spent targeting victims.
“The administration has tried to put together a strategy that is clearly saying ‘A big piece of this has to be actually imposing costs on the bad guy,’” said Daniel. “We’re not going to be able to arrest our way out of this problem, so we’re going to have to do some different things … we’re going to have to expand the option set.”