For President Biden’s national cybersecurity strategy to work, we have to agree that it’s impossible to eliminate all cybersecurity incidents. By accepting this premise, it’s the first step in creating an effective national strategy – one that’s focused on building cyber resilience. It’s a matter of maximizing security while simultaneously taking steps to minimize the consequences of the inevitable failure in security.
Building systemic resilience is a “whole-of-nation” issue. It includes that we have a secure critical infrastructure to shaping international standards and countering cybercrime. It’s a daunting challenge, but it helps to define the important aspects of the problem and break them into discrete chunks for action.
President Joe Biden and his team have made cybersecurity a cornerstone of the administration’s efforts. The new national cybersecurity strategy released yesterday includes a focus on transferring much of the responsibility for mitigating cyber risk away from end users such as individuals, small business, and small critical infrastructure operators such as local utilities.
These groups are typically under-resourced and short on cyber expertise compared to organizations in the technology ecosystem such as technology manufacturers and service providers, which are better able to mitigate cyber risk systematically. That’s because of their expertise and resources and the use of practices like ensuring products and services are secure by design and configured to be secure by default.
The federal government as change agent
The U.S. government has levers of change it can use to drive change and shape outcomes. One typically thinks of the carrots and sticks of Executive Branch regulation and congressional legislation. However, the government has other tools at its disposal that are sometimes overlooked.
For instance, zero-trust wasn’t a new concept in 2021 – in fact, before it was labeled “zero-trust,” it reflected a principle called “need to know” and technical practices of access control and information segmentation that were largely pioneered in government during the Cold War. The private sector, especially large technology firms operating globally, developed technologies and practices to allow them to protect information without resorting to the government solution of “air-gapped” networks isolated from the internet. The issuance of EO 14028 in 2021 precipitated a convergence between thought leadership by government and commercial capabilities. With the federal government committed to moving towards zero-trust virtually across the board, many in the private sector began to look seriously at the concept and to leverage the frameworks and implementation roadmaps the government created for its own use.
Something similar occurred with the NIST Cybersecurity Framework (CSF), originally created in 2014 to shape cybersecurity practices within the federal government. Soon, private-sector companies began to use the framework as well. Most cybersecurity professionals today are familiar with its “identify, detect, protect, respond, recover” paradigm.
Moving forward, we’ll need a U.S. public-private sector partnership to shape international standards. The October 2022 National Security Strategy, which frames the broader context for the cyber strategy, describes a world marked by competing international visions of the internet and IT’s role. Whether the internet remains a single worldwide platform or fractures into distinct regional or national enclaves – and whether government or the private sector define how IT gets used – is directly affected by technical standards. Many standards bodies are open to private sector participants as well as governments, yet relatively few U.S. companies participate—to our collective detriment.
How to influence the supply chain
While we’re a half century or more beyond the Cold War and Space Race era when federal funding broadly drove innovation in IT, the federal government remains a large market, and the private sector will develop products to meet this market demand. Many companies that sell to the federal government don’t want to incur the expense of developing and maintaining separate product lines for federal government and other customers. Well-resourced customers often want to adopt “government grade" security solutions. In areas ranging from zero-trust to supply chain integrity, where the government has decided to only use software that complies with a software “bill of materials” (analogous to an ingredient label), government-focused initiatives are moving the needle for private sector cybersecurity as well.
Information sharing has its role, but context matters. The private sector collectively sees far more information on threat than government does, but often lacks the insight from intelligence or law enforcement activity to link a specific technical indicator to a nation-state actor of concern. Conversely, government may see information on an emerging threat, but lacks insight into how this might affect private sector vulnerabilities and operations.
We need to make information sharing a two-way street with ongoing and systemic collaboration, not just when an urgent, high-profile problem occurs. Entities ranging from the Information Sharing and Analysis Centers (ISACs) in various industries and sectors and the year-old Joint Cyber Defense Collaborative are ways to make information sharing more systemic and focused on building and sustaining systemic resilience.
Everyone has to join in the fight to protect networks, businesses and government agencies. To do this, it’s imperative that the government and private sectors join forces. Systemic resilience isn’t about a specific technical remedy: it’s about a concerted effort on all fronts. Technology manufacturers and service providers must shoulder more responsibility for system security; all parties must work together to develop the cyber workforce needed to address the skills gap. Information sharing and the creation of common standards that enable digital transformation are also crucial. The new national cybersecurity strategy can help define goals and roles for various constituencies, ranging from the federal government to private businesses, and even individual users who just want to keep their smartphones safe.
Jim Richberg, field CISO for public sector, Fortinet.
