Read part 1 of this National Cyber Strategy expert commentary series here.
This week, the White House released its National Cyber Strategy, outlining how the Biden administration intends to safeguard the US from growing online threats. The Administration focused largely on shifting responsibility for cybersecurity away from individuals and small businesses and onto large technology organizations. Experts from across the industry weighed in on what the strategy means for security teams at organizations that hold critical data across the private and public sectors.

Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space:
"The recently announced National Cybersecurity Strategy is a leap in the right direction for creating a more cyber-secure future. This strategy better aligns national and commercial efforts to meet cybersecurity threats, while establishing a path for investing in the technologies and diverse workforce needed to enable security," said Jon Check, executive director of cyber protection solutions for Raytheon. "Our way of life is increasingly intertwined with online digital commerce, entertainment, and communication. Federal and industry partnership is essential to securing our digital experience from state and non-state actors that would use these technologies for disruptive purposes."

Fran Rosch, CEO, ForgeRock:

"Until now, the U.S. government has viewed cybersecurity as voluntary. Today's strategy demonstrates that it has shifted to viewing these cybersecurity policies as mandatory because attackers continue to have the upper hand when it comes to cybercrime and fraud. The entire world has become even more digital - including our critical infrastructure. Our nation's most relied upon resources are all connected and, if hacked, the consequences are catastrophic to our economy and way of life. I believe that Federal oversight will help improve the baseline for our country as a whole. It isn't uncommon for the government to enforce new regulations to ensure public safety and national security. Software shouldn't be any different. While this new cybersecurity strategy is a great place to start, ultimately it will require the industry and companies within the private sector to take responsibility for the consequences of cyberattacks. Implementing new solutions like passwordless authentication is going to be important to improving security and reducing fraud. We've already seen companies like Google, Apple and Microsoft band together under the FIDO Alliance to reduce the world's dependence on passwords, and ForgeRock is part of that mission."
Aaron Sandeen, CEO and co-founder, Cyber Security Works:
"Today, the Biden-Harris Administration released the National Cybersecurity Strategy in an effort to ensure that every American can benefit fully from a safe and secure digital ecosystem. The announcement states that our rapidly evolving world demands a more intentional, more coordinated, and a well-resourced approach to cyber defense. Therefore, one way that organizations can do that is by continuously improving their security posture.
Having a strong security posture is crucial because any open exposure that can be exploited provides adversaries greater chances to take advantage of vulnerabilities for malevolent purposes. In fact, 64 distinct vulnerabilities with publicly available exploits were discovered in all states in 2022.
Leaders must increase their cybersecurity visibility of known and unknowable assets, validate more regularly, and search for early warning capabilities as global cybersecurity concerns rise if they are to truly protect their organizations from future intrusions and vulnerabilities."

Duncan Greatwood, CEO, Xage Security:

"The National Cybersecurity Strategy released today is broad and high-level, but nonetheless embodies and foreshadows a number of major advancements. The first pillar, focused on defending critical infrastructure, is closely aligned with the cybersecurity performance goals recently released by the Cybersecurity and Infrastructure Security Agency (CISA). The Biden administration's strategy will enable CISA to turn these requirements into enforceable regulations, spurring real cybersecurity improvements. Equally important, new innovations in cybersecurity are making it practical for critical infrastructure operators to comply with the upcoming requirements without requiring 'rip and replace' of existing equipment and networks - so operators can overlay new cyber protection in a timely fashion. Another aspect of this first pillar focuses on defending and modernizing federal networks and updating the federal incident response policy. Federal agencies are embracing zero trust with defense-in-depth to ensure there are preventative cyber measures in place to ensure the continuity of key systems and critical infrastructure. One of the other key pillars focuses on shaping market forces to drive security and resilience. More granularly, it doubles down on ensuring that federal grant programs promote investments in new infrastructure that are secure and resilient. This is an unprecedented action and a great opportunity for mission-critical sectors to prioritize building cyber resilient infrastructure. These federal grant programs will help modernize existing infrastructure that's currently vulnerable to attacks.
Helping critical infrastructure agencies turn directives into effective actions is a responsibility shared by operators, the government and the cyber industry. Cybersecurity companies will need to create practical tools that enable preventative infrastructure cybersecurity."

Tim Chase, Global Field CISO, Lacework:

"This policy reinforces what software companies should have been doing all along – investing and executing on secure development practices. As the creators of their offerings, they are responsible for the repercussions that can place the government, businesses, consumers and more at risk to adversary actions. While it's frustrating that we need to rely on the government to validate this effort, it's clearly needed and now outlined as a basic (and expected!) standard. While all will benefit from this new strategy, it will require software companies to reprioritize and strategize in order to implement the contents of this policy. Secure development practices start at the code level and require implementing Infrastructure as Security (IaC) and scanning applications source code. Both are paramount to reduce risk of security incidents in production and decrease time and effort of security remediation. We no longer need to wait for a product to reach the market before learning of a vulnerability or explicit security threat. Today, we can address in real time, at the source, saving businesses money and end-users from unnecessary repercussions."
Jason Rebholz, CISO of Corvus Insurance:

"It's encouraging to see the Government step in to support businesses in combating cyber security threats. For too long, businesses and individuals have been forced to defend against a well-funded, well-trained, and well-motivated adversary. This is the right next step in keeping American citizens and businesses safe in the escalating cyber war. What matters now is taking ideas from policy and implementing them. Cyber security has a history of being long in policy but short on execution. The White House has taken a decisive stance on ransomware in strongly discouraging the payment of ransoms. The reality is that in the current environment ransomware is too profitable and too easy for hackers. Increasing barriers to profit can be an effective strategy in combating ransomware. The creation of a National Cyber Workforce and Education Strategy comes at a time when it is needed most. There is untapped potential in the American workforce who are ready and willing to learn the skills necessary to protect the networks of America's businesses."

Richard Bird, CSO, Traceable:
"The recent announcement by the White House concerning a shift in our nation's cybersecurity strategy has left me concerned about where the responsibility of managing data truly falls. I fear that organizations will consider themselves more vulnerable than the US citizens who have trusted those same companies with their data and personal information. Where consumers are the most vulnerable, accountability lies with corporations. In theory, the White House's suggestions are a step in the right direction, but we need to be mindful of how we can continue to make our digital ecosystem secure so this works in practice, as well."

Rob Juncker, CTO, Code42:

"The Biden Administration's new cybersecurity strategy emphasizes the necessary shift in the way organizations view cybersecurity, risk assessment and threat mitigation. It also places a long overdue level of responsibility on technology leaders and developers to prioritize secure development practices for software products and services. Today's professional operations function largely in widely dispersed digital ecosystems and require an organized and strategic approach to protecting organizations' sensitive data and IP. As we have seen, especially over the past year, security threats and data exposure events have impacted critical industries and some of the world's largest organizations. This national cybersecurity strategy is a positive step forward in building a cyber-aware society; however, it isn't the catch-all for cyber preparedness. Security leaders need to focus on internally creating a security-aware culture that establishes data ownership policies while empowering employees through consistent and ongoing education to do their part to protect the company and its data. With a focus on education and measured responses to cyber events, a trusted partnership can form between CISOs, their security teams, and the rest of the organization, keeping company data safe from both malicious and accidental breaches."
Jacob Berry, Field CISO, Clumio:

"We are excited to see further investment from the US federal government in Cybersecurity initiatives. With the publication of the new National Cybersecurity Strategy, several of the federal initiatives stand out as likely to drive change in the cybersecurity industry. The new strategy delivers five strategic pillars and within these pillars, there are three areas that drew our attention. The strategy outlined an initiative to increase the burden on technology companies to provide secure software and services. This is likely to lead to legislation that will create new penalties, or increase penalties, for businesses that do not follow security best practices aligned to NIST standards. This means investment and auditing will need to increase across all domains. Clumio will continue to increase our investments in new technology to ensure partners can deliver secure operating environments that meet and go beyond the NIST requirements. Second, the federal government plans to "Shape Market Forces." This will come not only in the form of regulation but in grants and monetary investment in cybersecurity research. For us who preach the need for continued investment in this sector, we are excited to see commitment towards private and public partnerships. Finally, we may see federal legislation around privacy and data governance introduced in the future. With many states implementing their own privacy legislation, this may bring a welcome change to a more centralized strategy to US data privacy law."
Brian Shealey, VP of Public Sector, Immuta:

"While this Cybersecurity Strategy addresses many pain points for our nation and its people, I see it as version 1.0. The main points are favorable, but what stands out is the allocation of resources to our Intelligence Community to help in ideological battles with China and Russia. Further, this strategy is not just about technology: it's about having the ability to leverage technology for potential positive future outcomes, but also ensuring that technology is used responsibly and ethically. Part of this investment must be in funding early-phase STEM education programs to equip our future workforce with the skills and experience necessary to carry the cybersecurity flag into the next generation.
We need to ensure that “secure by design” is a paramount priority in all aspects of our digital lives, from the applications and systems being built by companies or government agencies, to the laws and policies protecting the privacy of U.S. citizens. Investing in a resilient future is critical, especially with quantum technology just over the horizon. Market forces can be influenced by policy/law (driving fear), but also through incentives (driving intent) – it’s encouraging to see that both are outlined in this strategy.
This new framework requires additional improvements to meet the growing complexities of the cyber world which, with our increasing reliance on digital technology, is a marathon, not a sprint. We'll need funding earmarked in our budgets to support strategic shifts and will have to find ways to drive the adoption of these objectives effectively and efficiently. Additionally, we'll need to ensure that future administrations continue to drive this initiative forward."

Amit Shaked, CEO and co-founder, Laminar:
“The 2023 National Cybersecurity Strategy acknowledges the benefits of cloud-based services, such as operational resilience for critical infrastructure and enabling scalable, more affordable cybersecurity practices – while acknowledging there are gaps in cloud security at the federal level. It also notes that a key part of the Office of Management and Budget (OMB) zero trust architecture strategy is gaining visibility into Federal Civilian Executive Branch (FCEB) agencies’ attack surfaces and adopting cloud security tools.
We applaud this, as visibility into and understanding the full breadth of their cloud infrastructure, and the data that resides within it, is one of those major gaps many government agencies face when making the cloud transition. In the height of the pandemic when other organizations were undertaking similar initiatives, one in two businesses experienced a breach due to unknown or ‘shadow’ data, lack of visibility into the network and overall disconnection between developers and IT and security teams.
We encourage all enterprises – including the federal government – to use agile data security tools that allow for automated continuous monitoring of data assets, especially after the shift to the cloud is complete. Having total observability will enable them to automate cloud data discovery and data security policy enforcement, control data exposure and enable data-centric environment segmentation. It's simply not good enough to secure cloud infrastructure – the data must be protected as well."

Aaron Kiemele, CISO, Jamf:
"The idea of taking NIST standards and suggesting companies out of compliance are negligent and liable for privacy breaches is interesting. The devil will be in the details, but a GDPR-like liability regime tied to a real, pragmatic set of baseline control expectations will be a welcome change.
Liability for flaws exposed in software is more dangerous. That will be a fine line to draw. All software is vulnerable in some way to future exploitation. If a new issue arises and causes widespread impact, that doesn't mean that the software vendor was negligent. You can do everything right and still be impacted by a security incident. That being said, there are plenty of old vulnerabilities that remain unpatched for years, as well as companies that are truly not prioritizing security and privacy. How to take the outcome (often a poor indicator of the underlying security capabilities of the company) and drive reform without this becoming a punitive punishment for a security environment that cannot reasonably be predicted is going to be tricky.
It seems some of this is an effort to align our practices with Europe so we can trade there without restriction. Currently our regulatory infrastructure is considered too weak to support unfettered data transport to the US, which means companies need to put their own controls in place to confirm their compliance with EU privacy laws.
The most interesting piece for me continues to be that this sounds like a good faith effort to impose appropriate liability on software companies who are not currently doing the right thing to protect their data and their customers. We talk a lot about the cost of breaches but unless you get into the news cycle, the cost of a breach can be relatively small. Certainly for non-critical failures the risk to the business can be negligible. It will be nice to be held to account more fully knowing that we will be rewarded for our good practices while others in the industry will be required to do the bare minimum to secure the digital ecosystem."