Despite some complaints about the White House’s new tack, industry leaders say most recognize the need for better defenses
BY:
Antonio Greco
Cyber/Data Science Analyst
PROJECT COUNSEL MEDIA
8 March 2023 (Washington, DC) – Companies may feel the sting of new expenses under the White House’s new cybersecurity strategy. But many tech executives agree the new requirements are necessary to reduce the pain of cyber attack. Rob Carey, the president of Cloudera’s government solutions and DOD’s former principal deputy chief information officer, summed it up.
“This investment comes out of companies’ profit. So they would do what was necessary, but maybe not sufficient. And so, this I think, closes the gap between necessary and sufficient levels of cyber defense and what is expected.
The White House’s cybersecurity strategy presses companies to upgrade hardware and software and hire experts to implement better network defenses so that the U.S. can raise the cyber defense posture of the entire country, not just the government agencies.
There is a cost to doing this, but the cost of preparation and sort of defense is far less than cleaning up a cyber spill, right, or a cyber attack. This becomes the must-fund stuff and the organizations that have been attacked, and then paid for their recovery themselves, they’re the ones that are the evangelists for this kind of activity.”
But to many, complaints about money are standard amid significant regulatory change and will likely wane. Eventually, the cries of cost will fade and become simply the “cost of doing business.” It’s crystal clear that the federal government is using every lever it has to enforce mandatory cybersecurity minimums.
Those levers include the White House’s new strategy; its 2021 executive order; the Pentagon’s Cybersecurity Maturity Model Certification, or CMMC, program; and the pending U.S. Securities and Exchange Commission rule for publicly traded companies.
So the only thing left after the long-awaited strategy is enforcement. As strategies go, it’s pretty aggressive and it’s good. But implementation is the weak point: we have seen many strategies in the past that were not executed very well. And one of the things that is important is to measure how well we’re doing. So what are you going to use for measurement?
The problem is that private industry tends to measure cybersecurity in the number of breaches or ransomware attacks, but by then it’s years too late. If you’re looking at breaches, it’s going to take you another couple of years to understand whether it’s working or not. And so we need metrics that sit closer to the work itself. People building the software should be able to share the metrics of what they are doing while they’re building the software.
And so we see the strategy is moving away from a compliance-driven approach to a resilience-based model by incentivizing software companies toward a more secure development process.
DOD will release its own cyber document and will likely echo the national strategy, which aims to shift the burden of cybersecurity away from individuals and small companies to larger entities and the federal government. And by focusing on being resilient rather than compliant, there’s more room for growth.
It’s a familiar story. You expect to get hit; you expect that your adversaries, whether they’re criminals or nation-state actors, or script kiddies or whomever, have gotten access to your environment. And then your goal is to make sure that when that happens, it doesn’t absolutely crush you as an organization. Many companies deal with a lot of data that is sensitive, but not necessarily classified. And there have been some highly visible situations like Sea Dragon that underscore the problem: large amounts of unclassified data about a sensitive weapons system were breached by nation-state actors.
For the Pentagon’s upcoming cybersecurity strategy, one expects there to be more of an emphasis on achieving zero trust, something the department has been working on in recent years with the creation of a dedicated strategy and office. My guess would be that you will see more of an emphasis on the roadmap to zero trust, not as a rush to compliance, but as a progression of how we become more able to secure our most critical data and our mission-critical data. Compliance is important, it’s critical, it’s still going to be a need, it’s still going to be a requirement. But we have to collectively do better if we are going to protect our national interests, and those of our coalition partners.
I spoke to Steve King, one of the best-known mavens in the cybersecurity ecosystem, who just published “Losing the Cybersecurity War and What We Can Do to Stop It,” which will be the definitive text on how a Zero Trust approach can change the cyber battlefield, and he noted this about the Federal government’s moves:
“I think we had a log jam and now the Federal government has gotten fully on board by advocating for Zero Trust in this series of cyber-related executive orders, Pentagon strategies, etc. They have now become serious wards of IT and InfoSec, and see a better approach to cyber-defense, away from the marketing hype machine that has not only misrepresented Zero Trust but mangled it so badly, you wouldn’t recognize it if it were sitting in your own driveway.
One of our goals at CyberEd.io is improved education and communication. We believe the best way to break this log jam is to communicate clearly and often about Zero Trust, what it is and what it is not, and to conduct fireside chats with our founding members and interested third parties, where the case for Zero Trust can build itself.
And let me be clear: the goal of Zero Trust is not to get to the point where we can say we have stopped 100% of all threats. The goal instead is to shrink the attack surface, reduce our excessive trust landscape, and improve identity management with rigorous, always-on monitoring and continuous insistence that our visitors can prove who they are and why they need access, thus elevating our confidence levels in whom we allow and/or disallow access, segment our critical assets away from the larger network, and make the bad guys’ job much more difficult.
We believe that by doing so, we can seriously impact the quantity and depth of breaches, thwart ransomware and phishing attacks, and provide a much-needed respite from the assault.”