Remember back a couple of years ago, when Joe Biden became President, he signed an Executive Order (EO) for Cybersecurity? I wrote a couple of articles on that for clients, but honestly, I have not heard too much about it after that. There have been commentaries about whether anything has come out of it or not, but I have not kept up. But given the fact that it is the Federal Government, it could take a very long time before any concrete results are seen.
But just very recently, the Biden Administration came out with a new directive which has been called the “National Cybersecurity Strategy”. The main objective is to take the burden away from individuals like us, and add more incentives so that all parties involved will be held responsible.
Here are some of the key takeaways of this new initiative (and maybe legislation???):
1) A balance of accountability:
Here is this part in Biden’s own words: “[The strategy] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users . . . by working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable.” Simply put, the Biden Administration feels that as a society, too much of the blame for security breaches happening in the first place has been put on individuals and small businesses. Now, he wants all parties involved, from the manufacturer of a product to the point of sale of it, to carry an equal share of the responsibility.
It is supposed to come down to five separate areas: Critical Infrastructure, the disruption of Cyberattack groups, having the vendors be more responsible for the security features that they put into their products, the processing of data, having better Cyber technologies that are affordable for all, and having much greater international cooperation in terms of hunting down and prosecuting Cyberattackers and their associated groups. Of these, the Biden Administration feels that Critical Infrastructure and holding the vendors to higher degrees of accountability will be the most important to success. In this regard, he wants CISA and NIST to have a greater say in terms of enforcement with respect to their various frameworks.
2) Having a Secure By Design approach:
With this, the main focus is on the Critical Infrastructure of this country. This includes things like the national power grid, water supplies, oil and gas lines, the food distribution system, nuclear facilities, etc. The goal is to introduce a set of requirements and mandates that will make the CISOs of these places upgrade the technology that they have, so that they will be as Cyber proof as possible. But here is the kicker: As I have written before, this is all legacy technology. It was built and deployed in the 1960s and 1970s, when nobody had even heard of Cybersecurity. One cannot just rip out these old technologies and put new ones in, and at the same time, you simply cannot deploy software upgrades and patches (and even firmware) to them. All of this stuff has to be interoperable with the legacy systems. If not, you will have even bigger problems down the road.
IMHO, the key here is to examine all of our Critical Infrastructure, and create frameworks as to what will work best with what we already have. It’s like our nuclear arsenal. At the present time, the United States has an aging inventory of Minuteman III missiles. Are you going to take those out and put new ones in place? Probably not.
3) Making vendors responsible:
This is probably the best one so far in this entire initiative. The aim here is to make vendors of Cyber products more accountable for the stuff they produce and sell. They now have to be held to much higher standards in terms of manufacture. They also simply cannot walk away if a security breach actually occurs in one of their products. In other words, the old days of blaming the consumer for anything and everything should now come to an end. One of the areas that is going to get very close scrutiny is the Software Development Lifecycle (SDLC) when it comes to the development of web interfacing applications and products. Software developers have long been overlooked in this process, but now, they or their employers will be held to much greater levels of responsibility in case something does go wrong and customers are impacted. This will all come down to creating what is known as a “Software Bill of Materials” framework. But keep in mind that this has already been a long haul, even ten years in the making. There has been legislation introduced on this, but it never moved forward. The most recent action has taken place with the “Securing Open-Source Software Act of 2022”. More details about this can be seen at the link below:
https://www.congress.gov/bill/117th-congress/senate-bill/4913
One approach the Biden Administration plans to use is what is known as the “Carrot and Stick”. The goal here is to offer small incentives and subsidies to the Cyber vendors in order to get them to make more secure products. Of course, the greater the effort that they put in, the more money they will receive.
4) Greater cooperation:
Also, the Biden Administration wants to have much greater levels of cooperation with law enforcement agencies all over the world in order to bring Cyberattackers to justice. Right now, the main parties involved here are the FBI and the Secret Service. While they have done an awesome job in what they have achieved so far, they too have limited resources. Thus, they need much more cooperation from countries abroad, especially when it comes to the sharing of intelligence. Maybe other incentives could also be offered to make this part of the Initiative move forward much more quickly. There also needs to be an emphasis on greater public and private cooperation here in the United States.
My Thoughts On This:
The end result of all this is too difficult to tell. Given the level of nonpartisan cooperation that exists in Congress today, it will probably be a very long time until any of this comes to fruition, if at all. But I will give the Biden Administration huge credit for one thing: They are at least aware of what is happening out there in the Cyber world, and when compared to past Administrations, they are taking a much more proactive approach to securing the United States. My hat is off to them for at least that much.
The entire National Cybersecurity Strategy can be seen at the link below:
https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf