Saturday, March 4, 2023

4 Key Takeaways From The Recent Biden Cyber Initiative

Remember back a couple of years ago, when Joe Biden became President, he signed an Executive Order (EO) for Cybersecurity?  I wrote a couple of articles on that for clients, but honestly, I have not heard too much about it after that.  There have been commentaries about whether anything has come out of it or not, but I have not kept up.  But given that it is the Federal Government, it could take a very long time before any concrete results are seen.

But just very recently, the Biden Administration came out with a new directive which has been called the “National Cybersecurity Strategy”.  The main objective is to take the burden away from individuals like us, and to add more incentives so that all parties involved will be held responsible.

Here are some of the key takeaways of this new initiative (and maybe legislation???):

1) A balance of accountability:

Here is this part in Biden’s own words:  “[The strategy] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users . . . by working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable.”  Simply put, the Biden Administration feels that as a society, too much of the blame for security breaches happening in the first place has been put on individuals and small businesses.  Now, he wants all parties involved, from the manufacture of a product to the point of sale, to share equal responsibility.  It is supposed to come down to five separate areas:  Critical Infrastructure, the disruption of Cyberattack groups, having vendors be more responsible for the security features that they put into their products, the processing of data, having better Cyber technologies that are affordable for all, and having much greater international cooperation in terms of hunting down and prosecuting Cyberattackers and their associated groups.  Of these, the Biden Administration feels that Critical Infrastructure and holding vendors to higher degrees of accountability will be the most important to success.  In this regard, he wants CISA and NIST to have a greater say in terms of enforcement with respect to their various frameworks.

2) Having a Secure By Design approach:

With this, the main focus is on the Critical Infrastructure of this country.  This includes things like the national power grid, water supplies, oil and gas lines, the food distribution system, nuclear facilities, etc.  The goal is to introduce a set of requirements and mandates that will make the CISOs of these places upgrade the technology that they have, so that they will be as Cyber proof as possible.  But here is the kicker:  As I have written before, this is all legacy technology.  It was built and deployed in the 1960s and 1970s, when nobody had even heard of Cybersecurity.  One cannot just rip out these old technologies and put new ones in, and at the same time, you simply cannot deploy software upgrades and patches (or even firmware).  All of this stuff has to be interoperable with the legacy systems.  If not, you will have even bigger problems down the road.  IMHO, the key here is to examine all of our Critical Infrastructure, and create frameworks as to what will work best with what we already have.  It’s like our nuclear arsenal.  At the present time, the United States has an aging inventory of Minuteman III missiles.  Are you going to take those out and put new ones in place?  Probably not.

3) Making vendors responsible:

This is probably the best one so far, in this entire initiative.  The aim here is to make vendors of Cyber products more accountable for the stuff they produce and sell.  They now have to be held to much higher standards in terms of manufacture.  They also simply cannot walk away if a security breach actually occurs in one of their products.  In other words, the old days of blaming the consumer for anything and everything should now come to an end.  One of the areas that is going to get very close scrutiny is the Software Development Lifecycle (SDLC) when it comes to the development of web-facing applications and products.  Software developers have long been overlooked in this process, but now, they or their employers will be held to much greater levels of responsibility in case something does go wrong and customers are impacted.  This will all come down to creating what is known as a “Software Bill of Materials” framework.  But keep in mind that this has already been a long haul, even ten years in the making.  There has been legislation introduced on this, but it never moved forward.  The most recent action has taken place with the “Securing Open-Source Software Act of 2022”.  More details about this can be seen at the link below:

https://www.congress.gov/bill/117th-congress/senate-bill/4913

One approach the Biden Administration plans to use is what is known as the “Carrot and Stick”.  The goal here is to offer small incentives and subsidies to the Cyber vendors in order to get them to make more secure products.  Of course, the greater the effort that they put in, the more money they will receive.

4) Greater cooperation:

Also, the Biden Administration wants to have much greater levels of cooperation with law enforcement agencies all over the world in order to bring Cyberattackers to justice.  Right now, the main parties involved here are the FBI and the Secret Service.  While they have done an awesome job in what they have achieved so far, they too have limited resources.  Thus, they need much more cooperation from countries abroad, especially when it comes to the sharing of intelligence.  Maybe other incentives could also be offered to make this part of the Initiative move forward much more quickly.  There also needs to be an emphasis on greater public and private cooperation here in the United States.

My Thoughts On This:

The end result of all this is difficult to tell.  Given the nonpartisan cooperation that exists in Congress today, it will probably be a very long time until any of this comes to fruition, if at all.  But I will give the Biden Administration huge credit for one thing:  They are at least aware of what is happening out there in the Cyber world, and when compared to past Administrations, they are taking a much more proactive approach to securing the United States.  My hat is off to them for at least that much.

The entire National Cybersecurity Strategy can be seen at the link below:

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
