Eric Haupt

Sunday Musings National Cyber Security

Happy Sunday Friends!

Welcome back to another Sunday, Friends! I’m glad you’re here. Here is your Sunday Musings, dedicated to exploring and sharing thoughts and insights on productivity, technology, and life. If you find it useful, please feel free to forward this along to friends!

I’m going to talk about the first couple of elements of the NCSS in this musing. I’ll break the musing into a couple of publications to keep the newsletter at around a 6-8 minute read (don’t worry, I’ll put it all together afterwards for you hardliners).


National Cyber Security Strategy 2023

The President’s administration released its National Cybersecurity Strategy this past week. It builds on previous executive orders, law enforcement and international initiatives undertaken by itself and previous administrations to improve cybersecurity and disrupt threat actor activities. Additionally, it has been demonstrably shaped by the major incidents that threatened key public services since the 2018 National Cyber Strategy and in the administration’s first year, embracing the Government’s regulatory and purchasing power to force companies critical to economic and national security to improve their defensive cyber efforts.

To advance towards a more cyber-secure future, the administration believes, those in the best position to secure systems and software (which are neither end-users nor small businesses) must be held accountable for doing so. The private sector must play a significant role in addressing the vulnerability of U.S. technology as a partner with the government. To do so, the government must foster incentives that promote investment in cybersecurity over the long term.

The strategy incorporates and builds on previous efforts, introducing new initiatives with ambitious goals but uncertain implementation concepts. Its premise is that U.S. policy must foster incentives that promote investment in cybersecurity over the long term. This is a fundamental shift in how the U.S. government seeks to allocate roles, responsibilities, and resources in cyberspace, with much expected from the private sector partnership to secure the digital ecosystem.

I will present a (non-exhaustive) summary of the five pillars of the administration’s strategy - defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.


Pillar I: Defend Critical Infrastructure

The United States has been subject to several cybersecurity incidents in recent years, highlighting the vulnerability of critical infrastructure. To address the issue, the new cyber strategy presents a bifurcated approach to defending critical infrastructure: improving collaboration with relevant stakeholders and making its own systems more resilient. The strategy outlines five strategic objectives that are designed to keep critical infrastructure "secure, functioning, and resilient."

The first objective is to establish cybersecurity requirements to support national security and public safety, recognizing that voluntary approaches to cybersecurity have “produced meaningful improvements”, but mandatory requirements are needed to ensure consistency across all 16 sectors. New authorities are required to set minimum cybersecurity standards for certain sectors (such as food and agriculture, government facilities, and critical manufacturing), but existing authorities will set these where possible. The administration has already launched initiatives to strengthen the cybersecurity posture of critical infrastructure sectors.

The second objective focuses on scaling up the public-private collaboration, which has been a constant friction point in the government's approach to cybersecurity. The strategy anticipates that the work between the Cybersecurity and Infrastructure Security Agency (CISA) and sector risk management agencies will continue to develop as the government assesses sector-specific needs and gaps.

It's no surprise that efforts to “harmonize and streamline” the relationship between regulators and regulated entities is a key focus for a strategy reliant on cooperation and collaboration. The same applies to managing and deepening relationships between the government and those software, hardware, and managed service providers with the ability to shape the cyber terrain towards elevated security and resilience.

Objectives three and four focus on improving coordination across federal government agencies and with the private sector, respectively. They lean on Federal Cybersecurity Centers such as CISA’s Joint Cyber Defense Collaborative (cyber defense planning), the National Cyber Investigative Joint Task Force (law enforcement), the Cyber Threat Intelligence Integration Center (intelligence and analysis), and others to assist the Office of the National Cyber Director in identifying gaps in capabilities and in collaboration with the private sector. These are all aimed at the resilience and agility needed to mitigate cyber incidents and share lessons learned.

The fifth objective hopes to modernize federal defenses, particularly by implementing zero trust architecture (ZTA), a security model that assumes threats are already present inside the network and takes a more granular approach to security. It relies on principles like multi-factor authentication, data encryption, and continuous monitoring of network traffic to identify potential security threats, and it scrutinizes every user and device before granting access to any resource. This helps to prevent unauthorized access to sensitive data and reduces the risk of security breaches, furthering President Biden's Executive Order 14028 on Improving the Nation's Cybersecurity.
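To make the zero trust idea concrete, here is a small policy-decision example I have added for illustration; it is not code from the strategy or from any agency, and the device attributes, resource tiers and sample requests are all constructed. The point it shows is that every request is evaluated on identity, MFA, device posture and transport encryption, the decision defaults to deny, the source network earns no trust at all, and each decision is recorded so it can be monitored.

```python
"""Toy zero-trust access decision: evaluate every request, trust nothing by
network location, deny by default, and log each decision for monitoring.
Added illustration only; attributes and tiers are constructed examples."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    managed: bool           # enrolled in device management (assumed attribute)
    disk_encrypted: bool
    patch_age_days: int     # days since last patch (assumed attribute)


@dataclass
class Request:
    user: str
    mfa_verified: bool
    device: Device
    resource: str
    source_network: str     # "corp" or "internet"; deliberately NOT a trust signal
    tls: bool               # request arrived over an encrypted channel


# Constructed sensitivity tiers; a real deployment would pull these from inventory.
RESOURCE_TIER: Dict[str, str] = {
    "wiki": "low",
    "hr-records": "high",
    "payroll-db": "high",
}

MAX_PATCH_AGE_DAYS = 30


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check adds a reason; the request
    is allowed only when no check failed. Unknown resources are denied."""
    reasons: List[str] = []
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False, ["unknown resource"]
    if not req.mfa_verified:
        reasons.append("mfa required")
    if not req.tls:
        reasons.append("transport not encrypted")
    if not req.device.managed:
        reasons.append("unmanaged device")
    if tier == "high":
        # Sensitive data gets stricter device-posture requirements.
        if not req.device.disk_encrypted:
            reasons.append("disk encryption required for high-tier resource")
        if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append("device patch level stale")
    # Note: req.source_network is never consulted. Being on the corporate
    # network grants nothing; that is the "assume breach" posture.
    return len(reasons) == 0, reasons


AUDIT_LOG: List[Dict[str, object]] = []


def authorize(req: Request) -> bool:
    """Decide and record the outcome so denials can be monitored and alerted on."""
    allowed, reasons = evaluate(req)
    AUDIT_LOG.append({
        "user": req.user,
        "device": req.device.device_id,
        "resource": req.resource,
        "network": req.source_network,
        "allowed": allowed,
        "reasons": reasons,
    })
    return allowed


def denied_count() -> int:
    """Simple monitoring hook: how many requests were refused so far."""
    return sum(1 for entry in AUDIT_LOG if not entry["allowed"])


if __name__ == "__main__":
    good = Device("lap-01", managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device("lap-02", managed=True, disk_encrypted=True, patch_age_days=90)
    byod = Device("phone-9", managed=False, disk_encrypted=False, patch_age_days=1)
    for r in (
        Request("alice", True, good, "payroll-db", "internet", True),
        Request("bob", True, stale, "payroll-db", "corp", True),
        Request("carol", False, byod, "wiki", "corp", True),
    ):
        print(r.user, r.resource, "->", "ALLOW" if authorize(r) else "DENY", AUDIT_LOG[-1]["reasons"])
```

The second sample request is the instructive one: the user is on the corporate network with MFA, yet is denied because the device's patch level is stale for a high-tier resource, which is exactly the per-request, per-device scrutiny the objective describes.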


Pillar II: Disrupt and Dismantle Threat Actors

“The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.” This is a powerful start to the second pillar. The pillar focuses on integrating the instruments of national power: Diplomatic, Information, Military, Economic, Financial, Intelligence, and Law enforcement (DIME-FIL). It inculcates a whole-of-government approach to dismantling sustained cyber campaigns that may threaten national security or public safety. The “more sustained and effective disruption of adversaries” further acknowledges the necessity for partnering between public and private sectors on sharing intelligence, disruption campaigns, securing U.S.-based infrastructure, and ransomware campaigns, the last being a continued focal point for the President.

The first objective is the continued integration of federal disruption activities. The crux of this is to impose cost, making malign and criminal activity unprofitable and viewed as an ineffective means to achieve the nation-state actor’s or criminal organization’s end goal.

The administration tasks the Department of Defense to capitalize on the insights and lessons learned from the “defend forward” approach to generate a new cyber strategy aligned with national strategic documents such as the National Security Strategy, National Defense Strategy, and the National Cybersecurity Strategy. That strategy is to clarify “how U.S. Cyber Command and other DoD components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic-level threats to U.S. interests.” Lastly, it asserts that the Federal Government needs to advance “technological and organizational platforms” for continued and coordinated operations, headed by the NCIJTF.

The second objective is to enhance public-private operational collaboration to disrupt adversaries. The objective acknowledges the private sector’s growing depth and breadth of “visibility into adversary activity”, often broader and more detailed than that of the government due to its scale. As part of the broader strategy, the objective seeks to improve collaboration and partnering with the private sector using virtual platforms and “bidirectional” information sharing to “rapidly overcome barriers to supporting and leveraging this collaboration model”.

The third objective increases the speed and scale of intelligence sharing and victim notification. The administration recognizes the outsized impact open-source and private sector intelligence providers have had in increasing collective cyber threat awareness, while emphasizing that the government intelligence community provides invaluable, bespoke collection. This pairing of broad and targeted capabilities emphasizes the need for increased and improved collaboration. The NSA- and CISA-led private sector engagements have been effective in “disrupting adversary activity targeting the industrial base”, and coordination with the FBI “accelerates victim notification to reduce the impact of identified intrusions”. The strategy asserts that the government will “increase the speed and scale of cyber threat intelligence sharing” and tasks government entities to spearhead the processes and mechanisms for refined collaboration with the private sector, specifically by reviewing declassification policies and expanding clearances as needed to ensure intelligence can be actioned.

The fourth objective is to prevent abuse of US-based infrastructure by working with cloud and other internet infrastructure providers to identify malicious use of US-based infrastructure and to share reports and information. The objective articulates that service providers must “make reasonable attempts” to secure their infrastructure. Further, the administration will prioritize adoption and enforcement of risk-based approaches to cybersecurity for Infrastructure-as-a-Service (IaaS) through Executive Order 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”.

The fifth objective targets countering cybercrime and defeating ransomware. As I noted previously, this is a priority for the President, who has declared ransomware “a threat to national security, public safety, and economic prosperity.” The objective states that the “United States will employ all elements of national power [DIME-FIL] to counter the threat along four lines of effort:”

(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing abuse of virtual currency to launder ransom payments.

The objective outlines the need for international cooperation and points to the Counter-Ransomware Initiative (CRI), convened to synchronize policy and diplomatic vehicles. Additionally, the objective identifies approaches that include targeting illicit cryptocurrency exchanges and improving implementation of international standards for “combatting virtual asset illicit finance.”

Lastly, the pillar ends by urging ransomware victims to refuse to pay ransoms and to report the incidents to the appropriate agencies, stating that these reports will improve the government’s victim support and AML/CFT controls and stymie the success of future ransomware attacks.

So what do you think? Lots of collaboration needs. Fundamentally, it seems to rethink the cyber-social contract, shifting the load of cyber risk management onto the larger private sector providers and federal agencies and away from the previous idea that end-users should bear the burden.

Pillars III-V tomorrow!


I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.