The White House has released its National Cybersecurity Strategy, seeking to shift the burden for managing cyber risk from individuals and small businesses to tech companies, while taking a more offensive approach to dealing with threat actors.
The strategy focuses on five pillars: defending critical infrastructure, disrupting and dismantling threat groups, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.
Industry professionals have commented on various aspects of the new cybersecurity strategy, its impact, and implications.
And the feedback begins…
Brandon Valeriano, distinguished senior fellow at the Marine Corp. University and former senior adviser to the federal government’s Cyberspace Solarium Commission:
“There’s a lot to like here. It just lacks a lot of specifics,” Valeriano, commented. “They produce a document that speaks very much to regulation at a time when the United States is very much against regulation.”
Ilia Kolochenko, founder, CEO, ImmuniWeb:
“Even amid the surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move, however, economically speaking it makes perfect sense.
Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers. This is, however, comparable to carmakers complaining about “unnecessarily expensive” airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.
Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that.
That being said, overregulation or bureaucracy will certainly be harmful and rather produce a counterproductive effect. The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation. Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good. Therefore, the new legislation shall derive from the intensive and open collaboration of independent experts coming from industry, academia and specialized organizations to ensure a properly balanced regulation that would consider legitimate interests of all concerned parties.”
Szilveszter Szebeni, CISO, Tresorit:
“Would you consent to undergoing a surgical procedure performed by a newly graduated individual who possesses exceptional proficiency in performing surgeries on cats? Furthermore, why would you entrust the same individual with the task of developing software for your pacemaker? While the answer to the former question will be negative, as a society, we permit the latter to occur. The IT industry has demonstrated remarkable adeptness in evading warranties on their products and offering them for sale ‘as is.’ This apparent lack of accountability is unprecedented in other industries, such as healthcare and construction.”
Moty Kanias, VP cyber strategy and alliances, NanoLock:
“The newly released National Cyber Strategy is a huge step in the right direction for the world in the fight against cybercrime and state-driven adversaries. We commend the work done by the agencies involved and hope that they will continue to prioritize the security of the nation’s critical infrastructure. It is crucial for allied countries to work together towards cyber supremacy, to fight cyber criminals and to create new cyber security solutions that will tilt the equation.
Adversaries in cyberspace are evolving at an alarming rate and are always looking for new markets to attack. In fact, manufacturing has become the number one target in the past year, according to reports from leading companies. Protecting critical infrastructure and production lines at the industrial device level is an essential next step beyond today’s requirements for common detection, monitoring and segmentation solutions to address a problem that is becoming increasingly more complex.
We also acknowledge the efforts made by other countries like Singapore in implementing regulations that can serve as a baseline for the U.S. For example, in July 2022, Singapore took the important step of deepening regulations for critical infrastructure and is now demanding that critical infrastructure prevent cyberattacks on field controllers, such as PLCs, RTUs, industrial computers, and more. Other countries, including the US, must follow this path to protect critical infrastructure from massive cyberattacks.”
David Lindner, CISO, Contrast Security:
“The current US Federal government administration is really driving the need to beef up the collective defensive and offensive capabilities within both the private and public sectors. It all started with President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity. This EO quickly morphed into many other key initiatives and operational directives such as Operational Directive 22-01 and OMB 22-18. Operational Directive 22-01 and 22-18, along with this new national cybersecurity strategy, have one distinct thing in common; we need to do a much better job of understanding, exposing, and fixing the security issues in our software.
This new strategy states, “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.” Those of us in the technology sector have known this for a very long time. As of today, the average number of new Common Vulnerabilities and Exposures released per day in 2023 sits at 76.9 (per CVE.icu) and that doesn’t include the fact that on average a software application has 25 vulnerabilities in their custom code (data source: Contrast Security).
I have longed for the day of regulation and accountability when it comes to the security of the software the world is producing, and at least in the US it appears I will get my wish.”
Cody Cornell, co-founder, chief strategy officer, Swimlane:
“The White House is calling for new regulation that is not only for critical infrastructure, but sector-specific regulatory frameworks. While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace. As we’ve seen as an industry, getting a standard built, especially a collaborative one, can be extremely time-consuming, and the ability for it to become watered down and lack the teeth to drive change is always a risk in the development and refinement process.
An interesting element of the first pillar of the strategy is to create and institute incentives that ensure that low-margin sectors or disincentivized sectors might have the economic support to implement or, at a sector level, may become mandatory across every provider in a sector, reducing the often-seen fight between doing what is right from a security perspective, with the concern that a competitor may forgo those same costs and be able to achieve a lower cost for the market or higher margins. Each of these objectives calls on both industry and government collaboration along with the help of Congress to close any statutory gaps, which again is asking a divided government to do the unpopular task of providing additional regulatory guidance.”
“The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and ability to execute inside the windows of an Executive administration and its inevitable changes in leadership that come at a longest in eight-year cycle. Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work.”
Debbie Gordon, founder, CEO, Cloud Range:
“While we applaud the administration’s goal to build out our national cyber workforce under Strategic Objective 4.6 and develop our nation’s next generation of cyber talent, it unfortunately doesn’t move the needle on what needs to be done to strengthen the workforce we have today. In any type of life safety field—and that is exactly what cyber security of critical infrastructure represents—the need for ongoing training and readiness is integral.
The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state backed APTs, so we can’t depend on a yearly training certificate to be confident that our infrastructure is being protected. Requirements for ongoing training that can measured against industry standard frameworks to validate their effectiveness can not only help organizations ensure they have the right people with the right skills to prevent and respond to attacks in place, they can also provide cybersecurity professionals with a clear pathway to expand their careers with the cyberskills that are unique to OT cybersecurity.”
Jacob Berry, field CISO, Clumio:
“We are excited to see further investment from the US federal government in Cybersecurity initiatives. With the publication of the new National Cybersecurity Strategy, several of the federal initiatives stand out as likely to drive change in the cybersecurity industry. The new strategy delivers five strategic pillars and within these pillars, there are three areas that drew our attention.
The strategy outlined an initiative to increase the burden on technology companies to provide secure software and services. This is likely to lead to legislation that will create new penalties, or increase penalties, for businesses that do not follow security best practices aligned to NIST standards. This means investment and auditing will need to increase across all domains. Clumio will continue to increase our investments in new technology to ensure partners can deliver secure operating environments that meet and go beyond the NIST requirements.
Second, the federal government plans to “Shape Market Forces.” This will come not only in the form of regulation but in grants and monetary investment in cybersecurity research. For us who preach the need for continued investment in this sector, we are excited to see commitment towards private and public partnerships.
Finally, we may see federal legislation around privacy and data governance introduced in the future. With many states implementing their own privacy legislation, this may bring a welcome change to a more centralized strategy to US data privacy law.”
Amit Shaked, CEO, co-founder, Laminar:
“The 2023 National Cybersecurity Strategy acknowledges the benefits of cloud-based services, such as operational resilience for critical infrastructure and enabling scalable, more affordable cybersecurity practices – while acknowledging there are gaps in cloud security at the federal level. It also notes that a key part of the Office of Management and Budget (OMB) zero trust architecture strategy is gaining visibility into Federal Civilian Executive Branch (FCEB) agencies’ attack surfaces and adopting cloud security tools.
We applaud this, as visibility into and understanding the full breadth of their cloud infrastructure, and the data that resides within it, is one of those major gaps many government agencies face when making the cloud transition. In the height of the pandemic when other organizations were undertaking similar initiatives, one in two businesses experienced a breach due to unknown or ‘shadow’ data, lack of visibility into the network and overall disconnection between developers and IT and security teams.
We encourage all enterprises – including the federal government – to use agile data security tools that allow for automated continuous monitoring of data assets — especially after the shift to the cloud is complete. Having total observability will enable them to automate cloud data discovery and data security policy enforcement, control data exposure and enable data-centric environment segment. It’s simply not good enough to secure cloud infrastructure – the data must be protected as well.”
Jim Richberg, public sector field CISO, VP of information security, Fortinet:
“Part of the focus of the new national strategy is on transferring much of the responsibility for mitigating cyber risk away from end-users such as individuals, small businesses and small critical infrastructure operators like local utilities. Such groups are typically under-resourced and short on cyber expertise compared to organizations like technology providers and large corporations or government agencies, who are better able to deal with cyber risks systemically. As the U.S. government works to implement this strategy, ongoing partnership and collaboration between private and public organizations must be integrated into these efforts.
Cybersecurity is everyone’s concern. Our national cyber strategy will help define goals and roles for stakeholders ranging from government to individuals. Perfect cybersecurity is unattainable, but the goal we strive for should be focused on building cyber resilience, on maximizing cybersecurity while simultaneously taking steps to minimize the consequences of the inevitable failures that can occur in security. As a nation, we need to plan to succeed, but to be prepared to deal with failure as well.”
Joshua Corman, former CISA Chief Strategist and current VP of Cyber Safety at Claroty:
“The choice to put critical infrastructure at the forefront in Pillar 1 is an important and deliberate one. It’s crucial as the strategy is implemented, that we begin to finally stratify our critical infrastructure functions. I encourage Congress, the White House, CISA, and other parts of government to focus on the most critical of the 55 National Critical Functions—the lifeline, latency-sensitive functions that if disrupted for 24-48 hours could contribute to losses of life or a crisis of confidence in the public. These include: supply water, provide medical care, generate electricity, produce and provide food, etc. Many of the owners and operators of these lifeline functions happen to also be what I’ve called, ‘target rich, cyber poor’—meaning they are among the most attractive targets for threat actors, with the least amount of resources to protect themselves.”
Related: Industry Reactions to Hive Ransomware Takedown: Feedback Friday
