by Joe Fay
China is the “most active and persistent threat” as the government signals the need for a larger and more diverse cybersecurity workforce to meet the long-term challenge.
The Biden administration has submitted its National Cybersecurity Strategy, effectively placing the country on a permanent cyber war footing, with the federal government embracing zero trust while requiring technology vendors to take more responsibility for protecting their products and addressing cyber threats.
“Voluntary” approaches to securing critical infrastructure will be reinforced by regulation, tailored to individual sectors. The federal government will also remove insecure legacy systems from its own estate, while developing its own cyber attack and defense capabilities.
The strategy pointed to an imbalance in who bears responsibility for addressing cybersecurity threats. School districts, for example, have been forced to come face-to-face with international cyber threat actors, said acting National Cyber Director Kemba Walden, launching the strategy in Washington, DC. “This is not only unfair, it’s ineffective,” she said.
The strategy calls China the “broadest, most active and most persistent threat,” having moved beyond intellectual property theft a decade ago to become the only country with both the intent and the means, including technological ones, to reshape the international order. Russia, North Korea and Iran were singled out as threats, along with purely criminal syndicates.
“The National Cyber Security Strategy is an opportunity for the US to not only improve its own cyber security posture, but also lead and influence globally. It comes at a time when cybersecurity has never been more critical to the economy, as well as to national and global defense and security,” said Clar Rosso, CEO of (ISC)².
Fairer share of responsibility
Countering all of these threats to ensure a “free and open” Internet means that the US must “rebalance the responsibility to defend cyberspace.” That means shifting the burden of responsibility from individuals, small businesses, and local governments.
It means a bigger role for the federal government, but also far more responsibility for the largest organizations in the private sector. The strategy also stressed that open source developers should not bear responsibility for poor outcomes when their components are integrated into commercial products.
Too many vendors shirk their responsibilities, either through insecure development, shipping products with known vulnerabilities, or integrating “third-party software of unvetted or unknown provenance.” They have also used their market position to “disclaim liability by contract.” All of this contributes to increased systemic risk.
“The inclusion of Coordinated Vulnerability Disclosure in the National Cyber Security Strategy, as well as the invitation to the community to provide input on its formation, bodes well for the future of collaborative security,” said Casey Ellis, CTO and founder of collaborative security specialist Bugcrowd.
Walden said the industry needed to move from “first to market” to “secure to market.” The administration will work with Congress on legislation that “establishes liability for software products and services,” a point echoed by Amanda Brock, CEO of OpenUK, who said: “The responsibility should lie with the stakeholders best able to take action to prevent bad outcomes, not with the open source developer of a component that is built into a commercial product.”
Defend it or replace it
Federal systems that cannot be defended must be modernized, and the Office of Management and Budget will lead a multi-year plan for this, “eliminating legacy systems that are expensive to maintain and difficult to defend.” Moving to the cloud will be critical to this. The NSA will lead an effort to secure national security systems.
Moving from defense to offense, the US will build on its efforts to disrupt and dismantle threat actors, to render them “incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” The Department of Defense will develop an updated cyber strategy aligned with the National Security Strategy, the National Defense Strategy, and the National Cybersecurity Strategy.
The private sector often has more information about threat actors than the government does, and more “routine collaboration” is needed between federal agencies and the private sector, the strategy said, adding that the US would bring “all elements of national power to counter the threat.”
The strategy specifically addresses the “post-quantum future” and the effect that quantum technology could have on existing encryption technology. The federal government is already working on transitioning vulnerable networks and systems to quantum-resistant cryptography, and the strategy calls for the private sector to do the same.
The document also set in motion the development of a digital identity ecosystem as a strategic objective, saying that the current fragmented approach breeds inefficiency and identity fraud, as well as exclusion and inequity.
Strategy requires a larger workforce
But all of this will be for naught if the government can’t put digital boots into cyberspace, which is why it also pledged to build the US cybersecurity workforce, with a dedicated National Cyber Workforce and Education Strategy. The US Department of Defense can provide a model here, with their and keep it updated.
(ISC)²’s Rosso said the strategy recognizes that organizations are trying to hire from too small a talent pool. “We welcome diversity being recognized as a valuable investment that broadens the group, strengthens the nation’s ability to manage and mitigate incidents, develops new skills to protect our digital future, and underpins the next generation of cybersecurity research and development.”
“We are attracting more women, people of color, entry-level professionals, people with disabilities, immigrants to the US, members of the LGBTQI+ community, and other underrepresented communities into the profession through our . This strategy announcement commits to building on these shared goals, building on the existing efforts of various government agencies, state and federal initiatives, as well as supporting the proactive efforts of the industry itself,” she added.