The White House released the implementation plan for President Biden’s National Cybersecurity Strategy on July 13. Within the plan, two fundamental changes are worthy of approbation: the public and private sector entities best positioned to mitigate cyber risk are the ones to do so, and increased incentives are offered for long-term investments in cybersecurity.

At the recent RSA2023 conference, ClearanceJobs had the opportunity to meet with representatives of the FBI, NSA and CISA and discuss the national cybersecurity strategy and how companies can help themselves in engaging with their government organizations.

The implementation will no doubt raise expectations among the private sector that the government will be more engaging, more transparent, and above all more willing to share information, remediation, and advisories with specifics rather than the vast generalizations which have been the hallmark for many years.

Critical Infrastructure

CISA has the helm on the implementation of the President’s strategy, and one must say, based on their RSA2023 commentary, they are up to the task and are embracing it with vigor. Director Jen Easterly leads the organization from the front. Their non-stop publication of advisories and tactics to close the identified cybersecurity delta is not only welcome; CISA is making a difference as enterprises work to secure their environments.

Dismantle the threat actors

The Joint Ransomware Task Force is co-chaired by CISA and the FBI. CISA has the focus on preparing the targets to be hard targets – remember the criminals aren’t looking for the easy target. The FBI is charged with working with the “Federal, International, and Private Sector.” However, at a presentation the FBI gave for the private sector at RSA2023, a portion covered how to engage with the FBI. Their advice was to reach out and become a known entity to your local FBI division cyber team before you’re attacked, so that they can assess your situation and so that there is an established relationship and the first call isn’t an “I need help” call.

Supply chains

The strategy highlights the SBOM (Software Bill of Materials) and again points to CISA working with markets so that entities better understand their supply chain risks. Those in the know, know SBOMs aren’t the panacea, and one must go beyond them and ensure that what is “attested” to in an SBOM is also what is happening. This is not an insignificant lift.

Resilience is in our future

An all-of-government approach is going to be necessary to implement the cyber strategy, and NIST will drive the truck as order is brought to international standards surrounding the internet, engaging with international entities and ensuring federal agencies’ participation.

As always, many hands make light work. And the United States, through international partnerships, is well positioned to work with other nations in evolving the International Cyberspace and Digital Policy Strategy, with the Department of State being put in the driver’s seat. State is also charged with “development of staff knowledge and skills related to cyberspace and digital policy.”

Ambitious yet doable

The President’s plan, while ambitious, especially when you look at the roadmap from a public/private partnership, is doable. That said, private sector entities may be better resourced, and public sector entities may have access to more specific threat intelligence. Collaboration is not an option; it is a prerequisite.

For entities within the Defense Industrial Base (DIB), leverage the tools and solutions offered by the National Security Agency (NSA) in their “Cybersecurity Collaboration Center.” This is truly a “your tax dollars at work” situation. At RSA2023, NSA representatives waxed poetic on the benefits and the cost – zero cost – to obtain scalable and easily implemented cyber solutions.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.