National Cyber Strategy — What We Know So Far
I’ve run into several folks who wanted to ignore the Biden Administration’s recently announced National Cybersecurity Strategy – “isn’t that just for Federal agencies?”. That would be a dangerously flawed assumption! This is a major shift in strategy, and regardless of how small your organization is, it’s going to change how you get to a secure state, and how you show that you’re doing it.
The administration makes no secret of its goals, even if they are controversial. They openly describe a target of shifting the playing field, and as always, this creates winners and losers. You need to be agile to ensure you’re on the winner side of this equation! The tilted playing field is aiming for two effects. One goal is to change the economic risk/reward so that bad actors think twice. The other is a significant shift in the burden of defense, pushing it up from smaller mom-and-pop scale organizations, transferring it to larger, more capable companies.
Both of these sound great, but somebody somewhere has to pay for all this. There are new spending initiatives included in the strategy, but they are focused more on training of a new generation of cyber talent, not so much on the shifting playing field. To achieve the two goals, then, the strategy relies more on stick than carrot.
If you’re a defender of your organization, you don’t need to worry too much about the stick that will be applied to bad actors – you can just take some comfort in the idea that the government has a renewed emphasis on pursuit, hacking back, and on punishment. But that doesn’t mean you can rest. The strategy specifically calls for increased regulation, and even liability, of online businesses – and this means pressure.
We’ve heard plenty of talk about resilience over the last few years in this industry, but now we’re talking about a requirement for resilience. This means defenders have to do more than just achieve some reasonable level of security – they also have to be able to show they are effective. We don’t test the resilience of buildings by knocking them down every once in a while, just to see – instead, we inspect plans and demand that architects and builders can show how they know their buildings are safe. Expect this kind of thinking to come home to roost in cybersecurity – not just exhortations to do better, but real requirements to prove resilience.
OK, but if your job is securing an organization that is going to face this increased regulation and liability, what can you do? It’s no longer enough to just follow compliance check-lists and formalities – that can prove you’ve got a compliance program, but it won’t show resilience. A check-list attestation is the cybersecurity equivalent of being able to fog a mirror – hardly the same as being able to demonstrate fitness or health!
The new strategy requires resilience – both being resilient, and being able to show it. Resilience means, first and foremost, realizing that incidents will happen, but planning ahead to contain the damage. A resilient army is not one that avoids ever getting into combat – it’s an army that has the resources and planning to bounce back and continue to fight. Likewise, your network needs to be able to bounce back, if you’re to have any hope of meeting the requirements of the new national strategy.
This means you need to map out your whole environment – physical sites and across cloud networks. You need to understand what depends on what, and where attacks can spread. It’s going to require a complete inventory – a challenging objective in itself – but beyond that, some means to demonstrate that a failure in one part of your environment won’t bring it all down. This is the goal of the strategy – resilience, and ability to demonstrate resilience; for those who cannot, new fines, new regulations, and an uphill battle to compete with those organizations who have resilience plans baked right into their networks.
Fortunately, this shift doesn’t require super-human efforts and endless nights at the keyboard. The effort to map out your environment, and see where there are resilience gaps, is automatable. The new strategy presents a new opportunity to get funding and executive buy-in for better, more efficient resilience planning, as a competitive advantage instead of a burden.
RedSeal’s unique approach – mapping out your whole environment, including on premises and in the cloud, and then finding and prioritizing defensive weaknesses and resilience gaps – is an ideal fit into your response to the National Cybersecurity Strategy. And make no mistake – you will need a response, ready or not. New regulation is coming, new liabilities are coming. These are not designed to punish all market participants – rather, they are designed to shift the playing field in favor of those who can deliver resilience, leaving behind those who are stuck in the past.