As the Biden administration continues to develop US cybersecurity requirements on software and supply chain security, zero trust, and incident reporting, among other initiatives, the projects have one often-unstated overarching goal: Improve the cybersecurity resilience of the nation’s critical infrastructure.
The US National Institute of Standards and Technology (NIST) defines cybersecurity resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Its primary purpose is “to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”
The concept of resiliency is critical in the industrial cybersecurity sector, where cyber incidents can have catastrophic consequences. “Resilience is just the ability to operate through the attack and keep enough service functioning to survive,” Patrick Miller, CEO of Ampere Industrial Security, tells CSO.
“Often, this is separating from all other networks and going into ‘turtle mode’ while the adjacent areas are attacked and recovered. This takes intentional design, like the safety cage, airbags, crumple zones, and shear-away drivetrain on a car,” Miller says. “The fancy name for turtle mode is ‘intelligent islanding,’ but the idea is the same. In addition to an enormous amount of planning and testing, this relies on a deep understanding of the system and how to operate it almost manually for what could be an extended period.”
Resiliency covers a wide range of efforts
As government officials speaking at a recent Financial Times event on cybersecurity resilience attest, the term has become highly elastic, encompassing a range of efforts for all organizations to protect themselves during cyber incidents and possibly avoid them altogether. Kemba Walden, the acting national cyber director in the US Office of the National Cyber Director, discussed the challenge of crafting regulations for new technologies and the difficulty of quickly creating new standards and disclosure requirements to increase cybersecurity resiliency.
Speaking of the administration’s National Cybersecurity Strategy, “It’s an opportunity to have two fundamental shifts to be able to achieve a defensible and resilient cyber ecosystem aligned with our values,” Walden said. “Those fundamental shifts are first rebalancing the responsibility for cybersecurity defense but also investing in resilience to achieve that goal of a defensible resilient ecosystem.”
The goal is to raise baselines for everyone so that organizations are all on a level playing field, eliminating weak spots. “It’s executing new regulations to raise those minimum items for security baselines, but it’s also harmonizing the regulations that currently exist,” Walden said. “It is inefficient to ask companies to prove that they are meeting their cybersecurity requirements or cybersecurity baselines over and over again, and then check the box and then do it in a discordant way.”
Most software is insecure
One core factor in why cybersecurity incidents happen, according to Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council, is that most software is insecure. “Software isn’t built securely. It’s deployed quickly and there are no requirements for software standards,” she said. That is why, five months after President Biden assumed office, he issued a comprehensive executive order that requires secure software development, mainly by mandating secure development practices in federal government contract requirements.
“It’s a really powerful tool that we haven’t used well before,” Neuberger said. “We will require that any tech we buy–and companies and government agencies are all buying the same email software, word processing software, etc.–must meet particular standards.”
One looming danger that can threaten cybersecurity resilience is artificial intelligence (AI), which, despite offering many societal benefits, can be used to accelerate malware delivery, Neuberger said. “From a cybersecurity perspective, we have seen adversaries use AI to generate malicious code more rapidly, to more rapidly generate polymorphic code that can adjust and make it harder for a lot of our cybersecurity techniques today to detect,” Neuberger said. Although the administration has yet to introduce actions that address this threat, “the White House has a very accelerated policy process that we’re working through to determine what the president can do and what areas we’re working on do we need to work on with the Congress.”
Organizations need to implement real cyber resilience policies
“Cyber resilience is a concept that I think recognizes that breaches and cyber incidents are likely going to happen and that firms need to be prepared to respond appropriately when they do,” Gurbir Grewal, director, Division of Enforcement, at the Securities and Exchange Commission (SEC) said. “It’s not a matter of if but rather when. This is certainly true in my world where SEC registrants such as public companies, broker-dealers, and investment advisors possess an incredible amount of electronic data about innumerable entities and individuals.”
Although market participants are doing their best to prevent and respond to cyber incidents, “Firms need to have real policies that work in the real world, and then they need to actually implement those policies,” Grewal said. “Having generic check-the-box, off-the-shelf cybersecurity policies simply doesn’t cut it.”
Highlighting some recent SEC enforcement actions, Grewal added, “Some firms have just been paying lip service” to SEC requirements. He suggested that advisors to firms under the SEC’s purview should look at some of these recent actions, which “clearly outlined what good compliance looks like and where and how registrants have fallen short with their cybersecurity obligations.”
Getting trusted infrastructure deployed globally
Nate Fick, ambassador at large for cyber at the US State Department, underscored the importance of cybersecurity reliability at the international level. “Technology’s changing every aspect of our lives,” he said. “It’s also changing every aspect of our foreign policy. And we are in the process right now of ensuring that we have a trained cyber and digital officer in every US embassy around the world by the end of next year.”
Although the US and a handful of allies held an “unassailable advantage” in telecom technology 30 years ago, China now dominates this field due to a “combination of corporate distraction and government complacency and Chinese IP theft subsidies by the PRC of Huawei and ZTE around the world…. We’re suffering because of that,” Fick said. The objective is to “get trusted infrastructure deployed anywhere we can,” including 5G, cable, fiber, data centers, and satellites. “It’s all the guts of the internet that bring it into your phone or into your home.”
Ukraine is a great example to follow when it comes to cybersecurity resiliency, particularly for building a workable relationship between industry and government. “There have been huge Russian cyberattacks in Ukraine,” Fick said. “They just haven’t succeeded. And one of the reasons they haven’t succeeded is because of the tight feedback loop among the Ukrainian government, other governments, and companies in order to push patches and updates in real-time in order to blunt those attacks.”
“These aspects of cybersecurity collaboration have been transformative,” Fick added. “There’s a lesson for all of us in the way the Ukrainian government has pulled really energetic, young, technically capable people into their government to lead on these issues.”
Following the example of Estonia, which went from being a net importer of cybersecurity to being a net exporter of cybersecurity after a series of major Russian cyberattacks in 2007, Ukraine could leverage the current crisis and become a world leader in what digital governance can look like under difficult circumstances. “There are a lot of challenges to get from here to there, but boy, it’s a goal worth aiming for,” Fick said.