The Emerging Biden Administration Cyber Strategy, The Nzuchi News Forbes

The Emerging Biden Administration Cyber Strategy

The recent surge in high-profile cyber-attacks has correlated with a similar surge in cybersecurity policies and announcements from the Biden Administration. These actions are a mix of explicit requirements for federal agencies, federal contractors, and critical industry entities, and broader recommendations for industry and the public at large, both for cyber defense and for engagement with the federal government in areas like threat information sharing and the development of standards and best practices.

Taken together, these elements represent the pieces of an emerging federal cyber strategy that contains at least three key components: increased accountability for cybersecurity at all levels in both public and private enterprise, better implementation of a risk-informed set of core cyber security best practices, and enhanced public-private integration, especially regarding threat intelligence. While requirements in each of these areas will be mandatory for federal contractors, they are understood as voluntary best practices for industry more broadly, at least for now.  

Foremost, the administration expects businesses to treat cybersecurity threats like ransomware as “a threat to their core business operations.” The same White House memo goes on to recommend that “business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture.” While not explicitly stated, businesses that suffer significant losses due to ransomware should anticipate that there will ultimately be a public accounting of their responsiveness to these suggestions, and even a Congressional hearing in significant cases. This week’s two hearings offered a first glimpse of this new level of public accountability that corporate executives may face.

In other words, although the government will undoubtedly still investigate intrusions and support recovery, executive tolerance of poor corporate cyber hygiene will enter the public domain. CIOs and CISOs can and should look to minimize this possibility by commissioning thorough third-party audits, including actual penetration testing, that drive corrective actions on an ongoing basis.

Next, the administration seeks some indication of how prepared a company is, both to defend against cyber-crime and to face public accounting, based on whether it is implementing risk management practices such as those embodied in the NIST Cybersecurity Framework. The White House’s ransomware memo helpfully provides a subset of those best practices, such as using multifactor authentication, encrypting data, segmenting networks, and having a reliable and offline backup process. These controls make a successful intrusion harder and minimize the cost when one does happen.


CIOs and CISOs should already be aware of these practices and know the costs associated with implementing them. If incident response plans aren’t already available, they need to be developed and communicated to other key stakeholders as soon as possible. It’s particularly important that those stakeholders understand the critical steps to minimize risk, even if they come at the expense of some additional friction in business processes. For example, internal systems that had internet access may not have it in the future, and employees and customers will want to know why. Corporate leaders must be prepared to explain these tradeoffs as a demonstration of their seriousness about protecting critical data and assets.


Further, recent cyber incidents like the SolarWinds breach and Colonial Pipeline ransomware attack prove that an essential best practice for leadership is testing incident response plans. This exercise is critical, and must include a role for the CIO, CISO, and CEO. When a true incident is detected, leadership needs to be prepared to respond in a timely fashion. Making a real-time decision of whether to disconnect an operational system or capability, without having ever considered the costs or how to sustain and resume operations, is a recipe for mistakes.

Finally, while the administration expects private industry to take steps such as these, it is also clear that it sees a larger need for public-private integration. The sheer breadth of challenges in areas such as software development and evolving vulnerabilities requires such collaborative efforts to improve on existing best practices, leveraging NIST’s industry-government forums. President Biden’s Improving National Cybersecurity Executive Order makes reporting incident information mandatory for government contractors, and it is likely that the government will use other regulatory tools to expand this across critical industries and to all ransomware victims. At the same time, the government wants to get “left of boom” and disrupt intrusions and criminal actors before they can inflict damage. There are already calls to grant the U.S. intelligence community greater authorities for warrantless tracking of suspected cyber activities on domestic networks. Limited industry engagement with existing threat sharing and incident reporting activities will only increase the likelihood of such actions.

Taken together, the United States is at the start of a shared cybersecurity journey that is likely to increase government regulation and oversight of industry. As is already happening with the defense industrial base, expect that if there isn’t strong voluntary participation, more will be mandated.
