China is ‘most active, and most persistent threat’ as government pinpoints need for a bigger and more diverse cybersecurity workforce to meet the long-term challenge.

The Biden administration has unveiled its long-awaited cybersecurity strategy, effectively putting the country on a permanent cyberwar footing, with the Federal government adopting zero trust while demanding tech providers take more responsibility for securing their products and tackling cyberthreats.
“Voluntary” approaches to securing critical infrastructure will be stiffened with regulation, tailored to individual sectors. The Federal government will also root out insecure legacy systems from its own estate, while building up its own cyber defense and offense capabilities.
The strategy noted a state of inequality in responsibility for tackling cybersecurity threats. For example, school districts were being forced to go toe to toe with international cyber threat actors, Acting National Cyber Director Kemba Walden said, launching the strategy in Washington, D.C. “This isn’t just unfair, it’s ineffective,” she said.
The strategy calls out China as the “broadest, most active, and most persistent threat,” having moved beyond IP theft a decade ago to become the only country with both the intent and means – including technological – to reshape the national order. Russia, North Korea and Iran were all flagged up as threats, along with purely criminal syndicates.
“The National Cybersecurity Strategy is an opportunity for the U.S. to not only enhance its own cybersecurity posture, but to lead and influence globally. It comes at a time when cybersecurity has never been more critical to the economy, as well as to national and global defense and security,” said Clar Rosso, CEO of ISC2.
Fairer Share of Responsibility
Countering all these threats to secure a “free and open” internet means the US must “rebalance the responsibility to defend cyberspace”. That means shifting the burden of responsibility away from individuals, small businesses and local governments.
It means a bigger role for the Federal government, but also far more responsibility for larger organizations in the private sector. The strategy also highlights that open source developers should not be made to bear responsibility for bad outcomes when their components are integrated into commercial products.
Too many vendors had ducked their responsibilities, whether through insecure development, shipping products with known vulnerabilities, or integrating “third party software of unvetted or unknown provenance”. They had also sought to leverage market position to “disclaim liability by contract.” This all contributes to greater systemic risk.
“The inclusion of Coordinated Vulnerability Disclosure in the National Cybersecurity Strategy as well as the invitation to the community to give input into its formation bode well for the future of crowdsourced security,” said Casey Ellis, CTO and Founder of crowdsourced security specialist Bugcrowd.
Walden said the industry needed to move from “first to market” to “secure to market.” The administration will work with Congress on legislation “establishing liability for software products and services.” The point was echoed by Amanda Brock, CEO at OpenUK, who said: “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the open-source developer of a component that is integrated into a commercial product.”
Defend It or Replace It
Federal systems that cannot be defended must be modernized, and the Office of Management and Budget will lead a multi-year plan for this, “eliminating legacy systems which are costly to maintain and difficult to defend.” Moving to the cloud will be central to this. The NSA will lead an effort to secure national security systems.
Switching from defense to offense, the U.S. will build on its efforts to disrupt and dismantle threat actors, to make them “incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the U.S.” The DoD will develop an updated cyber strategy aligned with the National Security Strategy, National Defense Strategy and National Cybersecurity Strategy.
The private sector often had more insight into threat actors, and there was a need for more “routine collaboration” between Federal agencies and the private sector, the strategy said, adding that it would bring “all elements of national power to counter the threat”.
The strategy specifically addresses the “post-quantum future”, and the effect that quantum computing could have on existing encryption technology. The Federal government is already working on transitioning vulnerable networks and systems to quantum-resistant cryptography, and the strategy calls on the private sector to follow suit.
The document also set in motion the development of a digital identity ecosystem as a strategic objective, saying today’s free-for-all results in inefficiency and identity theft, as well as exclusion and inequity.
Strategy Calls for a Bigger Workforce
But all of this will be for nothing if the government can’t get digital boots into cyberspace, so it has also pledged to build out the U.S. cybersecurity workforce, with a dedicated National Cyber Workforce and Education Strategy. The US Department of Defense may provide a model here, with its recent plans to broaden its cyber workforce and keep it up to date.
ISC2’s Rosso said the strategy recognizes that organizations are trying to hire from too small a talent pool. “We welcome that diversity is recognized as a valuable investment that expands the pool, bolsters the nation’s ability to manage and mitigate incidents, develop new skills to protect our digital future and underpin the next generation of cybersecurity research and development.”
“We are bringing more women, people of color, entry-level professionals, people with disabilities, immigrants to the U.S., members of the LGBTQI+ community and other underrepresented communities into the profession through our One Million Certified in Cybersecurity program. This strategy announcement commits to building on these shared aims, leveraging the existing efforts of several government agencies, state and federal initiatives as well as supporting the proactive efforts of the industry itself,” she added.