Three Ways The U.S. Government Can Mark National Cybersecurity Awareness Month
The United States marks National Cybersecurity Awareness Month for the 18th time this year. Each October, government officials and stakeholders do an admirable job of educating the broader public about the risks of life online and about the best practices we all should adopt to make ourselves, our families, and our communities safer. However, after 18 years of these efforts, the data are unequivocal: attacks, their costs, and their victims continue to increase. Why? The short answer is that the U.S. continues to tackle this massive challenge with a piecemeal approach.
Such an approach is insufficient in the face of the drastic shift to online services, work, education, banking, and communication that has—without question—increased our individual and collective cyber risk. This situation, like the proverbial boiling frog, is the culmination of a decades-long, haphazard approach to addressing cybersecurity.
The Biden Administration has elevated cybersecurity well above its prior level of priority, which should be commended. Importantly, the emerging Biden Administration cyber strategy implicitly rests on three key pillars: increased accountability in both the public and private sectors, a focus on risk-based best practices, and enhanced public-private integration. All three are necessary. However, the disjointed actions of the past few months demonstrate that there is still a long road ahead for coordinated and coherent execution of that strategy, and they underscore the inherent challenges of the current piecemeal approach. Those actions include the White House's National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems; the Cybersecurity and Infrastructure Security Agency's (CISA) establishment of the Joint Cyber Defense Collaborative (JCDC); the unveiling of three separate Federal Zero Trust documents; and the creation of critical infrastructure cybersecurity programs and a $1 billion grant program for improving state, local, tribal, and territorial government cybersecurity in the Infrastructure Investment and Jobs Act.
As the administration marks National Cybersecurity Awareness Month, here are three big picture ways it can meaningfully observe the occasion and make progress:
- Clearly delineate roles and responsibilities for cyber leadership positions. Despite the best intentions of many supremely qualified personnel, the competing priorities within the administration's strategy leave such a complex landscape that cybersecurity practitioners in the private sector will continue to be overly focused on compliance with the various regimes, at the expense of active cyber defense and risk mitigation. For example, the Cybersecurity Maturity Model Certification (CMMC) program requires that every company wishing to do business with the Department of Defense (DoD), even indirectly through a larger supplier, undergo third-party auditing against a set of cyber controls. The National Security Memorandum, on the other hand, focuses on voluntary collaboration between the U.S. government and the critical infrastructure community to develop and deploy technologies that improve threat awareness and response. To build accountability, the memo also calls for the establishment of performance goals that will provide “clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect….” In other words, one approach pushes companies to take whatever steps ensure they can pass an audit that occurs once every three years, and the other establishes performance targets that can later be used to name and shame industry cyber victims who failed to meet them. In this environment, industry leaders will not be able to truly focus on threat mitigation and risk management.
- Use those roles to establish cyber best practices that can be widely understood. This is especially true of the U.S. government's Zero Trust Architecture guidance, which is meant to define risk-based best practices, yet the documents do not clearly agree on what those best practices are or how they should be implemented. For example, the OMB Zero Trust strategy document takes a largely reactive view of the role of data in a Zero Trust implementation, focusing on logs, auditing, and security response, while the CISA Zero Trust Maturity Model identifies data as a key pillar and expects optimized agencies to maintain full data inventories and sophisticated automation of data access and protection. The lack of consistency means that cyber practitioners will again spend excessive time and effort worrying about compliance with competing guidelines rather than on securing their data.
- Invest in the resources CISA needs to engage better with industry. Much of the burden of implementing the proliferating programs and guidance falls to CISA, a relatively new agency that is still finding its footing. CISA must do more to ensure genuine strategic engagement between government and industry. For example, the Zero Trust strategy documents, which contain sophisticated maturity models and reference architectures that will have long-standing consequences for cybersecurity best practices, were released for public comment periods of only two to three weeks. Rather than demonstrating a willingness and desire to work together on streamlining frameworks, such short timelines inevitably produce discrepancies among the documents and only add to the burden already confronting businesses.
Until Congress and the administration clearly delineate roles and responsibilities across the full spectrum of cyber agencies, private sector leaders should expect a steady stream of new individual requirements, introduced through federal contract precedent, for incident reporting, software development standards, product labeling, and more. If the next Cybersecurity Awareness Month in 2022 is truly going to mark a change, then the U.S. government needs to work through these issues expeditiously and hand in hand with industry.