For the past several years, cybersecurity has been a rapidly growing focus of the overall security strategy in the United States— and for good reason. As technology evolves, reliance on digital ecosystems continues to increase. The Biden/Harris Administration’s updated National Cybersecurity Strategy aims to strengthen the efforts of previous administrations to enhance the security and resilience of these systems. In the face of increasing threat activity, each of the strategy’s themes addresses a core area of need and endeavors to shift the practices of both the public and private sectors in order to shield the nation from potential attacks.
Unpacking the National Cybersecurity Strategy is a three-part thought-leadership series analyzing the initiatives outlined in the Biden Administration’s updated cybersecurity strategy document. In our first post, we took a deeper look at the strategy’s first major theme: defending critical infrastructure. For this second installment, we’ll dive into the next two themes: preventing attacks and disrupting and dismantling threat actors.
For each theme, I will continue to analyze the initiatives through the lenses of the different roles I play at SafeBreach, namely: a CISO for a cloud-first company who needs to protect their own organization, a CISO for a technology company who needs to protect their customers from potential supply chain risks, a CISO who is acting in the capacity of a trusted advisor, and finally as SafeBreach, a company that needs to understand what the National Cybersecurity Strategy means for our own security posture and program.
Theme 2: Prevent Attacks
In this overarching theme, the Administration seeks to develop and enhance the proactive capabilities of the cybersecurity program. This theme applies to most, if not all, organizations. The Administration is looking at the active role they can play in disrupting and preventing the activities of malicious actors by making it harder for them to access funds, generally available infrastructure, and networks. It also seeks to make malicious activity potentially more dangerous to these actors through criminal prosecution and international collaboration.
It is important to note that most organizations need more resources and capabilities from the US government to disrupt threat actors. With that, the concepts behind these initiatives can still apply.
Initiative 2.1: Integrate defensive capabilities.
For this initiative, the administration seeks to integrate the defensive capabilities of the different agencies to maintain sustained and targeted disruption campaigns. This way, malicious actors cannot carry out attacks against the US. This integration manifests in the private sector as cybersecurity advisories that can help thwart malicious activities.
As the internal CISO and product CISO at SafeBreach, I always look for an opportunity to integrate the capabilities of different defensive technologies. This integration can truly enhance the value of multi-layered or defense-in-depth security architecture.
As a trusted advisor, this is an opportunity to highlight to our customers how they can leverage the integration of our platform with their security stack. This integration can provide them with rich data about the efficacy of their security controls beyond a simple binary result of whether or not an attack was successful.
As a company, SafeBreach is relieved that the administration is stepping up its efforts to prevent malicious actors from even initiating their attacks. Phishing-as-a-Service (PaaS) has become a serious threat to most organizations, including our own. CISA already provides a wealth of information and free tools to enhance our proactive posture, but we look forward to leveraging more of these integrated capabilities.
Initiative 2.2: Enhance collaboration with our business partners.
In this initiative, the administration seeks to collaborate with private sector security vendors to enhance their capabilities in disrupting adversaries. The SafeBreach Labs team is one such team. Our researchers help identify novel threats that can impact the overall industry. We already have several active collaborations with other private industry partners and are working to partner with public agencies.
When wearing my internal/product CISO hat, I always seek opportunities to collaborate with my business partners. For larger organizations, this means leveraging the different security teams throughout the company to collaborate on shared tools and insights into specific threats. I also look for design partnerships with cybersecurity startups that deal with the spot challenges I am facing. These partnerships are extremely rewarding and benefit both the organizations within the partnership as well as our outside stakeholder.
As a trusted advisor, I have the opportunity to help my customers expand their technology partnerships, especially where that partnership can benefit all stakeholders.
As SafeBreach, this is yet another welcomed initiative. We always look for opportunities to collaborate with the public sector and different partners in the cybersecurity space. SafeBreach Labs’ mission is to proactively find and address undiscovered vulnerabilities and attack vectors and actively share that information to enhance the safety of the security community as a whole.
Initiative 2.3: Increase the speed we share information across the organization and our constituents.
For this initiative, the Administration is looking to enhance the speed and amount of threat information sharing both internally and with the private sector. In the cybersecurity ecosystem, the faster you get threat intelligence, the more time you have to prepare properly to defend against upcoming and active threats. It is noteworthy that this initiative also looks to enhance victim notification mechanisms.
As the internal/product CISO, this is very important to me. Leveraging publicly available threat intelligence in a timely way allows me to validate threats and remediate them in the narrow window of opportunity before adversaries attempt to attack our infrastructure.
As a trusted advisor, I see an opportunity to help our customers leverage the same threat intelligence. An added potential aspect of this initiative is mentioned in the last sentence of this initiative: the Administration strives to provide some higher-level of classification for threat intelligence to critical infrastructure companies. Our platform will allow critical infrastructure customers to ingest this intelligence and weaponize it within our platform to validate their security posture against threats contained within that feed.
From the SafeBreach point of view, this is more welcomed news. We are already using open-source and public threat intelligence feeds. Any addition in both scale and speed will help us protect ourselves against emerging threats.
Initiative 2.4: Prevent misuse of our resources.
This initiative is one of the more intriguing initiatives in my mind. Malicious actors have leveraged cloud infrastructure to scale and speed up their operations. They have also used this infrastructure to avoid potential attribution and prosecution. With this initiative, the Administration seeks to require infrastructure providers, especially for US-based infrastructure, to increase security measures and prevent infrastructure abuse. I hope this will compel these service providers to extend these measures beyond the US. All major cloud infrastructure providers are based out of the US and have US-based infrastructure, and they also operate in multiple countries and regions. Denying malicious actors access to cloud-computing services and infrastructure will severely limit their abilities.
As an internal CISO, one of my concerns is detecting and preventing malicious or unintentional misuse of our resources. A simple example is an employee using The Onion Router (TOR) browser to browse the Internet anonymously. While there are some legitimate uses of this technology, for the most part, it is used to download pirated content and potentially malicious content. This type of activity would constitute a significant risk to my company. Detecting and preventing misuse of our network and computing resources is very important. Implementing simple and free mechanisms such as Domain Name System Security Extensions (DNSSEC) and Domain-based Message Authentication, Reporting & Conformance (DMARC) also helps prevent malicious actors from abusing our DNS and email infrastructure.
As a product CISO for a cloud-first company, we rely heavily on cloud infrastructure. One of my concerns is that malicious actors may be able to leverage our infrastructure and misuse it as part of their activities. Having cloud service providers help me further detect anomalous or suspicious activity will mitigate this particular risk. As a trusted advisor, I see an opportunity to work with our customers to validate that they are configuring their controls correctly to prevent misuse of their resources and infrastructure.
Finally, as SafeBreach, this initiative tells me that the Administration is looking to actively protect us and limit the adversaries’ ability to take advantage of cloud computing and infrastructure to launch attacks against us. With the rise of PaaS and Ransomware-as-a-Service (RaaS), we see this as much-needed support.
Initiative 2.5: Deter cybercrime and prevent ransomware.
With this initiative, the Administration attempts to go after the “reward” side of cybercrime and ransomware. Specifically, the Administration will seek to prevent malicious actors from easily profiting from their activities to reduce the financial incentives, thereby upsetting the risk-reward balance. I’ve seen some commentary that says this is the government’s attempt to regulate cryptocurrency. I beg to differ. The government makes it harder for hackers to launder money through cryptocurrency exchanges. This activity is not the same as regulating cryptocurrency. In the last paragraph of this initiative, the Administration states that they are “strongly discouraging” companies from paying ransoms, but stops short of stating that it would operate to prevent such payments. The Administration also states that they will help victims of ransomware prevent future successful ransomware attacks.
As an internal CISO, my main approach to dealing with ransomware is to have a good and tested backup strategy. This means I back up all critical information frequently and test my ability to restore these backups. Next, I need to prevent the ransomware from getting into our network. Most, if not all, ransomware actors target users and endpoints. Then, I look for ways to prevent ransomware from moving laterally across my environment—this addresses one type of ransomware threat, where an adversary encrypts my data and requires a ransom to unencrypt it. In situations where an adversary also exfiltrates my data and threatens to make that data public, I must prevent data from being exfiltrated from my environment. I suggest adding data leak prevention (DLP) and tighter egress controls. As a trusted advisor, our platform enables customers to test all the controls mentioned above safely.
As SafeBreach, we agree that if the administration significantly impacts the reward system that motivates the malicious actors, it will also significantly reduce their activity and potential impact.
Theme 3: Drive security-by-design.
In this pillar, the Administration addresses methods to reduce risks that are not necessarily dependent on technology. Specifically, it looks to implement security-by-design concepts that promote overall security.
Initiative 3.1: Enhance accountability.
In this initiative, the Administration is looking to help shift the responsibility of the security of our systems and the data of our constituents from the end-consumer to the owners, operators, and “stewards” of these systems and data. This concept is an important one. While the ultimate impact of a data breach is on end consumers, there is a tendency for organizations to transfer the liability of such an impact to end consumers as well. Too often, this causes companies to reduce investment in cybersecurity, since the impact of incidents is essentially transferred away from them and to the end consumer.
It should be noted that this particular initiative is one of the main initiatives around information privacy. While most of the strategy document focuses on cybersecurity, the administration is linking the cybersecurity strategy, at some level, to information privacy.
As an internal CISO, this is an important initiative. System owners and data stewards must be accountable for the security of their environments. We cannot simply expect our end users to carry the brunt of responsibility in case of a breach. As data owners, we are better equipped to analyze access issues, detect potential misuse, and prevent breaches. As the CISO, I also need to empower data stewards with the tools and resources they need to take on this responsibility. It also means we must hold vendors that collect, process, and store our data accountable.
As a product CISO, I need to take more responsibility for our data, push for privacy-by-design practices, and minimize dependence on downstream vendors for data privacy. As a trusted advisor, this does extend to how our customers use our platform. I have an opportunity to work with our customers to ensure they use it correctly and safely.
For SafeBreach, thankfully, we don’t collect or process personally identifiable information (PII), so this particular initiative does not impact us as a vendor. It does help hold our downstream service providers accountable for the data they collect, process, and store on our behalf.
Initiative 3.2: Enhance the security of the IoT.
With this initiative, the Administration is looking to advance the state of security inherent in the Internet of Things (IoT) and operational technologies. It is important to note that IoT devices share a common challenge; they are typically designed with something other than security in mind. At the same time, these devices do help processing capabilities. This challenge means malicious actors who can access these devices can also compromise them.
As an internal CISO, I must acknowledge that even though we are an IT-focused company, we still have IoT exposure. Examples include our fancy coffee machine that is connected to the Internet and our badging system that controls physical access to our offices. As noted above, to compromise IoT devices, adversaries must access the device which, in most cases, comes through traditional IT interfaces to the IoT. SafeBreach does not provide IoT, although some virtual appliances we provide our customers can be viewed as sharing IoT characteristics. Namely, they are largely a black box to our customers, are connected to their network, and have a specific IT-based interface. As a product vendor, I must ensure that malicious actors cannot leverage this interface to breach the appliance and use it for malicious activity. As a trusted advisor, I have the opportunity to help our customers understand and validate the security of the IT environment with access to these IoT devices. We also ensure that our customers can trust and test the security of the virtual appliances we provide.
As a US-based company with few IoT devices, this initiative does not really apply to SafeBreach. But we do recognize that this is a very important initiative for some of our customers.
Initiative 3.3: Demand higher security standards from vendors and accept responsibility for our products.
This initiative is one of the few legislative initiatives the Administration is pursuing as part of its cybersecurity strategy. Specifically, in concert with initiative 3.1 above, the Administration wants to ensure that the entities with the most capability can secure their products. One way of looking at it is that this legislation attempts to prevent supply-chain vulnerabilities due to lax security development practices or failure to exercise due care.
As an internal CISO, this is an issue I run up against quite often. Specifically, vendors who seek to limit their liability for the product or service they sell me, while at the same time expecting me to trust that their supply chain is secure.
As a product CISO, our development group depends on open-source and vendor tools that leverage open-source components. This initiative can help with that side of the equation. That said, as a product CISO, I need to understand the upstream implications of such legislation as it relates to requirements I have to make to my development organization regarding our software bill of materials (SBOM). I am also encouraged by the administration’s intent to offer a safe-harbor provision for companies that show due care in following best practices and secure-software development processes. As a trusted advisor to our customers, we have an opportunity to enhance the trust they place in us by providing transparency about our security process and program.
With SafeBreach being a software vendor, this initiative can certainly impact us. That said, since I ensure we exercise due care and use a secure software development process, I am confident that SafeBreach can comply with this legislation.
Initiative 3.4: Use funding and incentives to promote security-by-design.
In this strategic initiative, the Biden Administration attempts to incentivize critical infrastructure organizations and other public sector entities to invest in security and resiliency through their respective environments. These incentives are accomplished through Federal grants funded by the Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Science Act.
As an internal and product CISO, I look to model this initiative internally. I need more than an investment in security from my organization, specifically the development group. To empower them to do so, I need to provide them with the resources they need to implement security-by-design. As a trusted advisor to our public sector and critical infrastructure customers, I have the opportunity to help make a case to take advantage of these incentives as they become available. CISA recommends adversary simulation as a best practice to build resilience for the most recent threats, and using the SafeBreach platform is exactly that.
As a company, SafeBreach isn’t directly impacted by this initiative. That said, it may enable more customers to leverage these incentives to use the SafeBreach platform.
Initiative 3.5: Leverage centralized procurement to drive accountability.
With this initiative, the Biden Administration seeks to leverage the purchasing power of the US government to compel vendors to provide secure products.
As an internal and product CISO, I must seek opportunities to consolidate tools and vendors to centralize security, drive operational efficiencies, and gain financial advantages. As a trusted partner, I see quite a few of our customers consolidating their security stacks for the reasons I mentioned above. The SafeBreach platform can help them validate that their security resilience does not suffer—and even validate that it potentially increases—due to this initiative.
As a company and a software vendor, SafeBreach can expect that when the US government seeks to purchase our platform, they will demand this level of accountability.
Initiative 3.6: Consider cyber insurance as a method to transfer risk.
Cyber insurance is a popular way for companies to transfer risk. With the rise of ransomware attacks and a growing number of breaches, cyber insurance companies are facing unprecedented growth. With this initiative, the Biden administration is creating a “Cyber FEMA.” This Federal cyber insurance backstop will help stabilize any issues that may arise due to a cyber catastrophe. In January 2023, Beazley launched a $45 million cyber catastrophe bond; this Federal backstop will provide even more important support.
As a CISO, cyber insurance is an important tool that can help me transfer some risk to insurance carriers, and our customers expect us to carry cyber insurance. However, the increase in the utilization of cyber insurance is causing insurance premiums to go up, and c insurance companies require more from policyholders to ensure their security posture is sound. As a trusted advisor, I have the opportunity to warn customers that cyber insurance carriers will eventually expect their policyholders to prove they are validating their security controls. I can also help them understand how the SafeBreach platform can provide this proof.
As a company, SafeBreach sees this initiative as a positive step to help the private sector mitigate potential cyber disasters.
What to Expect Next
While each of these initiatives will certainly prove to be challenging in one way or another, the Administration is certainly making an effort to provide assistance in enhancing the nation’s overall cybersecurity posture. This is sure to have impact beyond the US, and will hopefully help to set the bar for security-by-design and our collective ability to address threats. Keep an eye out for our final post, in which we’ll cover the remaining pillars of the National Cybersecurity Strategy:
- Pillar 4: Shape Market Forces to Drive Security & Resilience
- Pillar 5: Invest in a Resilient Future