Amidst the tumult of recent events, the White House and current administration have generally received a warm reception for their recent Executive Order on cybersecurity, albeit with some reservations around the reliance upon reporting frameworks to measure the efficacy of the plan.
Notably, the Order shows both a lucid understanding of the complexity of implementing a holistic cybersecurity framework that “comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats”, and strong assessment and accountability guidelines for measuring the program’s success.
Prior to the Order’s formal release, the White House’s homeland security and counterterrorism advisor Tom Bossert expanded upon the administration’s thinking. Speaking at the Center for Strategic and International Studies' Cyber Summit, Bossert noted that the administration ranked enhanced cyber defense as its third priority -- and echoing back to the previous administration’s $19 billion cybersecurity plan, underscored that intelligence sharing and a shared federal-state operationalization plan would be essential to the improvement of the US cybersecurity infrastructure.
In order to maintain a robust and effective security posture, this forthcoming re-investment into cybersecurity will ideally address three core issues: standardization of services through a more efficient selection process; selection of tools, vendors, and sharing communities that reduce opacity around threat identification and response; and the incentivization of creating cybersecurity talent within the US workforce.
Improving Information Sharing Between Agencies
The prioritization around cooperation and intelligence sharing is reflected in the Order’s language, specifically requiring reporting by all major intelligence heads on their processes for “investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation”.
Enhancing cyber-awareness and resilience through intelligence activities is an important change at this level; the arc of cybercrime has bent towards increasingly sophisticated tactics over the past three years, with multi-stage attacks and a combination of technological and social engineering leading to both more breaches overall and a longer time to detection and response on breaches that have been identified.
The challenge here is in the details; there are efforts underway to provide a common national threat sharing platform (see the CyberUSA initiative, under the auspices of the non-profit Foundation for American Science and Technology), but adoption at the federal level has yet to be realized.
One way to move from reporting to real adoption could be through the adoption of a single consolidated platform, as a common infrastructure would enable much more effective threat intelligence sharing. Federal agencies could provide high-level guidance on cybercriminal trends based on intelligence from the NSA, CIA and FBI, while states could then share information on the specific threats they are experiencing. Federal agencies are able to keep the states informed on the latest cybercriminal activity to limit the need for direct intervention.
Reducing Friction through Shared Cybersecurity Services
Cyber threats cross governmental dividing lines.
At the federal level, modernization efforts and investment can both materially improve overall cyber resilience to attack and create a model wherein shared services at the Department of Homeland Security level reduce the barrier to entry for aligning cyberdefense with critical resources.
Both cybersecurity vendors and community resources can be more readily made accessible to federal organizations, especially where technology is most susceptible to attack: communication infrastructure, information warehousing, and collaboration technologies that expose data to potential exfiltration risk.
Aligning each of the named agencies to NIST standards to improve Critical Infrastructure Cybersecurity helps ensure that core functional areas for security investment are met. Where the Framework itself falls short is in reducing the complexity of selecting tooling for meeting the guidelines; ideally, we will see an implementation that simplifies the process of selecting from tens of thousands of competing security vendors and negotiating multiple disconnected procurement contracts or delaying operationalization during a complex multi-vendor bidding process.
For a model of what that might look like, consider the model of the General Services Administration as applied to human capital management: by pooling resources and services, disparate federal agencies can benefit from pooled purchasing and best practice implementations for functional requirements (legal, payroll, and financial management, for example), reducing the time and effort required to reach a minimum acceptable standard within critical operational areas. Cybersecurity could -- and arguably should -- be run in the same fashion, simplifying the work required to build consistent frameworks for security tools across all federal agencies.
Creating a New Talent Pool for Cybersecurity
To stay ahead of highly adaptive adversaries, the US must also put in place policies and budget allocations that can increase the talent pool of qualified cybersecurity professionals, which are at an all-time low across the IT industry.
During a Senate Armed Services Committee hearing on “Foreign Cyber Threats to the United States,” Admiral Michael Rogers, Director of the United States National Security Agency, noted that one of the primary challenges his agency faces is hiring staff. Recent research from Indeed.com backs up his argument that the talent pool for these roles is woefully inadequate; a recent cybersecurity analyst role, according to their data, generated fewer than ten inquiries, a shockingly low number for a position that requires only a bachelor’s degree and, according to the Bureau of Labor Statistics, comes with a $92,600 average annual salary. The BLS further predicts these analyst positions will grow by 18% through 2024, making it especially important that the government play a part in developing this skillset within the national workforce.
One way to address this shortfall is by establishing cybersecurity centers of excellence around the country. Currently, there are large concentrations of cybersecurity talent in Boston and Silicon Valley. The government should expand that expertise into other metropolitan areas like Chicago and St. Louis to ensure adequate supervision of critical infrastructure. At the same time as the US needs to retool its workforce for the digital age, security provides the White House with an excellent opportunity to ensure policies help encourage academia, certification programs, and federal scholarships and grants to incentivize citizens to pursue a career in the Information Security field.
If the White House embraces the goal of developing a stronger national supply of security professionals, it can then work with other government agencies – most notably the Department of Education and career assistance agencies – to support the initiative. Cybersecurity has the potential to create thousands of highly paid, highly accessible jobs that are critical to the country’s national security and economic needs.
The White House must get off to a fast start with their cybersecurity initiative. Harnessing the nation’s cybersecurity expertise and creating a strong federal-state framework are two major pillars in securing the US from cyberattacks.
These initiatives provide a solid foundation upon which following years’ budgets can build, but doing so will require both political will and collaboration across security community lines, with both public and private sector engagement.