Federal Government Enhancing Its Cybersecurity Efforts


Posted on by Robert Ackerman

It has been relatively subdued on the cybersecurity landscape lately, notwithstanding heightened ransomware activity, no doubt in part because the latter is no longer a fresh development and newer headaches, such as soaring inflation and interest rates, are also confronting Americans. But this backdrop belies the fact that there is significant activity in cybersecurity, and this time the news is good, not bad.

For the first time, the federal government—in a radical departure from the past—is forcefully tackling the cybersecurity threat and seemingly setting the stage to help mitigate attacks and breaches down the line.

To be sure, much more needs to be done, and the government will never be able to stop every cyberattack. Yet if government can get to the point where the number of victims is markedly smaller, the cyber war becomes much more manageable. Among other things, managing cyberthreats requires a strong partnership between the government and private sector and better information sharing throughout a multitude of industries, which is starting to coalesce.

Here are key positive developments of late:

+ Congress signed into law in March legislation that requires companies in critical infrastructure sectors, such as energy, manufacturing, and transportation, to alert the federal government about significant cybersecurity incidents within 72 hours. In addition, nonprofits, businesses with more than 50 employees, and local and state governments, as well as critical infrastructure companies, must report ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency.

+ Over the past year, CISA has installed advanced tools to detect hacking threats on computers and servers at 15 federal agencies. This is called “endpoint detection and response” (EDR) and is considered far more effective than simply monitoring for threats as they enter an organizational network. CISA expects these tools to be installed or in the process of being installed in a total of 53 agencies by the end of September.

+ The White House has ordered federal agencies to fix, in a timely manner, hundreds of vulnerabilities in software and hardware that hackers have been known to exploit. The genesis of this first-time directive, in part, was due to the infamous SolarWinds attack, discovered in December 2020, which impacted thousands of organizations, including multiple federal government agencies and Fortune 500 companies. The intrusion wasn’t discovered until months after malicious code was injected into a routine software update.

+ A White House cybersecurity summit last summer, hosted by President Biden and attended by CEOs representing multiple industries, successfully helped persuade business leaders to commit billions of dollars to improve cybersecurity. Microsoft and Alphabet’s Google unit alone pledged more than a $30 billion, multi-year investment in cybersecurity advancements. Among their goals, as well as those of federal government agencies, is the adoption of zero-trust architecture, whose primary goal is to shift from “trust, but verify” to “verify, then trust.” Implicit trust is nonexistent.

These actions demonstrate the advancements that go far beyond what has been done in prior years.

As an example, the first major piece of Congressional cybersecurity legislation—the Cybersecurity Information Sharing Act of 2015—called upon businesses, government agencies, and other organizations to share information about cybersecurity threats to mitigate future attacks. Participation was voluntary and turned out to be limited. Many entities were hesitant to share information.

A year and a half later, former President Donald Trump signed a cybersecurity Executive Order to improve the security of federal agencies and require status reports of critical national infrastructure. In the end, however, many provisions of the EO were not executed. Roughly a year after that, the position of the national cyber czar was eliminated, and things stayed that way until the middle of 2021.

The change of heart about building a more effective cybersecurity strategy is widely perceived to be a reaction to the SolarWinds episode, which embarrassed the Trump administration not only because it was so widespread but also because it took so long to identify the breach. The icing on the cake came a few months later, in May 2021, when Americans experienced firsthand the impact of the Colonial Pipeline cyberattack that knocked offline an essential gasoline pipeline serving nearly half of the adults in much of the eastern half of the country.

As it turned out, the Colonial Pipeline hackers never actually reached the operational technology systems that sent oil through the pipelines. But they caused so much panic by locking up the information technology systems that run the company’s computer systems that operators thought it best to shut down the pipeline anyway. The upshot: Many Americans suffered the real-world, day-to-day implications of a cyberattack and wanted the government to prevent it from happening again.

More progress continues to be needed on the cybersecurity front. Although some states have enacted various forms of data breach notification laws, there is still no federal law that requires companies to disclose cyber breaches, a significant impediment. Another big problem is the persistent, unmet need for cyber pros in government and industry amid a relentless surge in hacking. Cyber training programs and universities have been unable to keep up.

And most of all, some contend, is the necessity for better consumer cyber education. Most cyber events are the result of a failure of fundamentals. If consumers and employees don’t know how to spot threats, they are not prepared to protect themselves or their companies.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Policy & Government

ransomware cyberattacks policy management threat intelligence

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs