Mediaboss Marketing

Earlier this year, the Biden White House released its National Cybersecurity Strategy policy paper. Although it has some very positive goals, such as encouraging longer-term investments in cybersecurity, it falls short in several key areas. And compared with what is happening in Europe, once again the U.S. is falling behind and failing to get the job done.

The paper does a great job outlining the state of cybersecurity and its many challenges. It focuses on four different policy areas: protecting critical infrastructure, disrupting and removing various threats, remaking and improving defensive security markets, and suggesting future cyber investments.The strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity, says the initial press description.

That is a good start, to be sure. But, as Acting National Cyber Director Kemba Walden said during a discussion with journalists at the RSA Conference last week, The devils in the implementation planning process. The word easy doesnt show up in our strategy at all.

One place that is ripe for improvement is with the federal government sprawling procurement system. However, as one law firm suggests, there arent any new regulations proposed in the paper that will specifically drive better cybersecurity practices and norms. This sprawl and the resulting complexity dont instill any confidence if we will continue to require the lowest-cost bidder to solve our cybersecurity problems.

Speaking of government sprawl, you might be forgiven if you cant really keep track of all the cyber-oriented initiatives going on right now. The Cybersecurity and Infrastructure Security Agency, or CISA which is part of the Department of Homeland Security has a joint cyber defense collaboration between public and private agencies around the world.

This effort has had some early successes, such as sharing threat intel about malware campaigns by Chinese state actors targeting various state and local governments and another effort aimed at improving the security of the 2022 elections. Its just one of numerous other DHS efforts to strengthen our overall cybersecurity posture, including helping fight commercial fraud (with help from the Immigration and Customs Enforcement), prosecute cryptocurrency transactions (with help from the Secret Service), fund various research efforts such as AI and malware analysis (as part of the DHS science branch) and elsewhere.

The National Security Agency has its own cybersecurity collaboration center. Its focused on protecting the nations defenses and working with various private sector companies to help detect and neutralize threats. For example, last month it worked with the FBI and CISA as well as their counterparts in the U.K. to document the tactics of a Russian state-sponsored attack on Cisco Systems Inc. routers.

Yet many security analysts dont quite give them the props they deserve, given that NSA-built malware has been exploited over the years the EternalBlue code that caused the WannaCry ransomware attacks in 2017 being most notable. At the RSA Conference, Adi Shamir (the S in the name refers to his initial efforts with the company) referenced the NSA and other badguys in one of his talks.

Then there is the National Institute of Standards and Technology, which is part of the Department of Commerce. NIST keeps various cybersecurity standards, such as this framework document, which was first published way back in 2014. Its proposing a major overhaul to come out next year. Duo Securitys blog documents what NIST representatives at the RSA Conference saidis in store, including updates to other efforts to help improve internet of things security, preserve privacy, strengthen identity management and increase software supply chain security.

And there are numerous cyber law enforcement entities within the Department of Justice, including special units of the FBI, and the State Department to arrest cybercriminals, such as this recent reward to help in bring Denis Kulkov.

These various agencies do make it hard to track an overall cybersecurity through line for the federales, and sadly the national strategy paper doesnt really assign to-do tasks to the different agencies or even suggest ways that they could cooperate across the board. Plus, the paper doesnt even put a price on what it would take to fund these various pie-in-the-cyber-sky Great Thoughts.

Another obstacle to better cybersecurity is the crazy-quilt patchwork of privacy regulations that are now being enacted by numerous states. Californias Consumer Privacy Act was the first in 2018, but others have jumped in, including Utah, Colorado, Iowa, Indiana, Virginia and Connecticut. At least 10 other states are getting close with their own laws.

Thats makes it harder for businesses that have a national footprint to craft any meaningful ways to preserve their customers privacy. Of course, the EU has had its GDPR regulations for many years that cover most of the entire continent.

If we look at other efforts across the pond, we see the U.K. hasa single entity that will review every government departments cyber posture under aframework called GovAssure. That would be nice for the U.S., but its unlikely given how we have parceled out various cybersecurity tasks here.

Andthe EU has its 1.1B Cybersecurity Shield effortthat was announced last month. This will connect and share info across national security response centers and aims to be up and running next year. Yes, this is something that we have done in the past but largely on a one-off basis.

Finally, the world has become increasingly interconnected, as documented by the World Economic Forum here. Cyber criminals are more frequently creating the pathways to other global risks, such as failures in public health or critical infrastructures. The good guys (and I am assuming we can finally include the NSA in that category) have to do a better job of cooperating to stop them.

The goal of the White Houses cyber strategy is to make our digital ecosystem more defensible, effective and resilient. Though we should praise this vision, the reality is still a long way off.

TheCUBEis an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate thecontent you create as well Andy Jassy

THANK YOU

Read the original post:
Where is our national cybersecurity strategy? All over the place - SiliconANGLE News