Coming up this week on Breaking Badness. It’s Pillar Time! and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
It’s Pillar Time!
- In March 2023, the Biden-Harris Administration released the National Cybersecurity Strategy. The purpose of this strategy is to make shifts in how the United States allocates roles, responsibilities, and resources in cyberspace to protect our national interests
- This strategy builds on the work of existing policy and previous administrations
- Probably the highest profile part of this is the establishment of our favorite agency to debate the pronunciation of: CISA, formed in 2019
- But we can go back farther to 2007, when the National Protection and Programs Directorate was formed (under DHS). There’s been a gradual increase in focus, and evolution of efforts, around cybersecurity at the Fed level
- There are 5 pillars detailed in this strategy, the first being “Defend Critical Infrastructure,” discussing “the expanding the use of minimum cybersecurity requirements in critical sectors,” but what are the minimum requirements as they stand today?
- Well, what might surprise a lot of folks, though maybe not Breaking Badness listeners, is that there hasn’t been much in the way of hard requirements that carry the force of law
- What there have been are guidelines
- So one of the items that we could have mentioned with the previous question but deliberately held back was the NIST Cybersecurity Framework
- The first version of that was released in 2014, and it was aimed at critical infrastructure operators. But those are guidelines, not laws
- What’s shifting here is that by moving toward putting some legal teeth into this, the government is saying, quite explicitly, that the nudging/encouraging approach, which is to say making everything voluntary, has not worked, or not worked well enough
- We think that’s pretty significant, and we’ve seen this administration ramping up toward that with, for example, the earlier EO that put down some hard guidelines when it comes to Federal procurement of software. To be clear, that is different from putting laws in place mandating specific levels of compliance, but it was a foreshadowing in some ways
- The second pillar seeks to disrupt and dismantle threat actors using all instruments of national power
- What is coming out of this is an idea of “Defend Forward”
- The government has a policy of hacking hacking groups
- Government entities will have construction to attract various threat actors and we’re not going to wait and react, we’re going to go after the cybercriminals themselves
- The subsection of this tries to prevent US infrastructure used in attacks
- The idea is you can’t just accept bitcoin to accept a server – you have to trace it back to a person in the US
- It’s called out very explicitly – you have to be able to do a certain amount of know-your-customer
- The second pillar also mentions that they would engage the private sector in disruption activities through scalable mechanisms. Private sector partners are encouraged to organize their efforts through nonprofit organizations
- There’s a bunch of organizations with the acronym ISAC – the idea is work with these existing groups
- We’ll be interested if this does speed sharing because it could speed responses as well
- What is coming out of this is an idea of “Defend Forward”
- This strategy specifically calls out ransomware as a threat to national security, public safety, and economic prosperity, and we can agree that it is, but is it the biggest threat?
- We continually see articles arguing that it is, or other elements like Business Email Compromise are taking its place as the leader – should this strategy be addressing the other less-flashy threats?
- This is really interesting to contemplate, because on the one hand these ideas seem to be in opposition – BEC creates more financial losses, but ransomware is the national security problem—wouldn’t BEC be the biggest threat from a NatSec perspective?
- But weI think there’s a way in which they actually aren’t so much in opposition, and to us a lot of that has to do with the questions around policy on paying ransoms, which is part of a bigger question that’s similar to the question of whether to negotiate with terrorists
- We know that there’s a strong geopolitical component to ransomware, so when we develop policy around it, we’re ipso facto generating policy around interacting with other state actors
- We continually see articles arguing that it is, or other elements like Business Email Compromise are taking its place as the leader – should this strategy be addressing the other less-flashy threats?
- Pillar 3 discusses shaping market forces to drive security and resilience by holding the stewards of our data accountable. What does this mean for organizations working with customer data? Will we see shifts in company privacy policies as a result of this?
- The short answer is, yes. Next question (jk!)
- This is some of the most interesting stuff in this document
- We’ve seen trends starting with GDPR
- The real push for close governance of data and the privacy of individuals online
- California led the way with CCPA – very similar to GDPR and it’s likely we’ll see more laws similar to that, but in conjunction with Pillar 3.3 – shifting to the entities that are introducing vulnerabilities. It puts liabilities on vendors instead of ducking out in the terms and conditions that we all ready very closely
- The public is not going to put up with their privacy being compromised and being sold indefinitely
- It’s perfectly fine legally (not morally) for your data to be sold by these data brokers
- We will start to see some legal teeth to get vendors to take accountability for peoples’ data
- Another example in there has less to do with folks’ data, but making IoT devices more secure, which is pretty exciting
- Pillar 3 talks about shifting liability for insecure software onto the vendors of that software. What does that mean for software companies? Is this something they can just write into another clause of their insurance policy?
- The IoT part was a whole separate callout
- They’re saying to vendors of software: this has got to change
- And just to note, these are just wish lists – Congress needs to approve
- This one and the privacy one might not make it – we’ll be curious to hear about it
- Jen Easterly of CISA has spoken about it – and the analogy she used is that if you rub the fender enough that it explodes, you would expect the manufacturer to be liable – and that’s kind of what happens with software
- That doesn’t quite work for software because we don’t build software out of random parts
- Log4J is a volunteer effort written for fun that turned into this giant thing
- This can have a huge impact
- This section even mentions that an insurer of last resort should be set up
- Moving on to Pillar 4, which is to invest in a resilient future. This pillar mentions prioritizing cybersecurity research and development – what sort of research do you think is the most critical right now in our space?
- This is hard because people want to do neat stuff, but the federal government is fairly small compared to the private sector, so neat research might not be a good use of their time
- A few years ago there was the Cyber Grant Challenge to automate Red Teaming – you have to build something that can attack this chain of computers – they all failed, but now there are companies selling this product
- But that’s crazy stuff that would be interesting to see the government doing more of
- We’ve spoken before about careers in cybersecurity – we ask our guests about their career paths and we’ve written a blog post about the road to InfoSec and how we need more good people. Pillar 4 addresses this issue as well.
- We think the concepts laid out are great—We agree with the “what.” We think the “how” is still a bit murky
- The closest they come to answer that is probably where it says that it will build on National Initiative fro Cybersec Educaation, CyberCorps, Scholarships for Service, National Centers for Academic Excellence in Cybersecurity, the Cybersecurity Education Training and Assistance Program, and the registered apprenticeships program
- It will also build on NSF workforce development. Another of the “what” items without a ton of detail about the “how,” but which we agree with extensively, is the LGBTQI+
- Pillar 5 focuses on international partnerships to pursue shared goals. How will the United States be able to hold irresponsible states accountable when they fail to uphold their commitments to a stable cyberspace?
- Some of this is happening already with efforts to seize various ransomware groups
- Frankly, this boils down to diplomacy – how to we hold a country responsible if they look the other way if they’re poisoning our food or hijacking our ships
- Basically what this is saying is “what happens in cyberspace doesn’t stay in cyberspace anymore.”
- We’re going to look at this like a law and we’re going to start applying the law to any other international law
- Are there any constructive criticisms or reflections toward this Strategy?
- Overall, it’s an interesting grab bag
- There are some really good ideas, but the overall tone is “we tried it your way and it didn’t work” and that’s a new tone to be taking
- The proof will be in the pudding – how much will actually make it to legislation?
- The debate will be interesting to see and even just having that will be valuable
- We want to see more about the “how”
- Some of this will come down to where budget is allocated and how it will be used for enforcement mechanisms and incentives
- We’re unsure how to evaluate the impact this will have until we have more specifics
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
