
Cybersecurity and resilience have grown in priority for both the public and private sectors as threat surfaces reach unprecedented scales and threat actors gain new capabilities. The growing scale and complexity of cyber-attacks not only pose a threat to national security but also cost victims trillions of dollars each year. As the nation transitions from one administration to the next, U.S. leaders must continue to build on the successes of previous administrations, address gaps that exist in the nation’s cybersecurity ecosystem, and continue leaning on public-private partnerships that have proved valuable in the past.
Carrying Best Practices Into a New Administration
Within the last eight years, the Biden-Harris and the Trump-Pence administrations have taken tangible steps to fortify the country’s security posture. In 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018 to establish CISA, a first-of-its-kind component agency dedicated to U.S. cybersecurity. Following multiple cyber-incidents in the U.S., in 2021, President Biden issued Executive Order 14028 (EO 14028), aimed at modernizing and protecting federal networks, improving public-private partnerships, and strengthening the ability to respond to incidents.
In 2022, Congress and the Biden-Harris Administration took this action a step further by enacting the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requiring covered entities to report covered cyber-incidents and ransom payments to CISA. Later that year, former President Biden issued a memorandum to EO 14028, directing federal agencies to only use software provided by software producers who can attest to complying with the “NIST Guidance” outlined in the memorandum. In this case the “guidance” refers to the NIST Secure Software Development Framework and the NIST Software Supply Chain Security Guidance.
Both CIRCIA and the subsequent memorandum marked pivotal steps to improve public-private partnerships to defend and respond to threats, while also shifting liability onto software producers who fail to take reasonable precautions to secure their software.
Software vendors can take multiple steps to build security into the products that agencies will use, much like car seatbelts fitted for safety. Chief among them is the adoption of a secure-by-design framework and software build environment incorporating security into the products from their inception. For example, security vendors should base their build environment on four central tenets:
- Base the build system on ephemeral operations that leave no long-lived environments available for attackers to compromise.
- Produce deterministic (reproducible) artifacts, so that the same source always yields the same output and any deviation can be detected.
- Build in parallel, utilizing isolated and distinct build environments, standard validation, and security. Each build environment should have very limited access, and no single person should have access to them all.
- Verify every build step and produce cryptographically signed statements of fact for each of the tasks executed in the pipeline, creating an immutable record of proof and providing complete traceability.
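The second tenet (deterministic artifacts) and the fourth (a signed statement of fact for every step, forming an immutable record) can both be checked mechanically. The following is an added illustration, not code from the original article or from any vendor's build system; it assumes a constructed demo key and uses an HMAC as a stand-in for a real signature scheme, and hash-chains each step's statement to its predecessor so that removing or altering a step is detected on verification.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the build service's signing key. A real pipeline would
# use an asymmetric scheme (e.g. Ed25519) so verifiers never hold the private key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def attest_step(step, inputs, output, prev=None):
    """Produce a signed statement of fact for one pipeline step. The statement
    embeds the hash of the previous statement, so the record forms a chain."""
    statement = {
        "step": step,
        "inputs": sorted(digest(i) for i in inputs),
        "output": digest(output),
        "prev": digest(prev["canonical"].encode()) if prev else None,
    }
    canonical = json.dumps(statement, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return {"canonical": canonical, "signature": sig}

def verify_chain(attestations):
    """Check every signature and every back-link; return (ok, reason)."""
    prev_hash = None
    for a in attestations:
        expected = hmac.new(SIGNING_KEY, a["canonical"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False, "bad signature"
        if json.loads(a["canonical"])["prev"] != prev_hash:
            return False, "broken chain"
        prev_hash = digest(a["canonical"].encode())
    return True, "ok"

def deterministic(build, source: bytes, runs: int = 2) -> bool:
    """Tenet two: build the same source repeatedly and require identical output."""
    return len({digest(build(source)) for _ in range(runs)}) == 1

def run_pipeline(source: bytes):
    """Constructed three-step pipeline (fetch -> compile -> package), each step attested."""
    compiled = b"obj:" + hashlib.sha256(source).digest()   # deterministic "compiler"
    packaged = b"pkg:" + hashlib.sha256(compiled).digest()
    chain = [attest_step("fetch", [], source)]
    chain.append(attest_step("compile", [source], compiled, chain[-1]))
    chain.append(attest_step("package", [compiled], packaged, chain[-1]))
    return chain
```

Dropping a step from the middle of the chain fails with "broken chain"; editing a statement without the key fails with "bad signature".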
As vendors employ multiple build environments for engineers and application security teams to validate and test the software to ensure it operates effectively and securely, adopting an assumed-breach mindset is also important. An assumed-breach mindset takes zero trust a step further, reducing the attack aperture and risk by eliminating implicit trust, and relying on artificial intelligence (AI) and analytics to continuously validate connections between users, data, and resources through identity and access management, multi-factor authentication, and other measures that insulate the environment from security threats.
Coupled with observability, this model gives organizations single-pane-of-glass visibility into the entire environment to proactively identify issues, including potential breaches. The assumed-breach model needs accurate information to mitigate risks. Observability clarifies how assets fit into the ecosystem and provides critical data about infrastructure and indicators to protect the most critical assets.
However, the responsibility for strengthening our nation’s cybersecurity posture does not rest solely on organizations.
Filling in the Gaps
The federal government also plays a vital role in addressing systemic challenges. While the U.S. has made positive strides in hardening federal information systems and networks during the last decade, the Trump-Vance Administration must address remaining gaps to bolster the resilience of the nation’s digital ecosystem. One of those gaps is workforce development.
As our world becomes more connected through technology, the demand for cybersecurity professionals to address the expanding threat landscape will continue to grow. For example, according to the World Economic Forum’s Global Cybersecurity Outlook 2024, 52% of public organizations said that a lack of resources and skills is their biggest challenge when designing cyber resilience. Another contributing factor to the cyber-workforce shortage is the rapid proliferation of emerging technologies such as cloud computing and AI. While these technologies have introduced numerous benefits and capabilities, they have also widened the workforce gap, creating additional skill shortages. The International Information System Security Certification Consortium reports that of 14,865 cybersecurity professionals surveyed globally, 92% said their organization suffers from skills gaps in one or more areas.
The federal government is attempting to address this widening gap through various skills-based initiatives to expand the cyber-talent pipeline. In 2023, the Office of the National Cyber Director (ONCD) began implementing the National Cyber Workforce and Education Strategy (NCWES), aimed at growing the cyber workforce, increasing diversity, and improving access to cyber education and training through partnerships across the private sector. Another potential pathway, recently introduced in a bill by House Homeland Security (HLS) Chairman Mark Green (R-TN-07), aims to provide full scholarships for cyber training and education for students who, in turn, will work for the federal government for a certain number of years. While both initiatives have enormous potential, they will take time to implement and mature.
The public and private sectors will have to continue finding creative ways to recruit, train, and retain cyber-talent to defend cyberspace from malicious actors now and into the future. For instance, SolarWinds CEO Sudhakar Ramakrishna has proposed an initiative in which industry partners each provide one full-time equivalent (FTE) employee to CISA to work together as a community. We are all resource-constrained. Supplementing CISA with hundreds, if not thousands, of FTEs from across the industry could yield a relatively large, skilled workforce focused on creating best practices, developing advanced threat intelligence, and broadly sharing that information across the ecosystem. Such an initiative would help fill the gap immediately and strengthen the public-private partnership through a shared defense of our nation’s digital ecosystem.
The Importance of Public-Private Partnerships
Another gap for the Trump-Vance Administration to quickly fill is the role of former CISA Director Jen Easterly. Since becoming the operational lead for U.S. federal cybersecurity, CISA has been vital in heightening the security and resiliency of our digitally interconnected ecosystem through public-private partnerships that fortify our nation’s security posture. The public-private partnership fostered by CISA has been instrumental in addressing multiple large-scale attacks, but there is still a lot of work to be done to harmonize legislative and regulatory requirements across the industry.
Like cyber-workforce challenges, legislative and regulatory harmonization will also require strong public-private partnerships to deconflict and standardize reporting requirements. In 2023, the Department of Homeland Security (DHS) identified 45 in-effect cyber-incident reporting requirements administered by 22 federal agencies, according to the Harmonization of Cyber Incident Reporting to the Federal Government report. Depending on the critical infrastructure sector, some businesses could be required to report the same incident to multiple federal agencies, at different deadlines, through varied submission methods (online form, email, verbal, etc.). Hopefully, CIRCIA will provide some clear parameters and coordination mechanisms to minimize regulatory overlap and conflict among the various federal agencies in each sector.
U.S. Congress must also continue its path to agency harmonization regarding cybersecurity legislation and regulations. Recently, Congressman Clay Higgins (R-LA-3) introduced a bill aimed at streamlining federal cybersecurity efforts and removing duplicate reporting requirements. The bill would establish a “Harmonization Committee” consisting of members from ONCD and other regulatory agencies to “develop a regulatory framework for achieving harmonization of the cybersecurity requirements of each regulatory agency.” Clear parameters, standardized reporting channels, and a safe-harbor framework are much needed to alleviate confusion about the reporting requirements and allow the victim to focus on mitigating and resolving the threat, rather than worrying about personal liability.
The Road Ahead
In a CIRCIA hearing last year, Congressman Eric Swalwell (D-CA-14) shared an alarming conversation with a former Fortune 100 CISO, who told him “when an attack happens now, rather than respond to the attack, the first thing that you do is you huddle all of the lawyers and you’re losing precious response time because you’re worried about […] your personal liability on any action that you take, which means that consumer data and consumer information and potentially critical infrastructure could be seriously jeopardized as that’s taking place.”
We must have a unified, whole-of-nation approach through public-private partnerships to protect federal information systems and networks without imposing legislative and regulatory liabilities that will discourage entry into the cyber workforce. As the outgoing National Cyber Director recently stated in a blog titled Service for America: Cyber Is Serving Your Country, “In an increasingly digital and interconnected world, all cyber jobs are vital to our national security and serve our public interest.”
In this era of AI, growing cloud architectures, and more dangerous nation-state actors, the new administration has its work cut out for it to protect national cyber-territory. The good news is that it has a strong foundation on which to build. If the federal government continues to foster positive public-private partnerships to collectively build a sustainable cyber workforce pipeline and harmonize legislative and regulatory processes, the nation will be prepared for whatever cyber-future is on the horizon.