Last Week As A vCISO
Key Takeaways From The National Cybersecurity Strategy
The White House just released a 35+ page document on improving our cybersecurity posture... here is what you need to know.
The White House released an all-encompassing cybersecurity strategy to prepare us for the future. I read the whole thing and found it to be well written, full of ambitious goals, and grounded in the reality of cybersecurity today.
I put together my takeaways in four sections:
Government Entity Takeaways
Large Enterprise Takeaways
SMB / Individual Takeaways
National Cybersecurity Strategy Overall Takeaways
The whole document can be boiled down into two parts:
1. Rebalance and Shift Responsibilities
The authors understand well that “end users bear too great of a burden for mitigating cyber-risks”.
With this acknowledgement, they are going to look to upstream providers, software companies, IoT manufacturers, and everyone in between to take more of the responsibility for building a secure environment from the start.
Some of this will come through better knowledge sharing and expanded capabilities.
But what is really going to happen, and what is being alluded to, is increased regulation, legislation, and fines, since the market has failed to fix this on its own.
Unfortunately, as a society, this is the only way we know how to do things. Look at the SEC draft rules on cybersecurity as an example: public companies currently do not have any inherent cybersecurity responsibilities.
Most people are shocked when I tell them this.
2. Long-Term Investments
The intention here is long-term investment in cybersecurity.
This can be split into 3 sub-parts:
I. Cybersecurity Workforce Needs More Investment
The authors, as anyone in cybersecurity can tell you, really understand the need to improve the workforce. They cite a conservative “hundreds of thousands of unfilled vacancies” (versus the millions often quoted by the press) and treat that as a problem.
II. The Internet Is Old And Inherently Insecure As A Foundation
Nothing could be closer to the truth.
We still rely by default on protocols born in the 1980s such as BGP (Border Gateway Protocol) and DNS (Domain Name System). Neither encrypts or authenticates its traffic by default, so a bogus route announcement or a forged DNS response can cause internet blackouts and/or divert data to malicious actors. That is mind-blowing.
Not to mention IPv6 is yet to be widely adopted. 🤔
The authors understand this very well and want to push us all towards better foundations. Secure foundations = secure products.
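One of the “better foundations” for BGP that the strategy is pushing toward is RPKI Route Origin Validation (ROV), which lets a router reject an announcement whose origin AS is not authorized for the prefix. The block below is an added example, not code from the original post or from the strategy document: a minimal implementation of the RFC 6811 validation states (valid / invalid / not-found) run over constructed ROAs and announcements. The ROA entries, the ASNs (private-use range) and the prefixes (RFC 5737 documentation space) are invented for illustration, as are the function names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample data (hypothetical): documentation prefixes (RFC 5737)
# and private-use ASNs (RFC 6996). Nothing here comes from a real RPKI cache.


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: origin_asn may announce prefix and any
    more-specific of it down to max_length bits."""
    prefix: str
    max_length: int
    origin_asn: int


def rov_state(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Classify one BGP announcement per RFC 6811 Route Origin Validation.

    Returns "valid", "invalid" or "not-found".
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so filter by version first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA, but wrong origin AS or too specific.
    return "invalid"


def filter_announcements(
    announcements: Iterable[Tuple[str, int]], roas: Iterable[Roa]
) -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Apply the common operator policy: drop 'invalid', accept everything else.
    Returns (accepted, dropped) lists of (prefix, origin_asn, state)."""
    roas = list(roas)
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        (dropped if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, dropped


SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64500),     # origin hijack by another AS
    ("192.0.2.0/25", 64496),     # right AS, but more specific than max_length
    ("198.51.100.0/24", 64497),  # /24 is within max_length 24 of the /22 ROA
    ("203.0.113.0/24", 64498),   # no ROA published: not-found, still accepted
]

if __name__ == "__main__":
    accepted, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for entry in accepted:
        print("ACCEPT", *entry)
    for entry in dropped:
        print("DROP  ", *entry)
```

Two caveats a practitioner should keep in mind: “not-found” routes are accepted because most of the routing table still has no ROA, so ROV only bites for prefixes whose owners have published one; and ROV checks only the origin AS, so a hijacker who forges the legitimate origin at the end of the AS path is not caught. Catching that needs path validation (BGPsec or ASPA) on top.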
III. Quantum Computing Is Coming (Or Is It Here Already?!)
Quantum computing was mentioned in the document as a threat to existing encryption protocols. Keep in mind, the government may have advanced research we have no idea about, so it might be here already!
They did seem, reasonably so, a little scared of the idea, so the authors want to invest in quantum-resistant (post-quantum) cryptography.
For the uninitiated, a sufficiently large quantum computer running Shor's algorithm would break the public-key cryptography we rely on today (RSA, Diffie-Hellman, and elliptic-curve schemes), which is what protects key exchange and digital signatures; symmetric ciphers such as AES are only weakened and survive with larger keys. That means traffic captured today, even from end-to-end encrypted connections, can be stored and decrypted later once the capability exists, the so-called “harvest now, decrypt later” threat.
📢 Announcing the vCISO Lite Program, currently in Beta. Geared for founders and leaders at early stage B2B SaaS companies. Get just the right technical and strategic security support you need without breaking the bank.
Exclusive pricing for the first 5 customers.
Government Entity Key Takeaways From The National Cybersecurity Strategy
Critical Infrastructure and National Security are top of mind throughout
There is a lot of work to be done!
Increase and leverage more public/private partnerships and inter-agency collaboration
As a government entity, there is a LOT of homework coming your way!
Recently I reviewed the DOD’s Zero Trust Strategy, which had a long list of to-dos and goals to achieve, all well overdue and to be applauded.
However, there is way more work to be done! (On paper at least)
In a nutshell, they are:
Protect Critical Infrastructure
Modernize Federal Systems
Update their Incident Response Plans and Processes
My takeaway from the last point above was like, wow, even the government is in the same situation as I am when managing security for a company. I feel like updating IR Plans is a never-ending task!
They also mentioned several times Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity”, published two years ago, and the creation of the Cyber Safety Review Board (CSRB), which they want to leverage more, in additional collaboration with the private sector and DHS.
Looks like some foundational things have been accomplished, but they now want to take it to the next level.
The document of course talked about the usual Nation State Threat actors and their massive capabilities, but they did single out the PRC as the biggest threat to the US currently.
The document was filled with tons of government agency acronyms and related documents and strategies; if I had time I would list them all here. (Anyone looking for an internship lol)
Accountability and legislation were mentioned throughout, which I will get to in the next section.
Private Enterprise Key Takeaways From The National Cybersecurity Strategy
There is only one takeaway here:
Get your act together or face penalties or other costs.
Legislation is coming
The biggest takeaway is that more regulations and legislation are needed and will be coming down the pike.
Of course, as with all things government, it might take a really long time and may not have sharp teeth in the end, but the document mentioned several times that companies need to be “Accountable”.
They had some real truths to say about the current state of data accountability and how software companies build and ship insecure code, which puts everyone at risk.
Something I’ve been saying for a long time, and why I’m on a mission to make cybersecurity more accessible, is that we’re all better off as society when we’re securing our systems.
Here are some excellent quotes:
Shipping Insecure Code or Defaults…
Stewards of Data and Accountability…
The document also mentioned stabilizing the cyber insurance market and even exploring the creation of a “backstop” for insurance companies. However, I’m not sure if that’s a good or bad thing right now. Too early to tell.
I do know prices for cyber insurance are getting ridiculous, especially for small companies, so if this helps ease that, then I’m all for it.
Individual Key Takeaways From The National Cybersecurity Strategy
Takeaway: We Hear You and We’re Working On it
For the common American, you won’t see anything change anytime soon; however, this document was geared toward you.
It had the average American in mind and fully empathized with the fact that a “lapse in judgement” could cost you your identity, and that companies need to take some of the blame for shipping insecure products.
It also recognized that there is a lot of work to be done and that too much responsibility has been placed on the individual user.
National Cybersecurity Strategy Conclusion
The National Cybersecurity Strategy document was a good read.
It was well written and didn’t sugar coat any of the issues we currently or have recently faced.
It was clear to me that everything is slowly starting to come together now and build momentum.
Now we need to execute. 🚀
If you are a private enterprise, then I suggest you read Pillar Three: Shape Market Forces To Drive Security and Resilience and possibly Pillar Two: Disrupt and Dismantle Threat Actors.
If you are passionate about cybersecurity education and workforce enablement, then check out Pillar Four: Invest In A Resilient Future.
If you are in the Energy or IoT space, then Pillar One: Defend Critical Infrastructure is for you.
If you are in the government space, then read the whole thing!