The National Cybersecurity Strategy released on Thursday by the White House is drawing strong initial reviews from across government and the private sector on a number of fronts, including its spur to modernizing technology, harnessing the full power of the Federal government to promote better security, and wrapping private sector interests more fully into the effort.
The strategy features multiple focus points including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers. Implementation of the strategy is already underway under the coordination of the Office of the National Cyber Director (ONCD), which produced the plan.
On the Hill
From the congressional side, Rep. Gerry Connolly, D-Va., applauded the Biden administration for adopting “a forward-looking, whole-of-government approach to cybersecurity that seeks to ensure the safety and security of every American in the digital sphere.”
“This Administration understands that the nature of the 21st Century threat landscape demands strong, proactive leadership from the federal government, and that’s what they have delivered,” said Rep. Connolly, who is ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
“I look forward to working with the Administration to bolster our federal IT’s cybersecurity posture, particularly through the development of a new FITARA cybersecurity metric that both accurately and securely assesses federal agencies’ cyber performance,” the congressman said.
Ross Nodurft, executive director of the Alliance for Digital Innovation (ADI), said the technology trade group commends the strategy’s “comprehensive approach to enhancing our nation’s digital security.”
“We appreciate the strategy’s focus on replacing legacy systems with more secure technology, including through accelerating migration to cloud-based services, along with its emphasis on public-private collaboration, investments in zero trust technology and innovation, and the development of a diverse and robust national cyber workforce,” he said.
“There are many areas outlined in the strategy that will require partnership with industry, and we look forward to working with Congress, the Office of the National Cyber Director, and federal agencies to shape the implementation of the Administration’s cybersecurity initiatives,” Nodurft said.
“The National Cybersecurity Strategy is a mandate for change in a changed world,” said Stephen Kovac, Vice President and Chief Compliance Officer at Zscaler. “The policy emphasizes the White House’s commitment to zero trust as the foundation for protecting Federal data and missions. It builds on OMB’s zero trust architecture strategy that directs agencies to encrypt data, gain better attack surface visibility, manage access and authorizations, and adopt cloud security tools.”
Kovac added that the strategy goes further, acknowledging that agencies need modern IT and OT systems to achieve zero trust, and asks agencies to identify milestones to remove legacy systems that can’t support zero trust architecture within a decade (or mitigate risks to systems that can’t be replaced in that timeframe.)
“We are on the right path, and we can move faster,” said Kovac. “The strategy highlights priorities that will accelerate progress. One is expanded public-private partnership, for example CISA’s Joint Cyber Defense Collaborative, JCDC. A second is leveraging investments in innovation, R&D, and education to strengthen defenses and our ability to respond to threats. Zscaler is committed to continuous innovation – it’s in our DNA. Our AI-powered phishing detection and dynamic risk-based access policy features are great recent examples.”
“This strategy outlines a multi-pillar approach to impose needed security outcomes across critical infrastructure,” said Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology (GDIT). “The cyber security baseline under this strategy will set in motion a much-needed deep dive across authorities and current regulations to address cyber concerns now and into the future.”
“While the challenge is always in the implementation and it won’t be easy to harmonize approaches, the process that led to this strategy was very collaborative with both industry and government stakeholders,” Hayden said. “The cyber strategy will serve as a lasting legacy for the great service” performed by former NCD Director Chris Inglis, he added.
Mike Wiseman, Vice President, Public Sector at Pure Storage, highlighted the strategy’s take on infrastructure security, particularly with the electrical power grid, and the need to build in better security upfront.
“As highlighted in the National Cyber Strategy, the Federal government is accelerating the transition to a clean energy future by embracing a new generation of interconnected hardware and software systems that have the potential to strengthen the resiliency, safety, and efficiency of the U.S. electric grid,” Wiseman said. “This includes smart energy generation and storage technology that is sophisticated, automated, and digitally interconnected.”
“Investing in technology that has cybersecurity built-in and is oriented toward minimizing environmental impact from the outset can go a long way toward delivering on the strategy,” he continued.
“Building a secure and sustainable model for the future requires data storage that uses lower power, less cooling, and causes far less waste,” Wiseman said. “It also requires data-centric, flexible, and scalable solutions that prioritize safe and reliable data protection as well as backup and restore capabilities. In building a clean energy future, the Federal government has an opportunity to drive a stronger, more resilient foundation for their digital ecosystem.”
Gary Barlet, Federal Field CTO at Illumio, said it’s important that organizations get going quickly to reduce their risks. “The Biden Administration’s national cybersecurity strategy is a step in the right direction toward making a real and lasting impact on building resilience throughout our critical infrastructure,” he said.
“However, having a ten-year strategy simply isn’t effective,” Barlet continued. “We understand so little about technologies like quantum and AI today, it’s hard to imagine what the impact of technology will be on security in ten years. If we’ve learned anything the past few years it’s that breaches are inevitable, so it is essential that organizations, particularly critical infrastructure, reduce their risk to cyberattacks ASAP, not in ten years.”
Gary Hix, Chief Technology Officer at Hitachi Vantara Federal, said that the strategy “lays out an ambitious vision for a ‘prosperous, connected future’ fueled by technology,” and pointed to several of the areas in which better security will be crucial going forward.
“As society continues its trajectory towards convergence of digital and physical spaces in areas such as IoT, intelligent power grids, and autonomous mobility, addressing cybersecurity demands will become paramount to architecting a secure and resilient digital ecosystem,” he said. “We applaud the Administration’s proactive approach to securing our digital future.”
“In addition to developing our national cybersecurity posture and capabilities, architecting ‘secure by design’ digital cores, data fabrics, and application ecosystems will play a key role in realizing this vision,” Hix said.
“CISA’s continued leadership in this space will remain critical – both in maturing our digital ecosystem’s resiliency and security, and in enabling data-driven innovation and competitive advantages through collaboration with other government security agencies, private industry, and our allies,” he added.
“I’m encouraged to see critical cyber-security issues addressed at the national level,” said Egon Rinderer, chief technology officer at Shift5. “This is a national security matter and deserves such treatment.”
“The ability to make the right decision effectively and more quickly relies on data and the ability to make sense thereof,” he said. “The attack surface is no longer limited to computers and phones as the very platforms and weapon systems on which the DoD relies for mission critical response are just as much a computer.”
“While the strategy and its underlying requirements are important, success will hinge on the federal government’s ability to extend the envelope of visibility and protection to include totality of these systems; not just laptops and servers, but aircraft and weapons, in toto,” Rinderer said. “The policy is a sobering reflection that clearly shows the need to remove the roadblocks that have stymied industry in the past. The realities of current events and the foresight of what lies ahead strikes at the heart at the need to realign incentives to favor long-term investments.”
“When you address cybersecurity issues in a wholesale way like this strategy spells out, you start to really encourage the integration of cyber capabilities that will ensure the U.S. maintains its tactical edge over near peer competitors,” added Joseph Lospinoso, Shift5’s co-founder and chief executive officer. “The policy is very clear eyed about needing to take the burden off the user, the small business, the local government – and very correct that the government and private industry need to keep breaking down barriers to move and innovate at the speed of war.”