The Biden Administration released the new U.S. National Cybersecurity Strategy last week (fact sheet and full document). I’m still puzzled by the timing, weeks after Chris Inglis left as National Cyber Director and with no replacement announced (Kemba Walden is acting NCD). Maybe it doesn’t matter, because there was little shift in executive branch action in this strategy. Most of the headline-grabbing changes, such as changing software vendor liability and calls for new regulation beyond what is already underway, would require congressional action — something that is almost never swift.
These types of strategy documents are worth putting out and updating, perhaps once per administration. It probably should have come out sometime in the first year of the administration, but it’s still worthwhile at this time.
The big miss in the National Cybersecurity Strategy
“Resilient” and its derivatives appear eight times in the short fact sheet and 68 times in the 35-page National Cybersecurity Strategy document. Despite this wise focus on resilience, there are no objectives, approaches or actions addressing the ability of critical infrastructure to function at some minimum required level within some period of time after a cyber incident.
Big miss. Huge miss. And surprising given that the Department of Energy’s Cyber-Informed Engineering leans heavily on this, and INL’s CCE is raising awareness on consequence reduction (as is my Security Truths and Consequences Keynote).
The Fact Sheet has a prominently placed bullet:
- Resilient, where cyber incidents and errors have little widespread or lasting impact.
Acting NCD Walden teed it up well in a speech at CSIS: “Resilience meaning that when defenses fail, which they sometimes will, the consequences are not catastrophic and recovery is seamless and swift. Cyber incidents shouldn’t have systemic, real-world impacts.”
There’s nothing in the strategy to ensure that an attack that succeeds, “which they sometimes will,” does not have an unacceptable consequence? Baffling. How can this be one of the three main items in the executive summary while the strategy has no actions related to it?
Given the approaches and detail in the strategy, this document has to be read as eliminating cyber incidents. None of the items listed in the approach talk about the ability to recover, replace or otherwise keep providing the critical infrastructure product or service after a cyber incident (the regulation I would require if I were king).
The “resilience” approach items in the fact sheet are minimum cybersecurity requirements, reducing vulnerabilities, more R&D on future cybersecurity controls, and a diverse and robust cyber workforce. These are all efforts to reduce the number and scope of incidents. Sure, let’s do this, but even the U.S. government acknowledges that we will not stop all attacks on critical infrastructure if we implement this strategy.
Is the government’s answer to Colonial Pipeline more security controls? Perhaps, although they already had two-factor authentication as a security control and simply were not perfect.
The real question though is what would have happened if the industrial control system (ICS) that monitored and controlled Colonial’s pipelines was down for two weeks or two months or one year? How would we have delivered gasoline and jet fuel if that ICS was not available, or needed to be completely rebuilt? I’ve been hoping the government is focused on that. Since it is nowhere in the strategy, it appears they are not. It’s not easy facing these terrible possible situations and saying they are a potential reality that we have to plan for and be prepared to live through.
What happens if a cyberattack succeeds?
One big part of the National Cyber Strategy should be the ability to continue on in the event a cyberattack succeeds. It’s difficult for any one company, or even an industry consortium, to do because it is more than a business risk; it is a societal risk. I thought the government had realized this based on the CIE, CCE and recent experience.
But this is only the fact sheet; perhaps there is more on this missing piece in the full document. Before going there, not having it in the fact sheet alone is a huge miss. The fact sheet is what the administration views as the most important items, the ones that will get the most attention from the public and the government. It would have been top priority on my list, and in fact the quoted bullet, one of three emphasized, would lead one to believe this is the administration’s view. So why do the highlighted approaches not address it?
While resilience is mentioned throughout the strategy document, the most applicable area to put the requirement to recover or otherwise continue to provide the critical infrastructure product or service is Pillar 4: Invest in a Resilient Future. The only area in the whole document that vaguely addresses consequence reduction is Strategic Objective 4.4: Secure Our Clean Energy Future. It mentions Cyber-Informed Engineering as a way to “build in cybersecurity proactively.” Again, the focus and belief is that we can reduce the likelihood to zero, or even near zero, rather than being able to live in a world where a cyber incident has happened.
Too little, too late
One of the problems with these wide-ranging strategic documents is that it is politically difficult to say that we made a big mistake. I’m under no illusion that the strategy document will be updated for years. Hopefully, the prominent resilience bullet in the fact sheet will allow the U.S. government to pursue a major program that is not in the strategy. My Magic 8 Ball’s answer: My sources say no.
Original content can be found at Dale Peterson.