The National Cybersecurity Strategy is a mandate for change in a changed world – a shot across the bow acknowledging that modern digital infrastructure is increasingly interconnected and vulnerable to cyber threats.
It builds on the President’s Executive Order 14028, which includes several provisions to increase our nation’s security.
The NCS acknowledges that our cybersecurity posture and supply chain are too complex and important to be left to any single business, government agency, person, or organization. It is intended to disrupt threat actors and their methods – such as ransomware, a borderless cyber crime requiring international cooperation to combat.
Recent research shows a 37% increase in global ransomware attacks, with the U.S. as the most affected country. Working across the public and private sectors and with our allies, we need collective approaches that reduce cyber risk and promote national security and global stability. The U.S. is making progress. The National Cybersecurity Strategy Implementation Plan was built with contributions from the public and private sectors and emphasizes collaboration between government agencies, international partners, and the private sector throughout, bringing in a whole-of-society mindset.
The Cybersecurity and Infrastructure Security Agency’s 2024-2026 Cybersecurity Strategic Plan is a prime example of an agency mobilizing plans to meet the NCS requirements. Notably, CISA will work with partners to gain visibility into the breadth of intrusions targeting the U.S., disrupt/mitigate threat actor campaigns, and accelerate mitigation of exploitable conditions.
We are also making progress establishing a foundation for continuous collaboration. CISA’s Joint Cyber Defense Collaborative has reduced risk to the cyber ecosystem and critical infrastructure by increasing visibility into threats worldwide, strengthening industry and government communication, and fostering initiatives such as updates to the Known Exploited Vulnerabilities Catalog and development of the Geopolitical Tensions Cyber Defense Plan.
Additionally, the NIST Cybersecurity Center of Excellence uses experts from industry, government, and academia to generate new ideas and guidance – like a draft practice guide on “Implementing a Zero Trust Architecture.”
But risk to critical infrastructure, our businesses, and our societies continues to evolve. To maximize cyber resiliency, the U.S. (and our allies) must go beyond requesting information and actively engage industry on second- and third-order effects that can be incorporated into strategies, programs, and funding.
The federal government can:
· Continuously work with private sector partners on cutting-edge technologies and research and development (R&D) programs on all levels – threat identification, mitigation, and solution development to maximize agility and accelerate cyber resiliency
· Leverage industry cyber investment. Programs like FedRAMP, StateRAMP, TIC 3.0, CDM, and Protective DNS capitalize on private sector knowledge and resources, avoiding the need to constantly develop new processes and programs
· Prioritize implementing cyber best practices, solutions, and guidance; recommendations are useless if not applied to ongoing work
· Increase collaboration across the private and public sectors, including agency-to-agency and global government-to-government
Private industry leaders can:
· Strengthen supply chain security and transparency. Much of our critical infrastructure is privately owned; sharing threat information and embracing CISA’s secure-by-design guidance further ensures the security and reliability of our international supply chain
· Invest in novel approaches to attracting and training the global cyber workforce and support knowledge exchange with the government
· Prioritize cybersecurity R&D to increase the use of advanced security measures such as zero trust that strengthen organizational security and protect cloud migration
· Share lessons learned from fielding and securing new technologies with government agencies so the U.S. is armed with the latest capabilities
Funding is the other obvious critical component. While the Administration’s cyber budget priorities align with the NCS, agencies need dedicated funding – which is not available today. The Technology Modernization Fund (TMF) and State and Local Cybersecurity Grant Program show how targeted funding programs can propel cybersecurity initiatives across different levels of government.
While TMF and SLCGP solidify cybersecurity postures governmentwide, there are no similar commercial programs yet to spur this level of cybersecurity maturity.
Until then, the private sector should:
· Determine initial security needs and resource those appropriately within a company’s fixed budget
· Understand and follow the Office of Management and Budget’s Zero Trust Strategy and CISA’s Zero Trust Maturity Model to apply best practices already in use by the government
· Utilize CISA’s free services and tools to test and assess solutions for better cyber investment decision-making
Meanwhile, agencies should align budgets according to the NCSIP’s timelines, and also procure capabilities supporting established, highly effective programs including FedRAMP, StateRAMP, TIC 3.0, CDM, and Protective DNS – with a mindset of quality over quantity.
Federal agencies and private sector partners must work together to educate Congress and the Administration on evolving threats and where increased funding is vital to maintain national security and global competitiveness for us and our allies.
Stephen Kovac is the vice president and chief compliance officer at Zscaler, where he leads efforts to advance federal IT modernization.