A new national cyber strategy, and ever-evolving threats, headline another busy year in cyber


Federal agencies coalesced around a new national vision for cybersecurity over the past year, but continued to grapple with emerging cyber threats.

I asked experts in the cyber field, many of them former feds, the following question: What was the biggest development for federal cybersecurity in 2023?

The most popular answer far and away was the Biden administration’s release of a new national cyber strategy. But regulatory activities, the emergence of artificial intelligence, and some game-changing cyber attacks were also among the most significant developments of the past year.

National cyber strategy sketches out new vision

In March, the White House issued a new national cyber strategy that seeks to “re-balance” the responsibility for managing security risks. One of the big goals of the strategy is to shift the burden for managing cyber risks from customers to manufacturers.

The strategy also stakes out an effort to establish cybersecurity regulations to secure critical infrastructure, a marked shift from the voluntary public-private partnership model of the last two decades.

And in June, the White House Office of the National Cyber Director followed up on the big-picture cyber strategy with the release of a detailed implementation plan, laying out 65 specific actions agencies will take to carry out the strategy.

Matt Hayden, vice president of cyber, intelligence and homeland security at GDIT, and a former Department of Homeland Security senior official, called the implementation plan a key roadmap for federal efforts going forward.

“The release of the White House’s National Cybersecurity Strategy Implementation Plan was a key to all things cyber for 2023 as it laid out ‘how’ the government is going to approach improving cyber protections, including the workforce and security by design efforts,” Hayden said. “That road map, which we expect to be renewed annually, set the tone for 2023.”

Jim Richberg, Fortinet’s head of cyber policy and the former national intelligence manager for cyber, said he was impressed with how the strategy and implementation plan have already resulted in concrete actions, like the Cybersecurity and Infrastructure Security Agency’s evolving “secure by design” guidance and the Federal Communications Commission’s cyber labeling program for smart devices.

“Many of these actions, such as secure by design, are not ‘quick wins’ that will show rapid success, but I think they plant the seeds that will bear fruit in 2024 and beyond,” Richberg said.

The Biden administration also wants to ensure agencies are buying securely built technologies, through the advancement of initiatives like the secure software development attestation form. In November, CISA released a second draft of the attestation form. Once finalized, agencies will require third-party software vendors to sign the form before buying their products.

CISA’s secure by design push and other initiatives increasingly indicate that “software vendors should be accountable for security and proactively address the security gaps in their products,” Joel Krooswyk, federal chief technology officer at GitLab Inc., said in an email.

“Automated security and quality scanning (i.e. DevSecOps), [software bills of material], and zero trust architectures have to be the norm as we head into 2024,” Krooswyk said. “Otherwise, companies and individuals alike could be liable for any resulting leaks or exploitations.”

Threats to critical infrastructure, and federal agencies

Cybersecurity is a field defined by threats and attacks. And in May, CISA and other government partners issued a remarkable cybersecurity advisory: People’s Republic of China-related cyber actors had infiltrated the networks of U.S. critical infrastructure. Not only that, the actors were “living off the land,” using built-in network administration tools to evade detection.

“The discovery and revelation of the PRC campaign and living-off-the-land [tactics, techniques and procedures] was stunning and will have important implications for government and the private sector for years to come,” Bryan Ware, chief development officer at Zero Fox and a former senior DHS official, told me in an email.

“China is aggressively and stealthily pre-positioning itself by infiltrating our critical infrastructure in strategic places like not only our military communications in the region, but also daily infrastructure everyday citizens rely on at home, like water,” Ware continued. “The fact that this campaign is not about espionage, but rather capabilities for disruption of critical infrastructure will catalyze initiatives like secure by design and the recommendations from the Cyberspace Solarium to improve public private partnerships.”

Meanwhile, federal agencies were also wrapped up in several high-profile cyber attacks in 2023. The MOVEit breach, suspected to be potentially the biggest ransomware attack ever, ensnared the data of several federal agencies, including the Energy Department and the Department of Health and Human Services.

And suspected Chinese hackers were also able to infiltrate Microsoft cloud-based email accounts to steal messages sent by Commerce Secretary Gina Raimondo and other high-level federal officials.

That incident is now being reviewed by DHS’s Cyber Safety Review Board.

Carl Wright, the chief commercial officer at AttackIQ and former CISO at the Marine Corps, said the severity of nation-state cyber threats ramped up “exponentially” in 2023.

“It will be important in 2024 for the federal government to take a lead role not only in developing regulatory cyber security mandates but providing more cyber defensive operational support to citizens and corporations to better defend against nation-state adversaries,” Wright said.

SEC headlines cyber regulatory push

The aforementioned national cyber strategy envisions more cyber regulations, specifically for critical infrastructure. And it was the Securities and Exchange Commission that made the most noise on that push in 2023.

First, the SEC issued new cyber rules for publicly traded companies. Those rules have received significant backlash from both industry and some members of Congress. But they still went into effect earlier in December.

And the SEC also brought legal action against SolarWinds and its CISO over the alleged fraud and internal control failures that led up to the eponymous 2020 hack that affected multiple federal agencies. SolarWinds and CISO Tim Brown have denied all wrongdoing.

Michael Mestrovich, the CISO at Rubrik and former CISO at the Central Intelligence Agency, said the SEC action shows CISOs are “increasingly in perilous situations.”

“There will never be enough resources devoted to cybersecurity in any enterprise yet CISOs have to make risk-based decisions every day,” Mestrovich said. “If that were not difficult enough, add to that the threat of criminal charges if you get it wrong and it only adds to an already incredibly stressful environment. Will we see more and more CISOs leave the profession? Will we see an increase in CISO turnover? How will the relationship between the CISO and the board and the executive leadership team change?”

Emergence of AI . . . and AI-related cyber threats

The public introduction of large language models like ChatGPT late last year led to a wave of AI excitement in 2023, but also has sparked major concerns about the security and safety of a technology that is already reportedly being leveraged by hackers.

In October, President Joe Biden issued a sweeping AI executive order that, among other activities, directs agencies to address the most pressing risks, including cybersecurity.

And in November, CISA issued a new AI roadmap that sketches out the agency’s role in ensuring AI systems are protected from cyber threats, while also deterring the malicious use of AI capabilities to threaten critical infrastructure.

Rob Carey, president of Cloudera Government Solutions and former principal deputy chief information officer at the Defense Department, said systems like ChatGPT have “huge consequences” for federal agencies and other organizations.

“It’s key to understand that AI solutions are driven by data, and cyber is a data problem,” Carey said. “Cyber is now embedded into everything and AI has greatly increased cybersecurity awareness, so many teams across the federal government and technology realm are worried about how to defend against AI-based cyber attacks. I believe this is one of the biggest items to be connected with cybersecurity in 2023 and the coming year.”

At the same time, CISA and other cyber defense organizations also see potential utility in using AI to help defend against cyber attacks. Mestrovich said leveraging AI could help make up for consistent shortfalls in the cybersecurity workforce across sectors.

“Generative AI has the opportunity to generate training content specific for various roles, and deliver that content on an ongoing and interactive basis to ensure every employee is best equipped to be a protector of their organization,” Mestrovich said. “AI makes it possible to apply adaptive learning techniques across organizations at scale.”

Copyright © 2024 Federal News Network. All rights reserved.
