National Cyber Strategy: 4 things agencies, vendors should know about

The White House rolled out a new cyber strategy for the first time in 15 years.

While most of the coverage of the National Cyber Strategy focused on the Trump administration’s decision to roll back Presidential Policy Directive-20 and give the Defense Department and the intelligence community more flexibility and authority to conduct offensive cyber operations, John Bolton, the national security adviser, said the real goal of the unclassified and classified versions of the strategy was to deter adversaries from attacking the government, critical infrastructures and businesses, while also preparing for the future.

“The strategy directs the federal government to take action that ensures long-term improvements to cybersecurity for all Americans,” Bolton said during a Sept. 20 press briefing. “Recognizing that cyber must be integrated into other elements of national power, the strategy is structured around the four pillars of the National Security Strategy. Each of the four pillars includes a number of focus areas with associated priority actions to secure and preserve cyberspace.”

The reaction to the strategy was decidedly mixed.

Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee, said in a statement, “This strategy will help better combat malicious cyber acts from foreign adversaries like Russia, China, Iran, and North Korea. I have consistently said we must call out our enemies, send a strong message that we will respond when attacked, and ensure there are real consequences if we are.”

Rep. Jim Langevin (D-R.I.), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the Committees on Armed Services and Homeland Security, said in a statement: “While I appreciate that the Trump National Cyber Strategy is in line with the bipartisan progress that has been made over the past two decades, it does not go far enough in accelerating the reforms that need to be made. Cybersecurity is the national and economic security challenge of the 21st Century, and it deserves a whole-of-government treatment. Unfortunately, the strategy is largely a restatement of recommendations that have carried through the last several administrations.”

Industry reaction was mostly vanilla too. Many experts congratulated the White House on the strategy update and for taking a harder stance to call out and respond to cyber attacks from nation states.

For our purposes, let’s just focus on the areas where federal agencies and contractors will be impacted the most.

Here are four items from the strategy that you need to know about:

More aggressive oversight of contractor systems

While there is little new or interesting under Pillar One of the strategy, which focuses on securing federal networks and data, the section around vendors stands out. The strategy states:

“Going forward, the federal government will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, sensoring, and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”

This is, by far, the most aggressive stance the government has taken with contractors who host federal data on their networks.

And it comes after reports found Russian hackers exploited small and large defense contractors under an attack called “Fancy Bear.”

The government has for years tried to work with contractors to protect federal data. In 2013, the Defense Department required vendors to meet National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 regulations to safeguard controlled unclassified information by Dec. 31, 2017.

The Office of Management and Budget also released similar guidance aimed at vendors in 2015.

But based on what the Trump administration is seeing, a more aggressive stance now is expected.

Read between the federal workforce lines

The clamor for more and better trained cybersecurity workers is never ending in both the public and private sectors. Agencies have an even tougher time as few have anything more than direct hire authority to attract workers with this expertise.

The Homeland Security Department’s new personnel readiness system, combined with its authority to pay cyber workers 20-to-25 percent more, is a major reason why the administration is looking to change how cybersecurity workers are managed.

“[T]he administration will explore appropriate options to establish distributed cybersecurity personnel under the management of DHS to oversee the development, management, and deployment of cybersecurity personnel across federal departments and agencies with the exception of DoD and the IC. The administration will promote appropriate financial compensation for the United States Government workforce, as well as unique training and operational opportunities to effectively recruit and retain critical cybersecurity talent in light of the competitive private sector environment.”

To understand this concept more, check out the administration’s reorganization plan, which highlights the cybersecurity workforce, including completing the identification of gaps in that workforce and creating new programs to help fill them.

Securing the federal supply chain

Over the last two years, the focus on better securing the federal government’s technology supply chain has turned up several notches. The strategy highlights the need to better integrate the supply chain risk management into the acquisition process. Some agencies such as the National Nuclear Security Administration and the Defense Logistics Agency are out ahead of most agencies.

“This includes ensuring better information sharing among departments and agencies to improve awareness of supply chain threats and reduce duplicative supply chain activities within the United States government, including by creating a supply chain risk assessment shared service. It also includes addressing deficiencies in the federal acquisition system, such as providing more streamlined authorities to exclude risky vendors, products, and services when justified. This effort will be synchronized with efforts to manage supply chain risk in the nation’s infrastructure.”

DHS launched a supply chain initiative earlier this year and released a request for information in August seeking to establish a business due diligence capability. Responses to the RFI are due Oct. 19.

All of this is part of the pre-planning to create this shared service and address the deficiencies in agency supply chain programs.

Legislative actions in the short term

Among the biggest holes in current federal law are the computer crime statutes, which are severely lacking and are hampering the FBI and other law enforcement agencies.

The 1984 Computer Fraud and Abuse Act has been updated six times over the last 24 years, but many experts believe the current laws are well behind the times.

“The administration will work with the Congress to update electronic surveillance and computer crime statutes to enhance law enforcement’s capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions, and impose appropriate consequences upon malicious cyber actors.”

The goal now is to convince Congress that changing the law is both necessary and among their top priorities.

Copyright © 2019 Federal News Network. All rights reserved.