Addressing America’s cyber dilemma in the wake of cyber disarray
This article is part of a new monthly series by ISAO SO working group members focusing on current topics impacting the Information Sharing Ecosystem. The content is not endorsed by the ISAO SO but provided to stir conversations and engage stakeholders of the ecosystem.
By Frank J. Grimmelmann
The convergence of successful adversary attacks on United States Critical Infrastructure with the current transition of power in the White House will prove to mark a significant milestone in U.S. policy and regulations, affecting cybersecurity in the U.S. and our federal government’s response to the escalating threat. The timing of the Solar Winds, Microsoft, Colonial Pipeline and JBS compromises highlights the significant vulnerabilities that exist in our cyber infrastructure and the implications of protecting this critical infrastructure and our productive assets in this country. These hacks have simply elevated public visibility into a phenomenon that cybersecurity professionals have witnessed and warned about for years, with the U.S. already ranked No. 1 as the most attacked nation. The motivation remains high for criminals and nation states to continue this trend, driven by $1.5 trillion in profits annually and diverse national security interests. More so, high profile media reporting on the visible proof of the fragility underlying some of our fundamental technology infrastructure has instilled fear in American organizations and the public, providing an unprecedented catalyst for visible government action in the cyber domain!
The administration’s action is most recently evidenced by President Biden’s “Improving the Nation’s Cybersecurity” Executive Order (EO) 14028 on May 12th, followed shortly by EO 14034 on June 9th, “Protecting Americans’ Sensitive Data from Foreign Adversaries”. Early takeaways from both of these suggest a prescriptive approach rather than providing a framework for adoption (similar to NIST). They are accompanied by very aggressive timelines for moving to specifics through designated tasks. Their noteworthy focus is on those doing business with federal agencies and entities; the National Security Agency (NSA) stakeholder agencies are directly involved in proposed standards development, and these EOs could be expanded into law to cover other entities in the future. Given that EO 14028 itself consisted of 88,000 words and was released a week after the Colonial Pipeline compromise, it’s reasonable to conclude that these were previously planned actions with the wording already on the shelf awaiting action. The visible compromises simply provided the call to action.
While extensive, these executive orders only provide a glimpse of the tip of the spear in the administration’s comprehensive response to the very real escalating cyber threat. The more comprehensive overall strategy and execution plan is set forth in the “2020 Cyber Space Commission’s Solarium Report”, which has noble intentions. This report urges for the U.S. government and private sector to adopt a “new, strategic approach to Cybersecurity,” namely layered cyber deterrence. Additionally, the report urges Congress to “pass a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities”. Predictably, components of EO 14028 that focused directly on software developers, along with the respective Solarium recommendations, have already received strong resistance from the software industry.
Presently approved funding strongly supports these recommendations, with the $740 billion 2021 National Defense Authorization Act alone adopting two dozen of the Solarium Commissions recommendations. Additional funding focused on Cybersecurity includes the 3/11/21 American Rescue ACT (passed for COVID Relief), included $650 funding for CISA cybersecurity risk mitigation, an additional $200 million for the Executive Branch Technology Team and $1.4 billion for other technology focused programs in 2021. Note that the Solarium Commission’s mandate has been extended for another year, with the focus now turning toward advocacy and more squarely focused on the private sector.
In parallel, the administration has appointed its new cyber team and reaffirmed others that will remain in place in both the executive branch and U.S. DHS’ Cybersecurity Infrastructure and Security Agency (CISA) to support execution. The common denominator between appointments is that they all have NSA roots having worked extensively together, and were either appointed to the Solarium Commission and/or strongly support its recommendations. Of these appointments, none is more formidable than Chris Inglis’s appointment as the first White House National Director of Cyber Security. Previously serving for 28 years in the NSA, his last NSA position was eight years as the agency’s deputy director. Inglis’s primary duties include: 1) coordination of the defense of civilian agencies, and 2) reviewing agencies cyber budgets—providing the teeth! This effort is supported by a newly created staff of 75, with emphasis on driving a cohesive and comprehensive strategy across all federal agencies focused on information exchange and response.
The other notable priorities that we see emerging include the significant expansion of CISA resources and authority, increased consumer data breach transparency coupled with more stringent reporting requirements, and a big focus on standards that are likely to be adopted as fundamental risk management requirements for accessing the cyber insurance market in the future.
Let’s focus for the moment on sharing threat information as one major priority.
While the present EOs mainly focus on the federal government leading by example, improving federal information system as a foundation, the emphasis stated in the EO is clearly on expanding private-public partnerships through a coalition of the willing. The initial thrust having all federal information systems meet or exceed the standards and requirements for cybersecurity set forth in the sweeping executive orders as a foundation at the policy level.
Removing barriers to sharing threat information serves as an essential and high priority in this regard, driven by the purchasing power of the Federal Acquisition Regulation (FAR) and the Federal Defense Acquisition Regulation. The execution strategy in this regard will be central to its success, and the initial reports will begin to define the specifics for public comment within the 60 days from the EO’s filing.
It’s clear that whatever is put in place for the federal government is intended to be a model for expansion to the public and private sectors. This is probably most clear with suggested standards for commercial software development, since software companies are unlikely to develop one solution for federal information systems and another for everyone else. Uniformity leads to higher productivity and more competitive pricing if one size fits all. Likewise, contractual language developed for federal information sharing with the private sector will more broadly, likely over time, become the norm for information sharing.
Given the fundamentally flawed cyber infrastructure security, the existing defense in-depth capability and the present realities of artificial Intelligence and machine learning, a radical uplift is not just warranted—it is essential. And this uplift will be completely reliant on information exchange and transparency to complement available defenses. Washington is correct in stating that collaboration with the private sector is key, because without trust there is no information sharing. The inherent danger of this critical experiment therefore lies in the emergence of a top-down approach, or that information exchange, as in the past, will become somewhat unidirectional under the guise of national security.
As Henry Kissinger once said, “I believe in the tragic element of history. I believe there is the tragedy of a man who works very hard and never gets what he wants. And then I believe there is the even more bitter tragedy of a man who finally gets what he wants and finds out that he doesn’t want it.” Learning from the lessons of history can avert tragedy in this case if we look at the ISAOs and ISACs that have substantive demonstrated success stories. What has been confirmed time and again to drive success is strong and passionate grass roots effort that can drive proven outcome by engaging those who own the information and aligning the objective with their own self-interests. Alternatively, a prescriptive top-down model has generally resulted in those it affects meeting the letter but not the spirit of the law, and/or minimally participating to assure plausible deniability in adhering to requirements.
We are presently at a pivotal point in history—complacency is our enemy, driven by thinking that orders affecting federal information technology and operational technology are independent and will not affect public and private sector entities. Consider this a call to action to engage in shaping the emerging direction since it is critical to our future.
Act early to weigh-in and comment on all the federal recommendations that will emerge in the coming months and recognize that adopting successful models, and preferably non-prescriptive frameworks today, will directly affect our future and that of the generations that will follow. Given the state of our nation’s cybersecurity, bold changes and significant investments are called for to defend the vital institutions that underpin the American way of life. That said, with at least 85 percent of the cyber infrastructure owned and controlled by the private sector, having the private sector work collaboratively with the public sector, weigh-in and lead the way today is essential to a favorable outcome. We must not wait until it’s too late to change the direction; once the winds of change reach hurricane-force, it will be very difficult to direct this momentum in a direction that will produce positive outcomes.
 Frank J. Grimmelmann serves as president & CEO for the Arizona Cyber Threat Response Alliance (ACTRA), a non-profit entity that was developed collaboratively with the Arizona InfraGard Program, the FBI, USDHS and law enforcement, and independently launched in 2013 to enable its private/public sector member organizations across all critical sectors to enable themselves to respond to the escalating national cybersecurity threat. Grimmelmann co-chairs Governor Ducey’s AZ Cybersecurity Team (‘ACT’) and is a founding member of President Obama’s National ISAO Standards Group Leadership Team at the University of Texas San Antonio (UTSA). As ACTRA’s leader, Grimmelmann was the first private sector representative in the Arizona Counter Terrorism Information Center (ACTIC) appointed to its Executive Board. He has held C-level positions in Finance, healthcare and government, now focusing on cybersecurity in response to 9/11. He holds an MBA in Finance/International Business from UC Berkeley, and a BA in Operations with a Business Law minor from the University of South Florida.
The ISAO Standards Organization is a non-governmental organization established October 1, 2015, and led by the University of Texas at San Antonio (UTSA) with support from LMI and R-CISC. Our mission is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.
Visit www.aztechcouncil.org/tech-events to view all of the Council’s upcoming virtual tech networking opportunities, engaging virtual tech events and in-person tech events.