Biden seeks to make the US digital ecosystem more secure

This is the second time the current administrations have called for security orchestration to meet cybersecurity challenges.

South Lawn of the White House. — File photo: PHC C.M. Fitzpatrick / Public Domain

The Biden Administration has set out its future plans for cybersecurity in a new document. The intent of the document includes improving, expanding and protecting the digital ecosystem.

Following the release of the White House’s March 2023 cybersecurity strategy, Cody Cornell, Co-Founder & Chief Strategy Officer of Swimlane, explains to Digital Journal what the key aspects of the proposed legislation are.

According to Cornell, the new legislation needs to be placed in its historical and cultural context: “The need to defend critical infrastructure was top of mind for many in 2022, with both the Colonial Pipeline ransomware attack and multiple attacks on water treatment facilities that continue to reinforce the need for improved protection and resiliency from both state-sponsored actors and individual attackers alike.”

The strategy signals a new regulatory framework. Cornell explains: “The White House is calling for new regulation that is not only for critical infrastructure, but sector-specific regulatory frameworks.”

Cornell’s opinion of this is lukewarm: “While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace.”

This means a more nuanced approach is required. Cornell’s assessment: “As we’ve seen as an industry, getting a standard built, especially a collaborative one, can be extremely time-consuming, and the ability for it to become watered down and lack the teeth to drive change is always a risk in the development and refinement process.”

There are parts of the proposal that are suitable and workable, says Cornell: “An interesting element of the first pillar of the strategy is to create and institute incentives that ensure that low-margin sectors or disincentivized sectors might have the economic support to implement or, at a sector level, may become mandatory across every provider in a sector, reducing the often-seen fight between doing what is right from a security perspective, with the concern that a competitor may forgo those same costs and be able to achieve a lower cost for the market or higher margins.”

In terms of how these might be realised, Cornell explains: “Each of these objectives calls on both industry and government collaboration along with the help of Congress to close any statutory gaps, which again is asking a divided government to do the unpopular task of providing additional regulatory guidance.”

In terms of those aspects of the strategy set to make a difference, Cornell highlights: “An interesting element of the goal of ‘Scaling Public-Private Collaboration’ is to continue to invest not only in the multi-directional sharing of information, but the calls for leveraging of security orchestration to enable real-time sharing to drive threat response.”

There is a pattern here, Cornell observes: “This is the second time the current administrations have called for security orchestration to meet cybersecurity challenges. In the first year of the current administration, OMB sent out memorandum M-21-31 calling for orchestration, automation, and response in response to the SolarWinds breach.”

In summing up the concept from Biden, Cornell notes: “The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and ability to execute inside the windows of an Executive administration and its inevitable changes in leadership that come at a longest in eight-year cycle.”

Cornell’s closing comment is: “Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
