Friday, April 19, 2024

PERSPECTIVE: Why the Federal Government Must Consider a Standardized Approach to Cybersecurity Regulations

Too many organizations in the public and private sectors are applying the bare minimum of security controls and measures to “check the box” on their cybersecurity plan.

2021 was a headline-grabbing hotbed for cybersecurity hacks and breaches. We saw criminal groups and nation-state threat actors alike escalate the quantity and severity of attacks on the public and private sectors, with incidents including Log4j, Kaseya, Colonial Pipeline, JBS, SolarWinds and the attacks on California and Florida water systems.

In the aftermath of each of these attacks, calls for a renewed focus on cybersecurity regulations have slowly grown louder. A piecemeal approach won’t effectively curb this threat. What is needed is a uniform set of regulations that establish a framework of best practices for government agencies and their third-party suppliers to follow.

A coordinated approach to regulation at the federal level would strengthen the partnership between these entities and establish a clear set of guidelines for government organizations and their third-party suppliers to adhere to, reducing the attack surface exposed to adversaries. The Biden administration has already taken steps to address cybercrime by allocating funding and issuing a number of cybersecurity executive orders to better secure and improve government technology and security. Let’s explore how these efforts can be further expanded to achieve a standardized approach to cybersecurity compliance.

Assessing the Biden Administration’s Current Approach

Last year, President Biden signed the $1.9 trillion coronavirus relief package into law, which specifically called out cybersecurity as a key part of economic recovery. The directive included nearly $2 billion in funding allocated toward modernizing government technologies and to help the Cybersecurity and Infrastructure Security Agency (CISA) mitigate risks more efficiently and effectively.

In January, President Biden also signed a memorandum that builds off the zero-trust requirements laid out in his “Improving the Nation’s Cybersecurity” executive order issued in May. It outlines specific ways government networks must be modernized, establishes means of sharing information related to potential threats and breaches, and makes zero-trust adoption a security requirement for all federal agencies.

These actions demonstrate positive momentum in improving transparency and speeding up the investigation and remediation of future attacks at the federal level.

Expanding Cybersecurity Safeguards

Too many organizations in the public and private sectors are applying the bare minimum of security controls and measures to “check the box” on their cybersecurity plan, which significantly decreases the value of compliance and leads to breaches of sensitive data. While it’s true that no two agencies or companies function in identical ways and industries have unique compliance obligations, the foundational tactics and strategies are the same across the board.

Biden’s cybersecurity executive order requires all federal agencies to adopt a zero-trust architecture. With its micro-perimeters and a “trust no one” approach to access, it’s easy to see why this identity-centric framework is being mandated. It moves the attention away from the various methods of authentication and access controls, including the myth of single security perimeters, to tailored controls across sensitive data stores, applications and networks. It also necessitates that users’ identities be verified using multifactor authentication and single sign-on before accessing trusted systems and devices.

If implemented correctly, zero trust is incredibly effective at preventing and containing catastrophic breaches due to its ability to transform current and legacy IT models. The SolarWinds supply-chain attack cast a bright light on the need for federal mandates on third-party vendors and suppliers. Now that zero trust has been recognized as the architecture to follow, the Biden administration should seek to extend that mandate to any third-party suppliers doing business with the federal government.

Achieving a Standardized Approach to Cybersecurity Compliance

Necessary steps have been taken to improve government technology and security over the last year. The Biden administration should look to seize on this momentum to establish permanent guidelines that sufficiently defend government agencies, critical infrastructure and third-party suppliers by making these entities more challenging to compromise.

The progress made thus far is a good start. Now, the administration should seek to expand cybersecurity hygiene to include a requirement for threat intelligence sharing and for operationalizing cybersecurity, so that agencies gain better visibility and have a guidebook to quickly identify, respond to and mitigate potential cyberattacks. This will require additional funding and resources to continue the modernization of the government’s technology infrastructure.

The goal of these strategic steps should be to establish a streamlined and unified approach at the federal level via a single set of compliance regulations. A framework that applies to all agencies and third-party suppliers will reduce the need for compliance mandates to develop at the state level and assist security teams struggling to comply with several mandates at once. This ultimately allows them to better protect themselves against nation-state and other criminal threat actors.

The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].

James Carder
James Carder brings nearly 25 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. As Chief Security Officer & Vice President of Labs at LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, oversees both threat and vulnerability management as well as the security operations center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs threat research, compliance research, and strategic integrations teams. Prior to joining LogRhythm, James served as the Director of Security Informatics at a large non-profit medical center in Minnesota, where he had oversight of the threat intelligence, incident response, security operations, and offensive security groups. Additional experience includes serving as a Senior Manager at MANDIANT, where he led professional services and incident response engagements. He also conducted criminal and national security-related investigations at the city, state, and federal levels, including those involving the theft of credit card information and advanced persistent threats (APTs). James is a sought-after and frequent speaker at cybersecurity events and is a noted author of several cyber security publications. He is also an Advisory Board member for the University of Colorado, NewCloud Networks, and the Identity Defined Security Association (IDSA); a Certified Information Systems Security Professional (CISSP), and a member of the Forbes Technology Council. He holds a Bachelor of Science degree in Computer Information Systems from Walden University and an MBA from the University of Minnesota’s Carlson School of Management.
