Apr 10, 2023

How Zero Trust Enables the National Cybersecurity Strategy

On March 1, 2023, the Biden Administration in the United States published its long-awaited National Cybersecurity Strategy.

Key takeaways:

  1. International cooperation is needed to stem the flow of systemic cyberattacks. 

  2. Critical infrastructure is at high risk and requires zero-trust protection.

  3. Collaborative defense is a pillar of resilience.

  4. The modernization of federal defenses using zero trust will lead the strategy.

  5. Public/private sector partnership is needed to shoulder the burden of defense.

The strategy aims to address the security threats posed by a rapidly accelerating digital ecosystem, and in doing so, to preserve our digital society both in the present and for the future. In describing the future of cybersecurity resilience in the United States, this 39-page strategy paper uses powerful language to highlight the vital role that robust security measures play across society:

“Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications and our national defense.”

The use of such bold language underscores the growing impact of cyberattacks on our businesses and critical infrastructure. There is recognition that it truly is not a case of if but when an attack will happen; every organization, at some level, has been or will be affected by cyberattacks. 

As we enter an era in which cyberattacks by both private actors and nation states are normalized and increasingly commonplace, will the National Cybersecurity Strategy stand its ground? Let’s examine this question, with a focus on the role zero-trust security has to play in making the strategy successful.

An Overview of the National Cybersecurity Strategy

The National Cybersecurity Strategy is part of a broader collaboration with international partners to deliver a solution to an expansive global problem. Despite being a defensive proposition, the strategy endeavors to elevate the importance of cybersecurity and makes privacy protection and accountability for tech companies central to achieving its goals. While the full paper delves into specific strategic security goals, the White House Briefing Room statement identifies five core pillars to accomplish these goals:

  1. Defend critical infrastructure

  2. Disrupt and dismantle threat actors

  3. Shape market forces to drive security and resilience

  4. Invest in a resilient future

  5. Forge international partnerships to pursue shared goals

In support of these five pillars, the briefing room statement further describes the need for “two fundamental shifts.”

Shift #1: Rebalance the Responsibility to Defend Cyberspace

“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

This “rebalancing” moves the burden of cyberthreat mitigation onto the broad shoulders of the tech industry, creating the expectation that those with the most experience and capability should play a greater role in developing systems resilient to cyber threats and attacks. Examples of impacted organizations include cloud service providers and software vendors.

Shift #2: Realign Incentives to Favor Long-Term Investments

“We must realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”

The full strategy document adds one more key element, asserting, “We will realign incentives to favor long-term investments in security, resilience, and promising new technologies.”

This statement reflects advances in more modern and innovative security approaches, such as the zero-trust framework. Indeed, at the very core of the strategy is an effort to move away from conventional, static security tools and measures that are proving ineffective against today’s more sophisticated threats. 

Zero Trust at the Core of the National Cybersecurity Strategy

“The OMB [Office of Management and Budget] zero trust architecture strategy directs FCEB [Federal civilian executive branch] agencies to implement multi-factor authentication, encrypt their data, gain visibility into their entire attack surface, manage authorization and access, and adopt cloud security tools. These and other cybersecurity goals cannot be achieved unless Federal IT and OT systems are modernized so they are capable of leveraging critical security technologies.” 

The strategy stresses a commitment to the long-term application of a zero-trust architecture and modern identity infrastructure and to the modernization of both information technology (IT) and operational technology (OT). It also recognizes that “threats must be countered both inside and outside the traditional network boundaries” and that zero trust is the way to achieve this. 

According to the strategy, zero trust will form a model of best practice for critical infrastructure not just in the United States but on a global basis, as international partners apply the same principles and set the same priorities. Moreover, by implementing and adhering to zero-trust principles to make “its own networks more defensible and resilient, the Federal Government will be a model for private sector emulation.”

With its emphasis on the need to better protect critical infrastructure, the strategy rightly calls out a key security challenge: vulnerable legacy systems and applications. Nearly every organization around the world, and most certainly the federal government and other operators of critical infrastructure, depends on at least one legacy system that cannot be easily patched or upgraded without severe disruption. Traditionally, the risk posed by such systems was simply accepted – largely because no viable alternative existed. This has changed with the emergence of zero-trust access, and the National Cybersecurity Strategy includes a long-term commitment to modernizing legacy systems in line with zero trust principles:

“OMB will lead development of a multi-year lifecycle plan to accelerate FCEB technology modernization, prioritizing Federal efforts on eliminating legacy systems which are costly to maintain and difficult to defend. The plan will identify milestones to remove all legacy systems incapable of implementing our zero trust architecture strategy within a decade, or otherwise mitigate risks to those that cannot be replaced in that timeframe.”

Notably, even while plainly acknowledging the urgent need to improve the security of legacy systems, the strategy still sets aside a full 10 years to solve the problem. The added challenges of federal bureaucracy notwithstanding, legacy systems are clearly seen as much more complicated to secure than more modern cloud applications. But is this actually the case?

How Cyolo Zero Trust Access Aligns with the National Cybersecurity Strategy

Cyolo welcomes the goals and ambition of the National Cybersecurity Strategy. In fact, many of the challenges the strategy highlights are the very same challenges Cyolo’s co-founders set out to solve when they created the company. 

Also like the experts behind the National Cybersecurity Strategy, Cyolo is fully committed to the zero-trust framework and believes zero-trust access can bring game-changing security to both IT and OT environments. Whereas the earlier generation of zero-trust network access (ZTNA) solutions could only support cloud-based installations, the Cyolo platform was designed to be deployed in any environment – on-cloud, on-premises (including fully offline), or in a hybrid arrangement. With technology like Cyolo, critical infrastructure and other OT systems can finally experience the security benefits of zero-trust access.

In addition, and perhaps most significantly given the National Cybersecurity Strategy’s extended 10-year timeline for upgrading legacy systems, Cyolo has the unique ability to retrofit legacy infrastructure with modern authentication capabilities like multi-factor authentication (MFA) and single sign-on (SSO). This eliminates the need for a lengthy and expensive rip-and-replace project that genuinely could last months or even years and enables the near immediate application of zero-trust access to even the oldest mainframe or other legacy system. 

Still, none of this is to say that implementing zero-trust security is without its challenges. Any undertaking of such scale will encounter obstacles, some that can be planned for in advance and others that will emerge along the way. This is why it is critical for all organizations embarking on a zero-trust journey, whether it’s the US federal government or a small local enterprise, to choose strategic partners that will accompany and support them from beginning to end. 

Perhaps the very biggest hurdle to adopting zero trust is that it requires a complete mindset shift, away from the perimeter security model that we have depended on for decades and that no longer offers adequate protection. With its National Cybersecurity Strategy, it appears the US government is ready and determined to make this important shift.

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
