Industry Reactions to New National Cyber Strategy
24.9.2018 securityweek Cyber
Industry Reactions to United States 2018 National Cyber Strategy
The White House last week announced the release of the 2018 National Cyber Strategy, which outlines the government’s plans for ensuring the security of cyberspace.
Described by officials as the “first fully articulated cyber strategy in 15 years,” the new strategy describes how the current administration plans on protecting the country against cyber threats and strengthening the United States’ cyber capabilities.
The strategy shows that the U.S. is prepared to take a more aggressive posture, which includes an offensive response against nations engaging in cyber activity aimed at the country. Officials warned that the government’s response to a cyberattack may not necessarily be in the cyber world.
Industry professionals contacted by SecurityWeek commented on various aspects of the new strategy, pointing out its benefits, shortcomings, and the unanswered questions it raises.
And the feedback begins...
Dave Weinstein, VP of Threat Research at Claroty:
“Most government strategy documents tend to be underwhelming and this one is no different. This isn't a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones.
The paragraph that stands out to me is the one on the Cyber Deterrence Initiative. Until now we haven't formally adopted an international approach to deterrence, which includes collaborating on incident response and attribution. This Initiative has enormous potential to be successful if the right nations formally participate and equally contribute to its cause. I would expect to see the Five Eyes join in but it should extend even further, beginning with NATO member-states.
Another one that stands out to me and is much overdue is modernizing of surveillance and computer crime laws. The Computer Fraud and Abuse Act (CFAA) in particular is in desperate need of a refresh.
On critical infrastructure, it's encouraging to see it featured so prominently in the Strategy but the substance is a bit lacking. More creativity is needed for government to maximize its contributions to what is largely a private sector problem. Some of the best ways for government to "secure critical infrastructure" are to incentivize investment in technology, people, and training; share actionable threat intelligence; and deter activities that hold infrastructure assets (and the citizens they serve) at risk. Again, some of these are mentioned but not in great detail.
Would've liked to see a bit more emphasis on state and local cybersecurity as a key component of the national strategy.
They punted on encryption -- would've liked to see them take a strong stance on encryption while committing to foster a dialogue between the public and private sector recognizing the real concerns of law enforcement and the national security establishment.
Was struck by the explicit mention of transportation and maritime cybersecurity -- would've thought energy and maybe even advanced manufacturing would have received similar attention (especially given the Administration's domestic policy priorities).”
Nathan Wenzler, chief security strategist at AsTech:
“Politicizing matters of cybersecurity only serves as a detriment to us all. Nearly every human on this planet is served in some way, shape or form by technology and the various forms of communication and information delivery, and taking security seriously and promoting it consistently is critical to safeguard the access to information for all of us going forward. However, this Cyber Security Strategy document released by the White House does not do much of anything to serve this purpose on its own account, and even more so when viewed alongside other security-related matters that this administration has weighed in on. For example, Pillar IV of the White House's plan states that "The United States stands firm on its principles to protect and promote an open, interoperable, reliable and secure internet." Yet, this comes from the same administration whose FCC has killed Net Neutrality and arguably has laid the groundwork for the exact opposite thing taking place. Pillar III discusses addressing the interference of foreign powers executing propaganda and other counter-intelligence campaigns against the United States, yet we've witnessed repeated efforts from this administration to stop efforts to do exactly that in several situations, including the influencing of voters during the last major election cycle. Ultimately, this strategy document strikes me as nothing more than hyperbole, or as a distraction from the contrary actions this administration has already taken that nullify most of the principles outlined here.
Perhaps the most troubling part of this is the change in tone from looking to bolster the cybersecurity defenses of the United States, including the hiring and retaining of qualified information security professionals to raise the overall cybersecurity capabilities of government agencies, to one of aggression and taking an offensive stance against those deemed to be enemies of the state. It's a short collection of statements buried in the strategy, but National Security Advisor Tom Bolton has already confirmed that executing more counterattacks and taking this more aggressive and offensive position is the intent. This is, in my opinion, an incredibly dangerous strategy to take, especially when it comes to cyberwarfare initiatives. It's simply too easy for conflicts to escalate, and it does not require huge armies or massive amounts of money or government support for a malicious actor to do incredible damage from a technological perspective. A single actor could, potentially, take down power grids or even impair the internet itself (look at the attacks against the root DNS servers in years past as an example). Escalating conflicts in cyberspace is not the same as bringing a huge show of military force to a conventional battlefield, and it is with this mindset that the current administration appears to be working from, demonstrating a lack of understanding of what we are collectively facing from a cybersecurity perspective and of the risk involved in performing acts of aggression in this arena.”
Sherban Naum, SVP of Corporate Strategy and Technology for Bromium:
“The Strategy is a policy vehicle. The key concern is once the strategy has been fully executed, it must drive acquisition in a timely fashion to be effective. What funding vehicle will support implementing the actual cyber tools necessary to deliver on the policy changes? Who will drive the acquisitions? Will they be consolidated under a single OSD mandate and funding action, coalescing all funding to a single activity or will OSD mandate the changes, leaving the services to both fund and implement? If the latter, how will the mandate compete with other necessary funding efforts, considering the sheer volume of legacy infrastructure in place today under sustainment? Are there technologies that have been vetted of recent that have proven to deliver vastly new capabilities that satisfy both defensive protection-first while delivering the threat telemetry needed to take offensive action based on clear attribution? The DoD has been unsuccessful in implementing clear and agile acquisition changes despite the many years as a stated goal.
I’m not sure accepted international rules of engagement in kinetic warfare translate equally to that in cyber space. In kinetic warfare there are clearly defined rules of engagement, both Federal Defense policy as well as International governing bodies, and these rules need to be better defined in the cyber world. The specific call out for international consensus and support is paramount. Modern Cyber Warfare may come down to the creation of a Cyber “NATO-like” body that acts both as a unifying body toward response and a deterrent to nation state attackers. Attack one, attack all.”
Bryson Bort, Founder & CEO of SCYTHE:
“This is the most comprehensive cybersecurity strategy document ever published—firmly stating a vision of the United States as ensuring a secure Internet by cooperation or force. It reads like a response to former NSA Director Admiral Mike Rogers’ February Congressional testimony where he acknowledged current constraints in responding to the active threat landscape the US faces.
The ambitious scope is easily reflected in just a few standout items: replacing social security numbers for identity management; addressing IOT security through the full lifecycle, although not post-deployment; a global “Cyber Deterrence Initiative” to strengthen partner law enforcement and information sharing capabilities; and the promise of “swift and transparent consequences” to deter attacks.
The message appears to be: you will see an American Flag planted on your scorched computer(s).”
Ali Golshan, CTO and co-founder at StackRox:
“While the new Trump administration cyber policy is not a major deviation from President Obama's initiative in 2016, the focus now is on enabling agencies – specifically the Defense Department - to respond more quickly to cyber threats. Under the Obama cyber policy, various defense and intelligence agencies were required to coordinate offensive cyber operations to ensure they had no impact on government operations. The Trump policy allows organizations to respond without cross-agency coordination.
Unlike traditional warfare, where exposing one's arsenal deters an adversary, in cyber offenses, capabilities are kept confidential so as to not reveal capabilities. Historically, this approach has been a more effective deterrent. Considering the nature of cyber weapons and the ability to reuse them once discovered, as well as the difficulty of accurate attribution (accurately determining the attacker/location/country), one could argue that responding without cross-agency coordination brings higher risk.”
Jack Jones, Co-Founder and Chief Risk Scientist at RiskLens:
“As a high level statement of intent/direction, it seems fine. In order to make it actionable though, several things have to happen:
Organizations who want (or have) to follow this directive need to be able to accurately determine where they stand relative to the sub-objectives described in this document.
Then, for each sub-objective within this directive, they have to prioritize the gaps between where they are and where they need to be — and prioritization is invariably a function of measurement (risk measurement in this case).
Then they have to compare the various options for closing any gaps (the most important gaps first, of course) to ensure that the most cost-effective remediations are chosen. These comparisons also are dependent on accurate risk measurement.
As these efforts get underway, cybersecurity organizations need to be able to adjust intelligently to changes in the landscape that might alter priorities or solutions. This, too, requires risk measurement.
Of course, nowhere in here is there any explicit reference to improving the profession’s ability to measure risk — even though the success of everything else is dependent on it to some degree and it is one of the most deficient areas in the profession. This reflects continued ignorance on a fundamental element of risk management.”
Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:
“The new Strategy appropriately builds on the work of past Administrations. Particularly when read in conjunction with the DOD Cyber Strategy also released this week, the National Cyber Strategy also recognizes that going on offense is becoming more critical to playing daily cyber defense.
The Strategy has a few notable points as to protecting critical infrastructure. First, the Strategy emphasizes leveraging information and communications technology providers to detect, prevent and mitigate risk at the system level. Second, it prioritizes improved cybersecurity in the transportation industry, particularly maritime transportation. This is particularly noteworthy in light of last year’s NotPetya cyberattack, which significantly affected such transportation companies as Maersk and Federal Express. Third, the Strategy falls short in addressing election cybersecurity by throwing up state and local election control as a seemingly insurmountable obstacle.
The Strategy also recognizes that we have a long way to go in combating international cybercrime. It notes that some criminal groups now rival nation state actors in sophistication, and that rampant, technology-facilitated intellectual property theft is having a potentially deleterious effect on our long-term economic and national security. The Strategy appropriately prioritizes incident reporting and response, updating legal tools for the investigation and prosecution of technology-facilitated crimes, apprehending and successfully prosecuting more international cybercriminals, and helping other nations implement similar strategies.”
David Ginsburg, Vice President of Marketing at Cavirin:
“In one way this is helping to further codify and bring into the open actions that the US are already taking. For example, the cyber-attacks against North Korea’s missiles, as described in Woodward’s ‘Fear.’ As a public document, it also serves notice that our responses will be on-par with approaches already taken by our adversaries. In doing this, I don’t think there is a danger of unnecessary escalation. However, we must balance our offensive capabilities with maintaining a more effective cyber posture within the various government agencies. We’ve read all too often about oversights due to lack of training, automation, or adoption of best practices. And, the strategy document is very timely given documented threats against this November’s election.”
Rick Moy, Chief Marketing Officer at Acalvio:
“This is a fairly broad and comprehensive strategy, that touches on everything from government supply chain, critical infrastructure, and democratic institutions all the way to space. While the devil will be in the details of executing this, there is a good range of priorities, including emphasis on streamlining civilian cybersecurity responsibilities, risk and vulnerability management, improving incident response. Of particular interest will be the efforts to deter attackers and ultimately hold them responsible through state-level sanctions and extradition.”
Rishi Bhargava, Co-founder at Demisto:
“One facet of this strategy that has the potential for long-lasting consequence is the US government’s commitment to develop a superior cybersecurity workforce. Today’s industry truth is that security professionals are tough to hire, train and retain. A government-led approach to expand educational opportunities and encourage re-skilling of workers will help build the talent pipeline and lead to better staffed organizational security departments. Security teams are overworked and will need all the help they can get.”