President Biden's Executive Order on Cyber Security (EO) could mark a turning point against increasingly bold cyber threats. Its scope is ambitious. Its demands for quick action are important. And it points to a clear intention of the White House: to make real this administration's stated approach to the review of national and federal cyber defense.
Agencies are moving quickly to fulfill EO mandates. But in the midst of this mess, it's easy to miss the thematic transformations bubbling beneath the surface of the EO. There are five, and they will represent the future of national cybersecurity.
First, CISA is on the fast elevator, rapidly rising to federal cybersecurity leadership. The EO turbocharges the recommendations of the Cyberspace Solarium Commission, the FY21 NDAA provisions, and an executive and legislative branch justification for codifying CISA as an authorized engine of federal and national cyber defense. This is a sea change: after 30 years without a clear federal cybersecurity leader, the rose is set (perhaps even superglued) at CISA.
Can CISA meet the moment? We think so. However, there are some prerequisites:
- Budget stability (and growth), to maintain, strengthen, and transform federal foundational cybersecurity programs.
- First rights to the best cyber talent in government and industry, even if there is a premium price.
- The power to centralize government purchases of cyber technologies to elevate quality and performance at a lower cost.
- And direct channels to the West Wing to achieve constant political cover.
Congress and the administration must meet these prerequisites and then hold CISA and the agencies accountable for the results obtained.
Second, security is about entire extended digital ecosystems, not the classic boundaries of the enterprise. And ecosystems are continually transforming. In our world of software, cloud and everything-as-a-service, there are no enterprise boundaries. Organizations must have visibility into every element of their digital ecosystem and into every branch of their supply chains.
EO-related efforts to develop supply chain security standards and guidelines are useful, as are the agencies' supply chain reviews from February. But the key is not more checklists and questionnaires. It is better risk management: modeling, emulation, and cyber threat testing to understand how real bad guys can attack through a real ecosystem and supply chain link. Then these models should be aggregated at the federal or U.S. government level and used to prioritize fixing major security deficiencies.
Third, the age of security tools has reached its peak. The strategy of layering on more and more products and tools is often ineffective, redundant, and prohibitive.
Agencies should not attempt to purchase their way through EO requirements with tools. The key is to build a more defensible, resilient and modernized digital infrastructure based on zero trust principles.
Fortunately, the EO makes the zero trust imperative clear. But it is more opaque about how agencies should operationalize and implement zero trust security operations. We need maturity models at the federal level, preparedness assessments, and agency-adaptable plans to make zero trust at scale real.
Fourth, cybersecurity is about making data operational. Cyber defense operations are weighted too heavily toward reactive detection and response. These functions are important, but we can move forward.
Automated vulnerability management and, above all, persistent threat tracking will allow agencies and CISA to finally overcome threats, but only if organizations do a better job of leveraging security data and applying advanced analysis that addresses vulnerabilities and reveals threats before they attack.
In cyber defense operations, speed, accuracy and precision are important. High-quality data, advanced analysis and automation are key enablers. Critically, this must happen at agencies and organizations and at CISA, where we can obtain information at the federal level about adversary patterns and behaviors to ensure collective defense. Data is the fuel that allows defenders to move faster than attackers; the future of cybersecurity is based on data.
Fifth, it’s time to go beyond sharing information.
A new model of public-private collaboration is needed to facilitate the exchange of information and reduce operational, reputational and financial risks. A public-private exchange of cyber information would allow more contextualized threat intelligence, enabling organizations to better defend themselves against advanced persistent threats.
Biden's EO is starting to pave the way, with a focus on commercial notification of cyber incidents. But more can be done. Collaboration, not just the exchange of information, is key.
And now what?
Yes, agencies must comply with EO mandates. But it is also imperative to maintain the focus on achieving these larger transformations, the seeds of which are in the EO. This is an opportunity for CISA, in its increasingly pronounced leadership role, to drive vision and provide a "North Star" for what good federal and national cybersecurity looks like.
Patrick Gorman is executive vice president of consulting firm Booz Allen and a leader in the firm’s cybersecurity business. He has more than 35 years of experience in technological risk management and cybersecurity.