Since inauguration day, things in the federal cybersecurity realm have been turbulent to say the least. The new administration has already revoked several Biden-administration executive orders, including one outlining safety assurances around the development of artificial intelligence. It has also made some drastic reductions within the Cybersecurity & Infrastructure Security Agency (CISA), including the dismissal of the entire Cyber Safety Review Board (CSRB). That was preceded by the voluntary departures of CISA Director Jen Easterly and Deputy Director Nitin Natarajan.
Transitions between presidential administrations always have a measure of trepidation to them, but this is a particularly sensitive time, in particular for cybersecurity leaders who are facing enhanced regulatory pressures, personal liability challenges, and adversaries acting with aggression in their targeting of critical infrastructure and cyber-physical systems.
This activity surfaces a number of questions, chief among them: where do we stand as an industry in terms of government oversight and coordination? And, of course, what other shoes will drop in the coming weeks and months?
Let’s look at three things we hope the new administration takes into account with regard to critical infrastructure protection.
The CSRB was established to research critical incidents and report to the industry in order to foster improvements. The Log4j vulnerabilities and the breaches against Microsoft were among the prominent reports the group published, and the CSRB was not shy about going hard at tech companies such as Microsoft for their technological and cultural shortcomings and exposures.
This is heavy and vital work that provides much sought-after transparency into incidents that threaten national security, public safety, and the country’s financial well-being. Reportedly, at the time the board was dismissed, the CSRB was working on an in-depth analysis of the so-called Salt Typhoon hacks that targeted multiple U.S. telecommunications companies.
Linked to China and the Volt Typhoon actors, Salt Typhoon successfully compromised close to a dozen telcos and gained access to call records and text messages, apparently including those of senior U.S. government officials and politicians.
The true value of the board is its composition: a mix of representatives from the public and private sectors whose work informed much of the cybersecurity direction put forth by the Department of Homeland Security and the White House. Prominent cybersecurity experts including Heather Adkins of Google, CrowdStrike co-founder and chairman Dmitri Alperovitch, Katie Nickels of Red Canary, Department of Defense CIO Leslie Beavers, National Cyber Director Harry Coker, and many others made up the board.
The new administration must reconstitute the CSRB at once. We are hopeful that staffers and advisors can communicate the importance of the board’s work and the transparency it provides into what threat actors are actually doing in the wild.
Zero-day vulnerabilities get the sexy headlines, but folks in the trenches understand that bad passwords and unpatched vulnerabilities are a much bigger threat to the security of our networks and critical infrastructure. Very few companies should have multimillion-dollar zero-days within their threat models. Instead, what has come to be characterized as good cyber hygiene should be the end-state that enterprises and government agencies seek to achieve.
This is the message we hope is conveyed to the new administration. Understand that small hospitals and water treatment facilities nationwide, to name just two examples, often don’t have the human and capital resources to fend off ransomware and other commodity attackers. With most of the critical infrastructure in this country privately owned, this is where the greatest computing risk in our country lies.
We need programs, tooling, and support fed to these organizations in need. Healthcare delivery organizations, for just one example, are among the hardest hit by actors who favor extortion, whether via ransomware or the threat of leaking stolen data. Criminal enterprises understand that these organizations are the most likely to meet ransom demands in order to maintain a level of patient care and availability, and bad guys aren’t beholden to laws or morality.
Federal—and industry—leaders should advocate for these groups, and emphasize what strategically and tactically matters most, especially for smaller organizations:
Minimize the exposure of key systems, including control systems, to the internet.
Prioritize known exploited vulnerabilities for mitigation and remediation.
Limit remote access to sensitive systems, especially OT control systems and medical devices.
Provide the guidance necessary for risk assessments, which would also go a long way toward minimizing exposures.
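As an added example (not code from the original post or from Claroty), the following script shows how a resource-strapped team could turn the first three priorities above into a simple, repeatable ranking: assets that are internet-exposed, that allow remote access into OT or medical systems, or that carry a vulnerability on a known-exploited list float to the top of the remediation queue. The asset inventory, the KEV catalog stand-in, and the CVE identifiers (CVE-EXAMPLE-n) are all constructed placeholders; a real deployment would feed in scanner output and the published KEV catalog instead.

```python
"""Rank assets for remediation by exposure and known-exploited vulnerabilities.

Added example for the priorities listed in the post; not the post's own code.
All inventory data below is constructed, and the CVE ids are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for a known-exploited-vulnerabilities (KEV) catalog.
KEV_CATALOG: set[str] = {"CVE-EXAMPLE-1", "CVE-EXAMPLE-3"}

# Weights: exposure to the internet and remote paths into OT/medical gear
# matter more than the raw count of unexploited CVEs.
W_INTERNET = 40
W_REMOTE_SENSITIVE = 30
W_KEV = 20
W_OTHER_CVE = 2
SENSITIVE_KINDS = {"ot", "medical"}


@dataclass
class Asset:
    name: str
    kind: str                     # "ot", "medical" or "it"
    internet_exposed: bool
    remote_access: bool           # reachable via VPN/RDP/vendor remote tooling
    cves: list[str] = field(default_factory=list)


def findings(asset: Asset, kev: set[str] = KEV_CATALOG) -> list[str]:
    """Return the human-readable reasons an asset scores what it does."""
    out: list[str] = []
    if asset.internet_exposed:
        out.append("internet-exposed")
    if asset.remote_access and asset.kind in SENSITIVE_KINDS:
        out.append(f"remote-access-to-{asset.kind}")
    for cve in asset.cves:
        out.append(f"kev:{cve}" if cve in kev else f"cve:{cve}")
    return out


def score(asset: Asset, kev: set[str] = KEV_CATALOG) -> int:
    """Weighted score; higher means remediate sooner."""
    total = 0
    if asset.internet_exposed:
        total += W_INTERNET
    if asset.remote_access and asset.kind in SENSITIVE_KINDS:
        total += W_REMOTE_SENSITIVE
    kev_hits = sum(1 for c in asset.cves if c in kev)
    total += W_KEV * kev_hits
    total += W_OTHER_CVE * (len(asset.cves) - kev_hits)
    return total


def prioritize(assets: list[Asset], kev: set[str] = KEV_CATALOG) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, findings) tuples, highest score first."""
    ranked = sorted(assets, key=lambda a: score(a, kev), reverse=True)
    return [(a.name, score(a, kev), findings(a, kev)) for a in ranked]


# Constructed sample inventory for a small facility.
SAMPLE_ASSETS = [
    Asset("plc-1", "ot", internet_exposed=True, remote_access=True, cves=["CVE-EXAMPLE-1"]),
    Asset("infusion-pump", "medical", internet_exposed=False, remote_access=True, cves=["CVE-EXAMPLE-2"]),
    Asset("hr-laptop", "it", internet_exposed=False, remote_access=True,
          cves=["CVE-EXAMPLE-3", "CVE-EXAMPLE-2"]),
    Asset("web-portal", "it", internet_exposed=True, remote_access=False, cves=[]),
]

if __name__ == "__main__":
    for name, s, why in prioritize(SAMPLE_ASSETS):
        print(f"{s:3d}  {name:15s}  {', '.join(why) or 'no findings'}")
```

The weights are deliberately coarse; the point is that an internet-reachable controller with one actively exploited bug outranks a laptop with several unexploited ones, which is the ordering the post argues for.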
The Biden administration issued landmark cybersecurity executive orders during its tenure that put pressure on technology vendors to be transparent about the security of what they’re selling, and to shore up the software and hardware supply chains.
Days before leaving office, President Biden issued another order that further reinforced the need to lock down the software supply chain, addressed exploitable vulnerabilities that expose organizations at scale, and spelled out threats from China and elsewhere that should be prioritized.
However, with the changes to CISA and across the government, beneficial initiatives such as CISA’s secure-by-design/demand/default may be in jeopardy. These types of programs would go a long way toward meeting a desired end-state of adhering to basic cyber hygiene, and put the ball in the vendors’ court in order to reduce exposures rather than relying solely on resource-strapped security teams.
Secure by design and default recommends, for example, that default passwords be eliminated, that current versions of communication protocols be in use, and that older, insecure protocols be disabled by default. A recent secure-by-demand procurement guide for OT spells out further recommendations, including configuration management capabilities, as well as logging, strong authentication, vulnerability management, and upgrade and patch tooling by default, among other necessities.
These are attainable wins for the new administration and would further help establish and maintain the resilience of our critical infrastructure. The key is for the government to use its unique role to provide direction and oversight that is not cumbersome, that incentivizes the private sector to enhance its level of cybersecurity, and that directs specific actions to address our greatest cybersecurity challenges, particularly within critical infrastructure.
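To make the secure-by-default recommendations above concrete, here is an added example (not code from the original post, Claroty, or the OT procurement guide it mentions) of a small audit that a buyer or operator could run against a device's exported configuration before accepting it. The configuration layout, the default-credential list, and both sample configurations are constructed for illustration; the checks map one-to-one onto the recommendations in the text: no default passwords, insecure protocols off, current TLS, logging on and forwarded, strong authentication, and signed updates.

```python
"""Audit a device configuration against secure-by-default expectations.

Added example, not the post's own code. The config schema and sample
values are constructed; adapt the field names to a real device export.
"""
from __future__ import annotations

# Constructed, illustrative list of vendor default credential pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("user", "user")}
# Legacy or cleartext services that should be disabled out of the box.
INSECURE_SERVICES = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
MIN_TLS = (1, 2)
MIN_PASSWORD_LENGTH = 12


def _tls_version(value: str) -> tuple[int, ...]:
    return tuple(int(p) for p in value.split("."))


def audit(cfg: dict) -> list[str]:
    """Return a list of finding ids; an empty list means the config passes."""
    out: list[str] = []

    # 1. No default or empty credentials on any account.
    for acct in cfg.get("accounts", []):
        user, pw = acct.get("user"), acct.get("password")
        if not pw or (user, pw) in DEFAULT_CREDENTIALS:
            out.append(f"default-credential:{user}")

    # 2. Older, insecure protocols disabled by default.
    for svc, enabled in cfg.get("services", {}).items():
        if enabled and svc in INSECURE_SERVICES:
            out.append(f"insecure-protocol:{svc}")

    # 3. Current protocol versions in use.
    tls = cfg.get("tls_min_version", "1.0")
    if _tls_version(tls) < MIN_TLS:
        out.append(f"weak-tls:{tls}")

    # 4. Logging on, and forwarded off-box so an intruder cannot erase it.
    logging = cfg.get("logging", {})
    if not logging.get("enabled"):
        out.append("logging-disabled")
    elif not logging.get("remote_syslog"):
        out.append("no-remote-log-forwarding")

    # 5. Strong authentication.
    auth = cfg.get("auth", {})
    if not auth.get("mfa"):
        out.append("no-mfa")
    if auth.get("min_password_length", 0) < MIN_PASSWORD_LENGTH:
        out.append("weak-password-policy")

    # 6. Upgrade and patch tooling that only accepts signed firmware.
    if not cfg.get("updates", {}).get("signed_firmware_only"):
        out.append("unsigned-firmware-allowed")
    return out


# Constructed: a gateway as it might ship without secure-by-default.
WEAK_CONFIG = {
    "accounts": [{"user": "admin", "password": "admin"}, {"user": "operator", "password": ""}],
    "services": {"telnet": True, "ssh": True, "http": True, "https": True, "snmpv2c": True},
    "tls_min_version": "1.0",
    "logging": {"enabled": False, "remote_syslog": None},
    "auth": {"mfa": False, "min_password_length": 6},
    "updates": {"signed_firmware_only": False},
}

# Constructed: the same device after the recommendations are applied.
HARDENED_CONFIG = {
    "accounts": [{"user": "admin", "password": "Unique-Per-Device-Secret-42"}],
    "services": {"telnet": False, "ssh": True, "http": False, "https": True, "snmpv3": True},
    "tls_min_version": "1.2",
    "logging": {"enabled": True, "remote_syslog": "syslog.example.internal:514"},
    "auth": {"mfa": True, "min_password_length": 14},
    "updates": {"signed_firmware_only": True},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'PASS'}")
```

Run as-is it prints ten findings for the shipped configuration and PASS for the hardened one; the same checks can be rerun after every firmware upgrade to catch a vendor quietly re-enabling a legacy service.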
By prioritizing these three areas, it is possible to positively influence vendors to further prioritize security and to maintain, and enhance, government oversight.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.