The Biden administration’s new National Cybersecurity Strategy released Thursday marks two major policy shifts in the cybersecurity arena that asks software developers to assume more responsibility for cybersecurity breaches and encourage long-term financial investment in better cybersecurity practices to slow the chaotic cycle of cyberattacks and ransomware incidents brought on since the COVID-19 pandemic.
In addition to recent high-profile cyberattacks such as the SolarWinds software supply chain breach, the Log4Shell software vulnerability and the Colonial Pipeline ransomware incident, White House Assistant National Cyber Director for Technology Security Anjana Rajan said Russia’s “brutal” invasion of Ukraine sparked the creation of the strategy.
“The arena for this war exists in cyberspace,” she said during the closing fireside chat of GovCIO Media & Research’s CyberScape: Insider Threats event Thursday in Tyson's Corner, Virginia. “Our adversaries will choose cyberspace to engage in offensive attacks. Our critical infrastructure needs to be defensible and resilient for the long term.”
Prioritizing Open-Source Software Security
In many ways, the crux of the strategy deals with the problem of securing open-source software, which is ubiquitous to IT and OT systems even as robust software security strategies and practices lag.
“To talk about open source, we have to talk about the ethos of the system. It’s a beautiful concept — the idea that the ideas of one combines the ideas of another [and] makes us greater as whole, that’s a fundamentally democratic concept,” Rajan said. “We’re seeing that in Ukraine. We’re seeing the open-source community come together to build cryptographic libraries that can help defend against Russian cyberwarfare. We’re also seeing it on the data side … changing the way the intelligence game is played. Open-source satellite imagery, geospatial data [are] becoming mission-critical in the way the war is fought.”
Rajan said there are four main drivers of risk in the software industry: motivation and incentives for software developers to prioritize cybersecurity; cybersecurity enforcement within open-source software infrastructure; good data identifying where vulnerabilities lurk in open-source software; and memory unsafety.
Memory unsafety, which the strategy identified as an area of federal investment to improve overall software security, is an underlying property of programming language that can introduce vulnerabilities and bugs into the way software is stored, Rajan said.
“Say I have a list of 10 items and a program calls upon the 10th item in the list,” she said. “We’d assume an error would happen because there isn’t an 11th item. In memory unsafety, that error check doesn’t happen by default. It will return the value of whatever is restored in memory. The cyber implications are actually quite catastrophic. It means I can access data that was already deleted. You’re talking about the entire digital ecosystem of our U.S. government. That makes it very easy to exploit a vulnerability for an adversary.”
Using memory-safe programming language, she added, can reduce software vulnerabilities by up to 70%.
In addition to laying the groundwork for more robust cybersecurity policy, the new strategy also intends to shift the collective mindset around cybersecurity to grasp the impact poor cybersecurity has on an organization’s mission. Rajan reflected on her experience as CTO for Callisto — a non-governmental organization fighting human trafficking — and how the Log4Shell software vulnerability prevented team members from taking calls from victims in danger.
“It was this reminder that it is not just cyber or tech companies that need to care about cybersecurity,” Rajan said. “It made it very clear this was a whole ecosystem sense of urgency.”
Building Upon Zero Trust
Acting National Cyber Director Kemba Walden said the May 2021 executive order calling on federal agencies to implement zero trust architectures after the SolarWinds and Colonial Pipeline incidents “set the tone” for this new strategy. It was highly regarded as the brainchild of the inaugural and now former National Cyber Director Chris Inglis, and other cybersecurity advocates including the Cyberspace Solarium Commission and CSIS Senior Advisor for Homeland Security Suzanne Spaulding helped bring it to fruition, she said.
“We defend cyberspace because it is interwoven into our everyday lives,” Walden said during a special presentation hosted by the Center for Strategic and International Studies (CSIS) Thursday. “If we build a secure and resilient cyber foundation, we can pursue our boldest national goals with confidence, goals like a national electrical grid, high-bandwidth instantaneous communication that enable collaboration, commerce and cultural exchange, and an internet that strengthens our democracy. We have to think about cyberspace in terms of political economy, social change and technological innovation. It’s not just about security. [The strategy] acknowledges a profound truth: technology and humanity are intertwined.”
The goal is for cybersecurity to be “baked in” to software development per a DevSecOps approach, not “bolted on,” Walden added.
For many federal agencies, zero trust and the software community go hand-in-hand. At the Department of the Air Force, software factories helped jump start the journey to zero trust, according to recent interviews with CIO Lauren Knausenberger and CTO Jay Bonci.
“Software factories are great for many reasons — for one, they allow us to move and prototype things very quickly,” Bonci said in an interview with GovCIO Media & Research. “Many of the early zero trust component implementations came out of Cloud One and Platform One. They have also been eager to help us get our hands around some particularly snarly problems.”
At the Consumer Financial Protection Bureau (CFPB), zero trust principles are helping secure the software supply chain after the SolarWinds and Log4Shell incidents.
Building Cybersecurity Awareness
Federal agencies often talk about building a more cyber-aware culture within their organizations, but all end users of technology need to become more cyber aware.
Anne Neuberger, deputy assistant to the President and deputy national security advisor at the White House, described how New York City restaurants are required to display cleanliness ratings on their front windows so customers can make the best choice when deciding where to eat and how that same principle should be applied to Internet of Things (IoT) devices, such as medical devices, baby monitors and internet routers.
Cybersecurity ratings for all internet-connected devices should be available like a nutrition label on packaged food, she said during the CSIS event Thursday.
“The White House hosted an effort on IoT labeling and that effort is a way to give the customer the power to assess, is this secure or not? And we see again and again the customer wants to buy secure,” she said.
The Cybersecurity and Infrastructure Security Agency (CISA) has prioritized cybersecurity awareness under Director Jen Easterly’s leadership beginning with the launch of the Joint Cyber Defense Collaborative (JCDC) — an industry and government partnership to share information about potential and actual cyber incidents — and the Shields Up campaign, which began at the beginning of the Russia-Ukraine war.
“It’s really about working together to defend the ecosystem,” Easterly said at the 2022 Billington Cybersecurity Summit. “Everything we’ve learned over the past year as we have been building our partnerships through JCDC, Log4Shell, the Shields Up campaign, it really capitalizes on our superpower. We all need to work together, all of our defender partners. It’s industry, it’s state and local, it’s nonprofit partners, research community and the privacy community. Attackers have budgets, too. We have to work together to make sure we’re increasing the marginal cost so attackers have to burn a zero day if they want to go after critical infrastructure.”
JCDC will focus on securing open-source software this year, according to the 2023 planning agenda announced in February.
Going forward, the federal government will rely on industry to execute the new cybersecurity strategy, White House leaders said.
“It’s a team effort,” Walden said. “We need the private sector to step forward with us.”
But the push for increased partnership between government and industry to address systemic cybersecurity problems is also a call for greater responsibility given the impact poor cybersecurity has on the nation’s economy, society and future prosperity.
“Too often we’re relying on the individual consumer, small businesses, local and state governments to defend against nation states, and that is an unfair burden we’re putting on the wrong folks,” Rajan said. “What we need to rebalance is the players that can bear that burden in the public, and private sectors need to do their fair share of cybersecurity.”