Pages

15 March 2023

US cyber strategy is missing accountability and a ransomware moonshot

GARY BARLET

Ten years ago, everyone was watching Breaking Bad, Frozen hit the theaters, and 2013 was called “Year of the Selfie.” Feels like forever ago, right? Because it was. Ten years is an eternity.

That is the first problem with the new National Cybersecurity Strategy, recently rolled out by the Biden administration. It falls short in two essential areas: immediate impact and accountability. The plan states, “By the end of this decisive decade, we will achieve these outcomes so we can confidently take bold leaps into a digitally enabled future that benefits us all.”

As a 20-year Air Force cyber operations veteran and a former federal CIO, it pains me to say I’m deeply underwhelmed by this plan — even though it details a strong vision for strengthening our nation’s cyber resilience and critical infrastructure.

Planning 10 years ahead in cyber is out of the question. America should worry a lot more about 2024 than 2033. We’re hemorrhaging billions of dollars to ransomware annually, but the strategy doesn’t do anything to immediately turn that around. This is a crisis, and it deserves a crisis response. Last year, U.S. financial institutions saw nearly $1.2 billion in costs associated with ransomware attacks — four times the amount of the year prior.

But financial devastation isn’t the only thing at risk, the fabric of our everyday lives is too. On a weekly basis, ransomware is vexing our healthcare systems, food chains, telecommunications networks, energy infrastructure, and financial institutions, bringing operations for services we rely on to a screeching halt. If we don’t introduce actionable ideas and accountability that will make an immediate impact, it will only get worse.

In fairness, the National Cyber Strategy has articulated strong core objectives — like enhancing cross-sector collaboration, modernizing federal systems, disrupting and going after attackers, strengthening the software supply chain, and promoting Zero Trust breach containment strategies. However, it falls short in detailing the tactics, resources, and timing that show how we can actually accomplish all of this. In short, the plan does not reflect the severity and urgency of the current threat landscape.

We need a moonshot approach to make an immediate impact on ransomware and risk.Where are the bold ideas, like banning ransomware payments to stop cybercriminals from profiting off these attacks?
Or mandating that private and government organizations publicly notify customers within 72 hours of a breach so they know when their data has been compromised?
Or preventing software vendors from working with the federal government if they routinely fail to prove their own cyber readiness and resilience?

It’s not only big ideas that are missing. This strategy also fails to address the specifics. The implementation section is barely one page of the 39. What are the clear, actionable, time-bound goals and objectives? What needs to have happened one year from now, and what will the impact have been? And how will it be executed? We’ll have to wait for the Office of the National Cyber Director to create that assessment.

What’s more, this strategy is entirely unfunded at a time when bipartisan agreement seems to be incredibly rare. We need a strong focus, with commitment from both Congress and industry, to solve these problems. And we, as a nation, need to be prepared to make serious investments to get this done right in the name of protecting this country in cybersecurity. If we don’t, there will eventually be another catastrophic breach like the Colonial Pipeline attack that impacts day-to-day life.

And lastly, we need to step on the gas. We need to move faster, and we need to start now — not tomorrow and certainly not 10 years from now. Putting words on paper is an important step in driving the cyber awareness conversation forward, and I am excited to finally have a cohesive national strategy. However, at the end of the day that’s all this strategy is — words on paper.

We need the federal government to do more. We need them to lead by example and drive significant changes in our national cybersecurity posture by bringing bold ideas, granting resources, investing in people, and holding themselves accountable with more realistic, aggressive timelines that more accurately reflect the world — and threats — around us.

Otherwise mandates like these are rendered not only out of touch, but also largely ineffective — and a waste of taxpayer dollars.

No comments:

Post a Comment