As our nation's most critical infrastructure faces relentless threats in cyberspace, cybersecurity remains top-of-mind for the federal government. The Colonial Pipeline and JBS attacks, among others, showed us that our national resilience is only as strong as public-private sector collaboration. And as ransomware attacks remain the norm, new collaborative strategies and programs are underway to build and foster cyber resilience.
Notable Steps in the Right Direction
The State Department's Bureau of Cyberspace and Digital Policy (CDP) serves as a catalyst for building cyber stability, future incident reporting, and cyber-governance regulation. Its mission is to encourage responsible nation-state behavior in cyberspace, advance policies that protect the integrity and security of the Internet, serve US interests, promote competitiveness, and uphold democratic values.
We've also seen progress with the Cybersecurity and Infrastructure Security Agency's (CISA) new Shields Up program, which outlines guidance for public and private organizations to reduce the likelihood of a successful cyber intrusion. CISA's Jen Easterly emphasizes the program is all about "preparation, not panic."
The National Institute of Standards and Technology (NIST) also recently published guidance for securing enterprises against supply chain attacks targeting critical infrastructure. The new guidance stresses the importance of risk monitoring in cyber defense.
Collaboration Across Sectors
In addition to the above federal mandates and programs, public-private partnerships play a vital role in strengthening cyber intelligence, defense, and protection capabilities. As the world around us grows increasingly interconnected, cyber concerns that threaten to shut down or disrupt private entities also threaten the well-being of the federal government and government operations — and vice versa.
Because of attacks like Colonial Pipeline, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law — which laid out new "mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments."
The commitment to public-private partnerships continues to show up at all levels of government and private sector operations. Another proof point: CISA established the Joint Cyber Defense Collaborative (JCDC) in August 2021 to unify defensive actions and mitigate risk in advance of cyber incidents. The goal of this program is to strengthen the nation's cyber defenses through innovative collaboration, advanced preparation, and information sharing and fusion.
Programs and mandates like these are critical steps in bolstering national cyber resiliency. But to achieve herd resilience, we need to work together to shore up our shared cyber defenses, and for many, that starts with adhering to basic cybersecurity protocol.
Building Cyber Resilience
A pivotal factor in building cyber resilience and proactively preparing for the next attack starts with ensuring your organization maintains good cyber hygiene. In a nutshell, cyber hygiene is the practice of fundamental security behaviors, amplified through the adoption of supporting processes and technical controls. It's nothing revolutionary — back up your data, patch when you're told to patch, segment your networks, micro-segment your applications and workloads, etc.
One proactive security framework that has gained popularity and more widespread adoption over the last several years is zero trust. The Biden Administration's Cyber EO, which recently hit its one-year anniversary, emphasized the immediate need for federal agencies to implement zero trust to bolster national cyber resilience.
A key component of achieving zero trust security is zero-trust segmentation (i.e., microsegmentation). It's designed to stop lateral movement and reduce the attack surface by breaking down the internal infrastructure (think the data center, cloud environment, network, etc.) into smaller segments. In simple terms, think of microsegmentation like a hotel. Just because you're able to get into the hotel (bypassing firewall defenses) doesn't mean you're able to automatically access your room. Because every room has a key, you can only access yours once you're checked in and your access is granted.
Microsegmentation is the critical component of the workload and application pillar of zero trust reference architecture and your zero-trust security strategy; it's designed to stop the spread of cyberattacks and, malware, by isolating workloads and devices across the entire hybrid attack surface. Successfully implementing zero trust takes effort but ensuring your security team has an action plan in place and is taking small steps forward will ultimately better position you and your software supply chain to combat and withstand evolving threats.
Our Best Defense Against Cyber Threats
When taking steps to improve cyber defenses, agencies and critical infrastructure organizations often first look to legacy solutions: upgrading their networks, focusing on user access, bolstering perimeter defenses, or making sure all devices that connect to the network are approved devices.
While those steps are important, they're only one piece of the puzzle, and they will not stop the lateral movement of cyberattacks. Just think back to SolarWinds, which went undetected in federal systems for more than 14 months. A proactive cyber strategy, coupled with increased public-private partnerships and adherence to strong cyber hygiene practices, are critical components of bolstering our national cybersecurity posture.