The federal government has once again signaled that our traditional approach to cybersecurity, one predicated solely on prevention and perimeter defenses, is failing us. In the past two years alone, 76% of organizations were attacked by ransomware, and 66% experienced at least one software supply chain attack. Now, the Cybersecurity and Infrastructure Security Agency (CISA) is the latest federal entity to shake up cybersecurity best practices — underscoring that we need drastic change to withstand today's dynamic threat landscape.
CISA, the group tasked with strengthening our national approach to cybersecurity and securing critical infrastructure, has released a strategic plan that outlines four goals that must be met to address the "diverse and dynamic challenges facing our nation." The CISA Strategic Plan 2023-25 is the first of its kind for the agency, which was founded four years ago. The plan is light on details, but it's notably marked with a move away from traditional prevention and detection approaches toward "resilience."
The first of CISA's outlined objectives is to "enhance the ability of federal systems to withstand cyberattacks." Federal agencies should be prepared for and able to rapidly recover from cyberattacks and incidents, as well as maintain mission continuity during and after cyberattacks and incidents.
That the agency places this goal above the ability to actively detect cyberthreats (Objective 1.2) speaks volumes about today's priorities. Instead of focusing first on preventing and detecting breaches, CISA is acknowledging that breaches will occur. This marks a subtle but dramatic shift in thinking. Only by recognizing that cyberattacks and breaches are inevitable can we effectively reduce their impact.
A Marked Shift Away From Prevention
Detection, firewalls, and perimeter defenses represent cybersecurity’s status quo — fundamentally, the same strategy employed since the dot-com era. But in the past decade, hyperconnectivity and hybrid work have become the norm — drastically expanding the attack surface. The painful takeaway from the long string of ransomware attacks and breaches we've witnessed during the past three years (Colonial Pipeline, Kaseya, SolarWinds, and many more) is that legacy solutions and traditional cyber approaches focused solely on keeping bad actors out no longer provide adequate protection.
If we consider CISA's plan in combination with the Biden Administration's May 2021 Executive Order on Improving the Nation’s Cybersecurity, which mandated that federal agencies must implement zero-trust architectures, it's clear that protecting our most critical infrastructure is now more about ensuring continuous operations, proactive risk mitigation, and resilience than preventing digital break-ins entirely. In fact, CISA's strategic plan mentions the word "resilience" 30 times.
Withstanding attacks through resilience is among zero trust's core principles, along with the concepts of assume breach, least privilege, and "never trust, always verify." In fact, zero trust is the rational response to the current threat landscape, with our hyperconnected, multicloud environments and sophisticated cyberattackers constantly changing strategies.
Breaches are inevitable today, but zero-trust tools and technologies are designed to shrink the initial attack surface and curtail the larger implications of attacks — for example, preventing a single breach from turning into a larger supply chain failure.
Driving Real Change
CISA's plan is encouraging. For one thing, it is recognition that the government believes zero trust is the way forward. It's also another indication that federal security leaders are serious about shoring up our national resilience in cyberspace.
We know that our critical infrastructure will continue to be a top target for digital adversaries. In 2021, according to the FBI, ransomware attacks hit 649 US critical infrastructure entities, and nearly 90% of all US critical infrastructure sectors were hit by a successful ransomware attack.
Still, the devil is in the details. CISA's plan offers rough specifics, but goals, standards, and deadlines must be set. Accountability must be mandated.
For the CISA plan to accomplish any of its goals, it will require cooperation from both the government and private stakeholders. Fueling these objectives will also require a commitment to continuous funding and resources. Without sufficient finances and personnel, agencies don’t have the bandwidth to act on their goals, let alone be held accountable. CISA's goals are admirable and a step in the right direction, but without a clear outline of funding priorities, there's little assurance that goals and plans like these will come to fruition.
Today's most daunting cyber challenges boil down to this: History has proven that the concept of preventing intrusions by building digital moats and walls is a fantasy. Modern organizations — private or public — are bound to be breached. What we need is more emphasis on breach containment, end-to-end visibility, and more private-public cooperation. We need more accountability, and we need to move faster toward zero trust to fuel national resilience.