


Why The New U.S. National Cybersecurity Strategy Is At Risk

Forbes Technology Council

Nick is the Chief Security Fanatic of Security Fanatics, CISO, keynote speaker, author & radio show host. He loves all things cybersecurity.

Most Americans who follow cybersecurity news know that earlier this year the Biden-Harris Administration unveiled its new “National Cybersecurity Strategy.” This administration took office and immediately had to deal with the fallout from the massive SolarWinds supply-chain compromise and, soon after, a region-wide fuel panic on the eastern seaboard caused by the Colonial Pipeline ransomware attack.

In response to this trial by fire, the administration began quickly issuing cybersecurity-focused executive orders and pushing for laws that would strengthen the U.S. national infrastructure for government, businesses and individuals alike.

The strategy has been generally praised by the cybersecurity community, and it is ambitious and holistic in approach. I, however, am of the opinion that some of the points in the document need work. It’s an excellent start, honestly; however, there are some considerations that need to be addressed if this push is to be adopted by the general population. Consider the following items.

We’re All In This Together When It Comes To Cybersecurity

The first critical point made in the announcement of the strategy was:

“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

That seems like an excellent premise, and, to some extent, I agree. The infrastructure providers in the U.S. (think your internet service provider as well as the Amazons and Metas of the world) should be more proactive in detecting and defending their customers and users against threats. They could definitely be more visible in this fight as well, instead of just saying they’ll offer their end users retroactive tools to combat the onslaught of cyberattacks.

Where this becomes concerning is the perception this will generate for individuals and small businesses. Herd immunity also applies to cybersecurity. We are all interconnected thanks to emails, messaging, social media and more. The large infrastructure providers can only do so much, and phishing will continue to be a serious issue even with the ISPs turning their detection up to 11.

My fear is that a legion of people and small businesses will simply assume it’s being taken care of for them and, therefore, not invest in cyber awareness training, threat detection systems and more. If anything, this could make us less secure unless the Biden administration clarifies this.

The Open Language In The Strategy Lends Itself To The Perception Of Censorship

The second point in the strategy states:

“Disrupt and Dismantle Threat Actors – Using all instruments of national power, we will make malicious cyber actors incapable of threatening the national security or public safety of the United States…”

This is another excellent point. Whoever the “malicious cyber actors” may be, it’s important to address and combat malicious software that infects and disrupts the operations of an organization or government. Ransomware, banking trojans and other malicious software are essentially out of control and rampant.

The issue here is the overarching question of what a “threat actor” and a “threat” are in the eyes of this strategy. Disinformation campaigns from foreign intelligence agencies have been leveraging U.S. social media platforms for years, driving a wedge into society and tearing down trust. While there is little doubt that demonstrably false information should ideally be excised from the public forums that are the large social media platforms, the concern here is that an unhealthy percentage of people already believe they are reading the truth when they are reading disinformation.

Under the guise of “public safety,” this strategy could be interpreted by some as an attempt to quash any information that does not align with the President’s (or government’s) current viewpoint. Thus far, there has been no perfect solution for finding and removing only disinformation. Inevitably, factual information may be caught up in the removal process, which then reinforces the belief, among those who already accept disinformation, that a conspiracy is afoot when there isn’t one.

The administration’s best bet is to clear up this language and explicitly express what, exactly, “public safety” means in this context.

This Strategy May Require Weaponizing CISA, Which Is A Serious Long-Term Mistake

For any policy of this kind to be effective, it has to have teeth. Failure to comply has to have ramifications like financial penalties, the possible revocation of the right to conduct business or even potential jail time. So the question becomes: Which agency is best suited to be the enforcer for this strategy?

Naturally, the Cybersecurity and Infrastructure Security Agency (CISA) seems like the best fit. Staffed with actual cybersecurity professionals and leaders, it seems like a no-brainer. However, this would be one of the worst choices for enforcement.

The mission of CISA is to be a partner to all sectors of critical infrastructure. The agency helpfully issues guidance, offers education and provides many other services that essentially make it a trusted partner for the entire country. Requiring CISA to enforce cybersecurity policy is at odds with its core mission. If that were to actually happen, businesses would see CISA not as a helpful resource but as an entity to be feared.

The government already has enforcement wings that would be well suited to taking on this mission. The Federal Trade Commission, the Securities and Exchange Commission and others already strike fear into the hearts of corporations from coast to coast, so what’s one more enforcement task for them to do?

Clearly, the United States is behind in laws and policies that help secure our national infrastructure, educate the general population and also protect the Constitutional right to privacy online. Overall, I think a strategy of this stripe was needed under previous presidents, and now that we have it, it needs to be recognized for what it is—an excellent start down the road to a more secure country. If the administration is able to address the above issues, I think we will be better off as a nation in the long run.



