The new US administration’s approach to modernizing the nation’s cybersecurity defenses was laid out by Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology, National Security Council, during a keynote session on day two of the virtual RSA Conference 2021.
Neuberger began by describing the increasingly dangerous cyber-threat landscape, noting that President Joe Biden’s administration has already had to deal with two large-scale incidents during its first 100 days in office—the SolarWinds and Microsoft Exchange attacks.
“Governments and companies are under constant, sophisticated and malicious attack from nation-state adversaries and criminals,” she said, adding that “today, more than ever, cybersecurity is a national security imperative.”
In this environment, Neuberger stated, it is time to shift the mindset from incident response to prevention. “I’ve observed that as a community we’ve accepted that we’ll move from one incident response to the next,” she said. “While we must acknowledge that breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate.”
With this principle in mind, Neuberger set out three areas the current US federal government is focusing on to enhance the nation’s cybersecurity:
1. Modernize Cyber-defenses
Neuberger said the SolarWinds attack demonstrated that “some of the most basic cybersecurity measures were not systemically rolled out across federal agencies.” These include multi-factor authentication, encryption and endpoint detection.
As well as mandating these basic security hygiene measures in government, Neuberger said the administration is also introducing ways to ensure that the security of the software it purchases from vendors is up to scratch. She explained that the products the government buys “often include defects and vulnerabilities.” According to Neuberger, developers accept these defects either because they expect to be able to patch them later or because they judge them not serious enough to fix.
“That’s not acceptable—it’s knowingly introducing unknown and potentially grave risks that adversaries and criminals then exploit,” she stated.
To tackle this issue, Neuberger said it is a priority of the government to ensure the software it buys is built securely from the start, “by potentially requiring federal vendors to build software in a secure development environment.” She added that this approach should have the knock-on effect of improving the security of software bought by organizations outside of government, such as schools and small businesses, since they purchase from the same vendors.
Another vital step in this area is to gain visibility into what software is developed securely and what isn’t, as it is currently impossible for customers to make this assessment. Neuberger explained: “Today we place our trust in vendors but we largely do it blindly, because we don’t have a way to measure that trust.”