In the past three years, the federal government has increased its efforts to advance cybersecurity technology and strategy. The Biden administration laid out its agenda in the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO), then offered a more sweeping vision in the March 2023 National Cybersecurity Strategy.
Although cyber innovations will come largely from industry and academia, the federal government is attempting to bolster those efforts by offering technical guidance and best practices, spearheading public/private collaboration and, in some cases, making financial investments.
Here are some key issues on the current cyber agenda.
********************************
Strengthen Software Supply Chain Security
WHAT’S AT STAKE
Whether developed in-house or procured from the commercial market, every major application includes countless open source and commercial software components. The problem is that agencies often can’t identify all those components or their source, i.e., the software supply chain. As a result, an application might contain numerous vulnerabilities that might not be discovered until it’s too late. For example, in 2021, malicious actors exploited a vulnerability in Log4j, a popular open source component, to infiltrate systems across the public and private sectors.
WHAT’S BEING DONE
The Biden administration has made software supply chain security a pillar of its efforts to improve cybersecurity nationwide and in the federal government. These are some current initiatives:
- As part of its May 2021 EO, the administration is pushing for widespread adoption of software bills of materials (SBOMs), which detail the software components of applications.
- CISA, which has taken the lead on advancing the use of SBOMs, has published numerous resources, including the Software Bill of Materials (SBOM) Sharing Lifecycle Report and Securing the Software Supply Chain: Recommended Practices Guide for Customers.
- The General Services Administration plans to develop a contract through which agencies can buy supply chain risk management tools and services.
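An added example, not from the article or any agency program, of what an SBOM makes possible: a short Python script parses a constructed CycloneDX-style SBOM, flags a component whose version is below the first fixed version in a constructed advisory table (the Log4j case above), and lists components whose source cannot be pinned down because they carry no package URL. The SBOM contents, the advisory table and its fixed version are assumptions for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM for this example (not a real inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "legacy-util", "version": "1.0"}
  ]
}"""

# Constructed advisory table: (group, name) -> first fixed version.
# Placeholder for the example; a real pipeline would consume vendor or NVD feeds.
ADVISORIES = {("org.apache.logging.log4j", "log4j-core"): "2.15.0"}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable numeric triple."""
    nums = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        nums.append(int(match.group()) if match else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)

def load_components(sbom_text: str) -> List[Dict]:
    """Return the component list from a CycloneDX JSON document."""
    return json.loads(sbom_text).get("components", [])

def find_affected(components: List[Dict], advisories: Dict) -> List[Tuple[str, str, str]]:
    """Components whose version is below the advisory's first fixed version."""
    hits = []
    for comp in components:
        key = (comp.get("group", ""), comp.get("name", ""))
        fixed = advisories.get(key)
        if fixed and parse_version(comp.get("version", "0")) < parse_version(fixed):
            hits.append((key[0], key[1], comp.get("version", "")))
    return hits

def missing_provenance(components: List[Dict]) -> List[str]:
    """Components with no package URL, i.e. whose source cannot be pinned down."""
    return [c.get("name", "?") for c in components if not c.get("purl")]
```

Running `find_affected(load_components(SBOM_JSON), ADVISORIES)` reports the outdated log4j-core entry, while `missing_provenance` reports the component with no package URL, which is the inventory gap the paragraph above describes.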
********************************
Reverse the Gains of Ransomware Gangs
WHAT’S AT STAKE
Ransomware continues to bedevil the public sector, with hackers targeting organizations that deliver essential services such as public safety, hospitals, schools and local government. Often, when organizations refuse to pay up, hackers retaliate by dumping the data on the web. That is how it played out for Oakland, California, which was the victim of an attack in early 2023. Eventually, city employees, whose data was exposed, filed a class-action lawsuit against the city.
WHAT’S BEING DONE
The federal government is working with organizations across the public and private sectors to undermine ransomware gangs. Here are some current initiatives:
- CISA has teamed with the FBI, the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center to provide new guidance on how to detect, prevent, respond to and recover from ransomware attacks.
- As mandated by the National Cybersecurity Strategy, the State Department is working with the Joint Ransomware Task Force (co-chaired by CISA and the FBI) to develop an “international engagement plan” aimed at shutting down safe havens and cooperating on transnational cybercrime.
- CISA has launched the Ransomware Vulnerability Warning Pilot Program, which aims to help critical infrastructure organizations identify and mitigate vulnerabilities before they can be exploited.
********************************
Close the Cyber Workforce Gap
WHAT’S AT STAKE
Even as the global cyber workforce is now larger than ever, “the demand for skills still far exceeds the supply,” according to a November 2023 study by ISC2, an association for cybersecurity professionals. That gap means federal agencies face stiffer competition for cyber talent: More than half say staffing challenges make it difficult to improve their response to cybersecurity incidents, according to a December 2023 report from the Government Accountability Office.
WHAT’S BEING DONE
The Biden administration plans to explore ways to expand the capacity of two cyber workforce programs that have proven effective so far:
- The CyberCorps Scholarship for Service, which provides scholarships for up to three years of cyber-related studies in exchange for an equal amount of time of work in government.
- The DoD Cyber Scholarship Program, a similar program that offers scholarships to improve both recruitment and retention efforts.
States are also getting creative to expand their cyber talent, according to a 2023 survey of state chief information officers. Two popular tactics include offering hybrid or remote work and working with K-12 and/or higher education to recruit cybersecurity workers.
********************************
Prepare for Quantum-Era Hackers
WHAT’S AT STAKE
The race is on: Can researchers develop encryption tools that can withstand attack by quantum computers before quantum computers enter the mainstream? Mathematics is the key. Current encryption approaches work because cracking them requires solving mathematical problems that are beyond traditional computers’ power. But quantum computers are expected to provide enough firepower to crack many widely used encryption algorithms. It’s an “emperor has no clothes” scenario.
WHAT’S BEING DONE
The federal government, which is leading the advancement of quantum computing, is accelerating efforts to develop what has been dubbed post-quantum cryptography (PQC). Here are some of the initiatives underway:
- As part of an update to the Federal Cybersecurity Research and Development Strategic Plan, federal agencies will partner with academia, manufacturers and the technology industry to spur more R&D work.
- The National Institute of Standards and Technology has published three draft standards for quantum-resistant encryption tools, which are expected to be finalized in 2024.
- CISA, NSA and NIST are encouraging organizations to begin planning their migration to PQC, especially if they manage critical infrastructure.
********************************
Above all, the Biden administration believes the federal government can drive advances in cybersecurity by leading by example. “The private sector should follow the government’s model in preparing its own network and systems for our postquantum future,” states the National Cybersecurity Strategy.
This article appeared in our guide, “The 2024 Cyber Agenda.”