Since taking office more than two years ago, President Joe Biden has mainly focused his administration’s policies on hot-button issues such as the COVID-19 pandemic, an uncertain economy and high inflation, and international conflicts, specifically regarding China and Russia.
From his campaign through the start of his presidency, Biden additionally spoke about strengthening U.S. cybersecurity following a series of well-publicized incidents such as the SolarWinds attack. He first signed an extensive executive order in 2021 to boost security across the federal government. With the release of the new White House National Cybersecurity Strategy this month, the administration is taking further steps to address cybersecurity.
This realigning of cybersecurity priorities likely signals a significant change for tech and security pros—not only an additional push to hire more workers but also a rethinking of the skillsets required to carry out the core missions contained in the strategic plan.
“To recruit and train the next generation of cybersecurity professionals to secure our digital ecosystem will require Federal leadership and enduring partnership between public and private sectors,” according to the 30-page cyber strategy published on March 2.
The strategy document drew praise from many who see it as a major step forward for cybersecurity, especially for its attention to building resiliency into the software supply chain.
“The National Cybersecurity Strategy is a significant step in the right direction to bolster the security of software and cloud services and should be applauded,” said Ryan Kalember, executive vice president for cybersecurity strategy at Proofpoint. “The goal is to reduce the amount of vulnerabilities and dissuade companies and developers from cutting corners with a ‘ship first, patch later’ mentality. Currently, businesses aren’t incentivized to adopt a ‘secure by default’ approach—some organizations are overly focused on moving fast to create more adoption or a frictionless experience at the expense of security, unfortunately.”
And while the document addresses a wealth of cybersecurity issues facing the U.S., some experts would have liked to have seen the Biden administration push even further to help with hiring, training and budgeting for these initiatives.
“The Biden administration cybersecurity order is a mixed bag. It covered a lot of important areas, but ultimately, I was hoping for something more audacious—and for something that allocated the budget and personnel needed to improve our country’s cybersecurity,” Robert Hughes, CISO for RSA, told Dice. “The strategy asks government and industry to do better when it should have given us the strategy and resources we need to be the very best.”
Setting Cybersecurity Priorities
While the strategic document is a blueprint for how the entire federal government, as well as large sections of private business, should approach cybersecurity in the coming decades, the Biden administration is specifically focused on five pillars:
- Defending critical infrastructure.
- Disrupting and dismantling threat actors.
- Shaping market forces to drive security and resilience.
- Investing in a resilient future.
- Forging international partnerships to pursue shared goals.
While the strategy will have far-reaching consequences across the federal government—and for those elected officials and policymakers who must now iron out the details—several security experts noted that the emphasis on building resilience and security into the software countless organizations use will have some of the biggest effects on tech and security professionals.
The strategy will also test the ability of the government and the private sector to hire enough cybersecurity and tech pros at a time when hundreds of thousands of cybersecurity positions remain open.
“The National Cybersecurity Strategy is a positive shift in building a more secure future and more resilient software. However, it will take extensive time, human resources and investment in compatibility and interoperability to actually implement these strategies,” Melissa Bischoping, director of endpoint security research at security firm Tanium, told Dice. “We currently have hundreds of thousands of unfilled positions in cybersecurity, so in order for this strategy to become a reality, we need to focus on building and deploying technology that is more user- and admin-friendly, along with solutions that integrate with defense-in-depth approaches and zero-trust frameworks.”
Bischoping sees the strategy as increasing the need for tech and cybersecurity pros who understand the software supply chain, including those with skills and expertise in DevSecOps, secure software development, and networking and application testing. The concern is that building a cybersecurity workforce with these skills needs sustained investment.
“It will take intentional and ongoing investment in education, hands-on training, internships and certifications to ensure we’ve trained a workforce capable of meeting the technical needs outlined in the National Cybersecurity Strategy,” Bischoping added.
Darren Guccione, CEO and co-founder at Keeper Security, said he appreciated the scale and scope of the strategy but remains concerned about hiring enough skilled workers to make it a reality.
“As demand for cybersecurity professionals continues to grow, the private sector and federal government are both fighting the talent war for a limited pool of qualified employees,” Guccione told Dice. “Public awareness campaigns such as CISA’s ‘See Yourself in Cyber’ aim to tilt the tables toward federal cybersecurity hiring, but it will take a collective effort and public-private collaboration to address the broader needs of the cybersecurity community.”
Another concern is having a skilled team of tech and cybersecurity pros who understand how software and hardware are created now, and how technological developments such as artificial intelligence (A.I.) can change the equation.
“While tools are rapidly being built with effective A.I.- and machine learning-based threat modeling and early warning capabilities, the cultural barrier of actually understanding and rapidly remediating findings is still present,” Landen Brown, field chief technology officer for federal at Symmetry Systems, told Dice. “Time and time again, we see new tools being made and purchased, while the findings of that tool are not acted upon or used to make positive change in the overall security posture.”
RSA’s Hughes noted that building secure code is one thing, but protecting against sophisticated nation-state groups is another matter. In his estimation, the White House still needs to invest more in defense and build up a skilled federal workforce that can counter these attacks.
“In the U.S., commercial software is endangered far more frequently by nation-states taking shots at our code than it is by birds mistakenly flying into our engines. We need to adjust our defense budget accordingly and be far more aggressive about disrupting cyberattacks,” Hughes added. “And that’s where I do see some promise in the cybersecurity strategy, which calls for disrupting and dismantling threat actors—and calls out some of the highest-frequency, highest-impact offenders by name.”
Zero Trust and Cloud
The cybersecurity strategy also notes that many of these new initiatives will be built around zero trust, a concept that seeks to reinforce the principle of least privilege and to create a defense-in-depth security posture.
Currently, the Office of Management and Budget (OMB) is spearheading this effort to ensure many federal agencies adopt zero trust principles, including using multifactor authentication, deploying data encryption, investing in identity and access management platforms, creating better visibility into the attack surface and adopting cloud tools.
This means not only training a new generation of cybersecurity workers but also making sure IT and tech pros are much more security aware and that other employees know the risks, said Guillaume Ross, deputy CISO at security firm JupiterOne.
“It will be important to not only prioritize reducing the attack surface as much as possible but also to ensure developers, IT and even business and process management people integrate security into their own day-to-day,” Ross told Dice. “Improving the security skills of a million developers and IT workers would have a much better impact than training up a million new ‘security people’ from scratch.”
Keeper Security’s Guccione also noted that moving into areas such as zero trust and cloud will only increase the demand for these types of skilled practitioners.
“The federal push toward secure cloud services and implementing a zero trust security architecture through Executive Order 14028 will likely raise demand for cybersecurity practitioners with expertise in those specific areas,” Guccione said. “If America aims to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure, as outlined in the strategy, the government must put its money where its mouth is, through continued investment and support. This strategy is a roadmap. Now, the real work begins.”