While economic issues such as inflation and international conflict garner the most attention from politicians in Washington D.C., the Biden White House continues to funnel energy and resources into addressing the nation’s cybersecurity, especially issues related to critical infrastructure and cyber resilience.
With the release of the first version of its National Cybersecurity Strategy Implementation Plan on July 13, the Biden administration is detailing 65 cybersecurity initiatives, with 18 federal agencies playing a significant role in implementing various improvements. These include building better defenses, combating threat actors (especially ransomware), and increasing transparency around how software applications are built and distributed to help strengthen the supply chain.
The strategy also calls for building international partnerships and bolstering the federal workforce by hiring skilled tech and cyber profs who can address these issues. “This plan details more than 65 high-impact Federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy,” according to a White House fact sheet.
The strategy, while a major component of President Biden’s cybersecurity agenda, is actually one of several initiatives from the administration. In mid-July, for instance, the White House rolled out a voluntary labeling program for smart and connected devices to show when they meet particular security standards, according to the Washington Post.
The release of the cybersecurity strategy plan and other security programs shows the administration is attempting to address many longstanding issues related to cybersecurity threats and the effect they can have on the nation’s security, said Robert Hughes, CISO at RSA.
“The Biden Administration’s National Cybersecurity Strategy Implementation Plan has the right goals: We all want to defend critical infrastructure, disrupt threat actors and drive security and resilience,” Hughes recently told Dice. “A strong plan could not come at a better time—we are seeing 2023 shape up as a year where ransomware payments are back up and approaching the all-time high they reached in 2021 after a dip in 2022. With stakes that high, we will not see behavior change from our adversaries.”
Building a Better Federal Cybersecurity Workforce
While the Biden administration seeks to build up the federal cybersecurity workforce, it’s facing an increasingly tight supply of tech talent. CyberSeek, a joint initiative of the National Institute of Standards and Technology’s (NIST) Nice program, lists more than 660,000 open cybersecurity jobs in the U.S., which includes the public and private sectors.
Another challenge is addressing the talent gap and encouraging younger workers to consider cybersecurity as a profession. Here, the Biden strategy lacks specific details, with the documents only noting: “The Office of the National Cyber Director will lead the development of the National Cyber Workforce and Education Strategy and will drive, coordinate, and report on initial stages of implementation of the strategy.”
For industry experts like Rick Holland, CISO at ReliaQuest, there must be additional attention around early education.
“To build a cyber workforce that can defend the public and private sectors, we must invest in school programs for children from middle school through the collegiate ranks,” Holland told Dice. “Students should be aware of cybersecurity principles to protect themselves, but they should also learn about the job opportunities in the cybersecurity field. Without a continuous pipeline of cyber security practitioners, we won't be able to impact the workforce shortage significantly.”
Holland would also encourage more training for security operation center (SOC) analysts, since identifying and detecting malicious activity is foundational. “The experience gained as a SOC analyst is a great steppingstone to other positions within cybersecurity,” he added.
Other issues with creating a robust federal cybersecurity workforce include closing the pay gap between the private and public sectors, ensuring better work-life balance and helping those who serve in the military to accommodate their family needs, noted Samuel Kinch, director for technical account management at security firm Tanium.
“I believe it will be a long-term, consistent effort of closing the pay gap, enforcing the balance between work and life, leaders who own and properly execute force development in their hierarchies and reducing deployment timeframes that undermine critically important relationships,” Kinch told Dice. “Lastly, there is plenty of room for creative solutions. One example is a federal cyber force auxiliary that allows for civilian surge capacity when federally needed. Several states have similar constructs already in place.”
Pillars and Security Skills
The White House began publicly discussing its cyber strategy in March, and the document released this month expands on the same five pillars outlined in the initial plan. These include:
- Defending critical infrastructure.
- Disrupting and dismantling threat actors.
- Shaping market forces to drive security and resilience.
- Investing in a resilient future.
- Forging international partnerships to pursue shared goals.
The more detailed plan released this month expands on these five pillars.
For example, the document adds details on the third pillar, which includes developing a Software Bill of Materials to ensure that applications use secure code and that users can document how these apps are built—ensuring a more secure supply chain. The document also noted that the U.S. Cybersecurity and Infrastructure Security Agency is taking a lead role in these developments and will work to create a database that will detail end-of-life and end-of-support dates for various applications.
Each of these pillars details the type of skills that tech pros who are interested in government work will need to develop for employment or to retrain themselves, said Patrick Harr, CEO of security firm SlashNext.
“Each pillar is calling for skills, tools and protocols to strengthen cyber resilience and combat threats. There is a need to invest in building a skilled information security workforce by investing in training and education to increase the talent pool, which struggles to fill jobs today,” Harr told Dice. “However, there will never be enough people to address the growing needs of a complex and ever-changing threat landscape, so it’s important to invest in cybersecurity tools that use automation, machine learning and artificial intelligence to stop this scourge of threats.”
The cybersecurity plan also details how federal agencies must move to zero trust, a security model that re-enforces the principle of least privilege and creates a defense-in-depth security posture. Under the fourth pillar of investing in a resilient future, the White House details how CISA and the Office of Management and Budget will oversee the adoption of zero trust as well as other initiatives like encryption.
Although zero trust has gained significant attention over the years, the concept remains new. It’s critical to invest in tech pros who understand the concept and can help take steps to build this type of cyber defense, said Sunil Muralidhar, vice president for growth and strategic initiatives at ColorTokens.
“Zero trust challenges the traditional security paradigms as it is a revolutionary concept. Such a change cannot be brought with traditional thought processes and approaches,” Muralidhar told Dice. “To ensure the durability of security investments, agencies should invest in training their employees on zero trust and invest in platforms that provide an integrated and holistic approach to zero trust.”
Looking at the five pillars, RSA’s Hughes noted that the White House cyber plan will require skilled workers who can help move the government away from legacy systems.
“The skillsets needed will not just be deep security, automation and cloud skills,” Hughes said. “Identifying and updating legacy systems may take security guidance, but there also needs to be sufficient IT staff and project management—and the willingness to change. Implementing new systems that allow the use of secure processes takes persistence, critical thinking and leadership—including the ability to document existing issues and push for change.”
Years in the Making
Several experts noted that the attention to these issues is long overdue. It will take years, however, to bring U.S. agencies up to speed, including building the right tech workforce.
“The initiatives in the National Cybersecurity Strategy Implementation Plan are steps in the right direction, but it will be in some cases years before we see their impact. Still, I am excited to see the government take action that has long been called for, but my excitement is tempered by the recognition that these are just the first steps along a potentially very long path,” said Georgia Weidman, security architect with Zimperium.