CISA Outlines Plan to Get Ahead of Cyberthreat Groups – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

The nation’s top cybersecurity agency is envisioning a future where the federal government and private companies alike set the rules of the game against threat groups and bad actors rather than constantly reacting to attacks after they happen.

In its recently released FY-2024-2026 Cybersecurity Strategic Plan, the Cybersecurity and Infrastructure Security Agency (CISA) lays out ways for the public and private sectors to not only address immediate threats – in large part through broad collaboration – but also to adopt strong security practices to reduce the likelihood of damaging attacks and push tech providers to build and ship products with security built in.

The plan takes into account the evolving IT environment and upcoming technologies like AI and quantum computing, both of which hold the promise of huge technological and societal benefits as well as their share of risks. Hackers will have access to these technologies as well.

“We know that connected technologies underpin every aspect of our lives, our businesses, our communities, our families, often in ways that allow us to be more connected, productive, efficient than ever before,” Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post announcing the plan. “But malicious cyber actors recognize this dependence as well, and continuously work to exploit it for financial or strategic gain.”

The attackers often succeed, “enabled by an environment of insecurity, in which our enterprises are too difficult to defend, and our technology products are too vulnerable to protect,” Goldstein wrote.

The 36-page strategic plan updates the first one, which covered FY 2023-2025 and was released in September 2022. It also aligns with the National Cybersecurity Strategy the Biden Administration released in March, the latest push by the White House to strengthen the nation’s cyber capabilities.

The aim is to reach the point where “damaging cyber intrusions are a shocking anomaly” by investing in a “future where collaboration is a default rather than an exception; where innovation in defense and resilience dramatically outpaces that of those seeking to do us harm; and where the burden of cybersecurity is allocated toward those who are most able to bear it,” the strategic plan reads.

Three Main Goals

The plan revolves around three goals, the first of which is to take on immediate threats by making it more difficult for attackers to get what they want from attacking US networks and those of allies. That goal comes as cybersecurity firm Malwarebytes in a recent report noted that between July 2022 and June 2023, there were 1,462 ransomware attacks in the United States, accounting for 43% of such attacks worldwide during that time.

The next six countries were the UK, Canada, Germany, Italy, France, and Spain.

“We will work with partners to gain visibility into the breadth of intrusions targeting our country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of exploitable conditions that adversaries recurringly exploit,” CISA’s report states.

The agency also says it will create guidance and direction to help organizations adopt strong practices to not only protect their IT environments but also to make them more resilient so when an attack occurs, it is less damaging to employees, partners, and users.

The third goal is ensuring that tech providers prioritize security by building it into their products throughout the development cycle. This dovetails with the ongoing “shift left” DevOps push to move security, testing, and other measures earlier in the development cycle. CISA is encouraging that, as well as making sure products ship with secure defaults and that there is broad transparency so that customers understand the risks involved when they use a product.

“Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present – including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing,” the report states.

Where the Public and Private Sectors Part Ways

Zane Bond, head of product at cybersecurity software company Keeper Security, told Security Boulevard that CISA’s strategy did a good job touching on areas like national prioritization and a broader awareness of cybersecurity as a key component of national security.

That said, the motivations, goals, and solutions behind attacks on the private and public sectors often differ, so recommendations for government agencies won’t always dovetail with the needs of private companies. That includes having the resources needed to address many of the strategy’s larger goals, such as modernizing infrastructure, growing the workforce, or preparing for quantum computing, Bond said.

“Most private sector companies are focused on the more simple and straightforward cybersecurity measures like secure password management, installing software updates, and ensuring they have adequate antivirus protection,” he said.

In addition, most organizations can’t afford the billions of dollars needed for investing in long-term programs.

“While this strategy illuminates important, albeit costly, national and international priorities for our government, the private sector must remain focused on the actionable changes they can make each and every day to improve cybersecurity within their own businesses, no matter how large or small those security measures may be,” Bond said.

Original Post URL: https://securityboulevard.com/2023/08/cisa-outlines-plan-to-get-ahead-of-cyberthreat-groups/

Category & Tags: Application Security, Cybersecurity, Data Security, Featured, IoT & ICS Security, Network Security, News, Security Boulevard (Original), Spotlight, cisa, Ransomware