The U.S. and even its international partners need to stress greater investments in preventing cyber breaches through a number of means, and there also needs to be an emphasis on better securing the software supply chain, a White House National Security Council (NSC) official said on Thursday.
Incident response is, and will remain, an important element to cyber security preparedness but, “We can’t accept as reality we’re always going to be in crisis and response mode and just moving from event to event,” Jeffrey Greene, acting senior director of the NSC’s Cyber Directorate, told an online meeting of the National Security Telecommunications Advisory Committee (NSTAC).
Greene said there needs to be a “shift” in “mindset” so that prevention becomes a “priority, both in our policies and our investment.” In addition to “wide-scale investments,” prevention will include “Immediate innovations” and “raising the bar of essential cyber hygiene,” he said.
Some of the mechanisms that the administration is reviewing to help strengthen cyber defenses include making better use of federal procurement options, drawing on lessons learned from recent incidents, detection of cyber attacks and information sharing, he said.
He also singled out the software supply chain, which was the culprit in a recent hack of network management software supplied by the software company SolarWinds [SWI] and used widely by government and private sector entities, as an area where the government can lean in to make a difference.
“One thing in particular we’ve looked at is, ‘Are there ways that we can leverage government influence to substantively and rapidly improve the quality and security of software looking at the supply chain there?’” Greene said. “Current software development at times can lack consistent control,” he said, adding that “we’re going to need all developers across all different types of companies and all different types of software to implement more rigorous and predictable mechanisms to ensure that their products are going to behave as intended and as designed.”
Greene outlined a “three-pronged” approach to the Biden administration’s cybersecurity priorities, with the first being modernizing cyber defenses. The administration, through an economic stimulus package, has already begun to bolster federal cybersecurity funding through a new $650 million infusion for the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA). The exact spending plan hasn’t been detailed, but CISA officials have said much of it will go toward tools to better monitor and detect incidents on federal civilian agency networks.
The second prong is around leading international efforts with allies and partners and working together on issues such as artificial intelligence and machine learning, 5G, quantum computing and semiconductors, Greene said.
U.S. leadership in cybersecurity includes “strengthening our partnerships and looking to counter adversaries and competitors who are leveraging technology in ways to try to undermine both our economic and national security,” he said.
The third prong, which is a perpetual area of focus, is around public-private partnerships and stronger collaboration and improving “bi-directional” information sharing to better “detect and stop malicious cyber actors before they gain access to our networks,” Greene said. This coordination and collaboration between the public and private sectors, and with international partners, needs to continue to improve, he said.
The NSTAC, a public-private partnership that provides advice and recommendations to the president to strengthen the availability and reliability of telecommunications services, on Thursday unanimously approved a new report on communications resiliency.
The “fundamental conclusion” of the report “is modern networking technologies, implemented prudently but without delay will significantly increase our nation’s overall resilience while positioning the nation’s economy to achieve operational efficiencies and re-establishing United States leadership in next-generation technologies,” said Jeffrey Storey, co-chair of the NSTAC’s Communications Resiliency Subcommittee and the president and CEO of Lumen Technologies [LUMN].
Greene also tasked the NSTAC with a new study that the White House would like completed in phases over the next 18 months. The study topic, which the NSTAC accepted, is enhancing future internet resilience.
There will be four subcommittees to the new effort, including software assurance, with a draft due in November, zero-trust, convergence of information technology and operational technology, which would be due in August 2022, and a strategy for increasing trust in information and communications technologies systems.
“Our goal would be recommendations on how the government can overcome these challenges as well as embracing whatever associated opportunities there are for improving long-term internet resilience,” Greene said.