The Trump administration’s long-awaited national cybersecurity strategy, which the White House released on Sept. 20, has been getting a lot of attention for the aggressive stance it takes toward adversaries in cyberspace.
However, the plan, the first comprehensive national cyber strategy since 2003, also has significant implications for federal IT security investments and changes to the government’s technology workforce.
The plan calls for investments in technology to improve federal cybersecurity efforts as well as efforts to build and sustain a stronger cybersecurity talent pipeline for the government.
As FCW reports, the plan also comes after several high-profile cyberattacks in the past few years, which National Security Advisor John Bolton cited in a call with reporters to unveil the strategy. They include the 2017 WannaCry and NotPetya attacks, as well as the 2018 ransomware attack that crippled much of Atlanta’s city government IT systems, which Bolton cited as “examples of how the U.S. and other governments are under siege from both nation-states and criminal hacking groups.”
The plan also comes as President Donald Trump declared October 2018 National Cybersecurity Awareness Month for the 15th year in a row. NCSAM was created as a collaborative effort between government and industry to “ensure every American has the resources they need to stay safer and more secure online,” as the National Cyber Security Alliance notes.
The Tech Investments Needed to Boost Cybersecurity
The report notes that information and communications technology “underlies every sector” in the United States, that ICT providers “are in a unique position to detect, prevent, and mitigate risk before it impacts their customers,” and that the government “must work with these providers to improve ICT security and resilience in a targeted and efficient manner while protecting privacy and civil liberties.”
According to the report, the government will bolster efforts to share information with the private sector “to enable them to respond to and remediate known malicious cyber activity at the network level.” Notably, this will include sharing classified threat and vulnerability information “with cleared ICT operators” and downgrading information to the unclassified level as much as possible.
The government will promote an “adaptable, sustainable, and secure technology supply chain that supports security based on best practices and standards.”
On Sept. 4, the House approved by voice vote a bill, HR 6430, the Securing the Homeland Security Supply Chain Act of 2018, which would grant the DHS secretary the power to block an IT vendor from working with DHS if it poses a risk to national security. That falls short of the recent call from Christopher Krebs, undersecretary of DHS’ National Protection and Programs Directorate, who has said DHS would push Congress to pass legislation that would grant it wide latitude to quickly bar companies that might pose cybersecurity risks from all civilian government supply chains.
The government will also “convene stakeholders to devise cross-sector solutions to challenges at the network, device, and gateway layers, and we will encourage industry-driven certification regimes that ensure solutions can adapt in a rapidly evolving market and threat landscape,” the report says.
Further, to incentivize cybersecurity investments, the government says it “will work with private and public sector entities to promote understanding of cybersecurity risk so they make more informed risk-management decisions, invest in appropriate security measures, and realize benefits from those investments.”
From a research and development perspective, the report says the government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure.
“Departments and agencies will align their investments to the priorities, which will focus on building new cybersecurity approaches that use emerging technologies, improving information-sharing and risk management related to cross-sector interdependencies, and building resilience to large-scale or long-duration disruptions,” the report says.
The government will also work with the private sector to facilitate the evolution and security of 5G wireless networks, explore technological and spectrum-based solutions, and lay the groundwork for innovation beyond next-generation advancements. Additionally, the government will examine the use of emerging technologies, such as artificial intelligence and quantum computing, “while addressing risks inherent in their use and application.”
Workforce Development Is a Key Element of Cybersecurity Plan
Technological innovation is only one side of the coin when it comes to building a more robust cybersecurity infrastructure. The report notes that a highly skilled cybersecurity workforce “is a strategic national security advantage.”
The United States, the report says, “will fully develop the vast American talent pool, while at the same time attracting the best and brightest among those abroad who share our values.”
The government will continue to invest in and enhance programs that build the domestic talent pipeline, from primary through postsecondary education, according to the report, noting that Congress may need to pass new legislation to help. The administration says it will work with Congress to “promote and reinvigorate educational and training opportunities to develop a robust cybersecurity workforce,” including federal recruitment, training, reskilling people from a broad range of backgrounds, and giving them opportunities to retrain into cybersecurity careers.
To improve recruitment and retention of highly qualified cybersecurity professionals to the government, the administration will continue to use the National Initiative for Cybersecurity Education Framework to “support policies allowing for a standardized approach for identifying, hiring, developing, and retaining a talented cybersecurity workforce.”
Additionally, the administration says it will “explore appropriate options to establish distributed cybersecurity personnel under the management” of the Department of Homeland Security to “oversee the development, management, and deployment of cybersecurity personnel across” the government, with the exception of the Defense Department and intelligence community.
The administration will also promote appropriate financial compensation for the federal cybersecurity workforce, as well as unique training and operational opportunities “to effectively recruit and retain critical cybersecurity talent in light of the competitive private sector environment.”
Further, the government will “promote and magnify excellence by highlighting cybersecurity educators and cybersecurity professionals,” and use public-private collaboration to develop and circulate the NICE Framework, “while also implementing actions to prepare, grow, and sustain a workforce that can defend and bolster America’s critical infrastructure and innovation base.”