Compliance Pointers for the New National Cybersecurity Strategy: Defending Critical Infrastructure and Investing in Tomorrow
From IC Insider Thales Trusted Cyber Technologies
By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies
In early March, the Biden-Harris Administration released its new National Cybersecurity Strategy. The strategy builds upon momentum established by the administration’s previously released cybersecurity initiatives including the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).
The strategy recognizes that “robust collaboration, particularly between public and private sectors, is essential to securing cyberspace.” To that end, the document seeks to build and enhance collaboration around five pillars:
- Defend Critical Infrastructure,
- Disrupt and Dismantle Threat Actors,
- Shape Market Forces to Drive Security and Resilience,
- Invest in a Resilient Future, and
- Forge International Partnerships to Pursue Shared Goals
The strategy also contains many initiatives that apply to public and private organizations, state and local governments, utilities, healthcare, and educational industries. The good news is federal agencies can get a head start on implementing several initiatives today.
It’s outside the scope of this commentary to address the details of all five pillars in the cybersecurity strategy. Instead, we’ll focus on Defending Critical Infrastructure and Investing in a Resilient Future.
Let’s look more closely at each of these two pillars in particular.
Defend Critical Infrastructure: The Need for Zero Trust Architecture
In describing the “Defend Critical Infrastructure” pillar, the strategy document underscores the need to “give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides.” Among other ways to develop confidence in the critical infrastructure, the strategy notes in particular “defending and modernizing Federal networks and updating Federal incident response policy.”
Building on the momentum of EO 14028 and NSM 8, the administration is committed to driving “long-term efforts to defend the Federal enterprise and modernize Federal systems in accordance with zero trust principles that acknowledge threats must be countered both inside and outside traditional network boundaries.”
This is as it should be, because the best way for agencies to protect their data from attacks is by implementing a zero trust architecture. That, of course, requires implementation of a variety of initiatives:
Planning. Zero trust starts by understanding that networked devices should not be trusted blindly, even if they have been verified and connected to a managed agency network. The safest place to start is to assume that networks either have been or will be compromised. From there, it’s essential to put a zero trust plan into effect.
Zero trust planning demands a data-centric approach to security. Files containing sensitive information, and anything else requiring protection, must be adequately addressed regardless of where the data resides – on premises, in the cloud, or in a hybrid environment. This should be an automatic operation, with sensitive data identified as soon as it enters an agency’s IT ecosystem. This data should be secured with policy-based protection across the data lifecycle.
Multifactor Authentication. In essence, multifactor authentication ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity. Because multifactor authentication requires multiple means of identification at login, it is generally considered to be the most secure method for authenticating access to data and applications.
The best solutions for multifactor authentication address numerous use cases, assurance levels, and threat vectors with unified policies managed from a central platform delivered in the cloud or on premises. Methods of authentication should include context-based authentication combined with step-up capabilities, out-of-band authentication, one-time password and X.509 certificate-based solutions. Authentication methods should be available in numerous form factors, including smart card, USB token, software, mobile app, and hardware tokens.
Data Encryption. Data-at-rest encryption with privileged user access controls can considerably improve security. It not only protects data-at-rest, but also encrypted workloads in the cloud. Role-based access policies enable a zero trust architecture by controlling who, what, where, when and how data can be accessed. Granular access controls enable administrative users to perform their duties while restricting access to encrypted data.
Optimal data-at-rest encryption solutions should be able to deliver granular encryption and role-based access control for structured and unstructured data, whether that data resides in file servers, databases, applications, or storage containers.
It is essential to protect network transmitted data against cyber-attacks and data breaches. This calls for high-assurance network encryption, with secure, dedicated encryption devices to protect data-in-transit. To truly be called “high assurance,” devices must use embedded, zero-touch encryption key management; provide end-to-end, authenticated encryption and use standards-based algorithms.
Agencies should look for network encryption solutions that provide a single platform to encrypt everywhere, from network traffic between data centers and the headquarters, to backup and disaster recovery sites, whether on premises or in the cloud. High-assurance network data encryption enables an organization to have the confidence that its data will be useless in unauthorized hands.
Manage Authorization and Access. Agencies need visibility into who and what is accessing sensitive data, including privileged users who may be assuming the identity of other users. An ideal way of monitoring that type of activity is by maintaining a log of the time, place, and individuals accessing the data, as well as what action took place.
Logs offer deep visibility into data access, which can alert administrators to unauthorized access attempts to protected data. Such logs can also be used to understand typical access patterns when combined with other infrastructure and access information. For example, consider a user that typically accesses information in small quantities inside a local network. If that user suddenly starts accessing large amounts of data remotely, that could constitute a threat, which should generate an alert and prompt an investigation.
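The access-pattern check described above, as an added example that is not part of the original commentary or any Thales product: a user who normally reads small files from inside the network is flagged when the same account starts pulling large volumes from a remote address. The log format, the internal address ranges, the sample records, the 10x threshold and the 100 MB floor are all constructed for this example; a real deployment would take the baseline from a prior time window rather than from the same batch of records.

```python
from __future__ import annotations

import ipaddress
import statistics
from dataclasses import dataclass

# Constructed sample access-log lines for this example (not taken from any real
# system). Fields: timestamp, user, source IP, action, object, bytes transferred.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice 10.20.4.17 READ hr/payroll-q1.xlsx 48213
2024-03-01T09:15:40Z alice 10.20.4.17 READ hr/benefits.pdf 21088
2024-03-01T10:01:03Z alice 10.20.4.17 READ hr/org-chart.pptx 73310
2024-03-01T11:30:52Z alice 10.20.4.17 READ hr/payroll-q1.xlsx 48213
2024-03-01T13:05:09Z bob 10.20.7.2 WRITE eng/design.docx 150000
2024-03-01T13:06:14Z bob 10.20.7.2 READ eng/design.docx 150000
2024-03-02T02:47:19Z alice 203.0.113.45 READ hr/payroll-archive.zip 985000000
2024-03-02T02:49:33Z alice 203.0.113.45 READ hr/ssn-export.csv 412000000
2024-03-02T03:10:05Z carol 198.51.100.9 READ fin/ledger-full.db 320000000
"""

# Address ranges treated as "inside the local network" (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class AccessEvent:
    ts: str
    user: str
    src: str
    action: str
    obj: str
    nbytes: int

    def is_internal(self) -> bool:
        addr = ipaddress.ip_address(self.src)
        return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[AccessEvent]:
    """Parse whitespace-separated access records; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, obj, nbytes = line.split()
        events.append(AccessEvent(ts, user, src, action, obj, int(nbytes)))
    return events


def build_baselines(events: list[AccessEvent]) -> dict[str, float]:
    """Per user: median bytes per access observed from inside the network."""
    sizes: dict[str, list[int]] = {}
    for e in events:
        if e.is_internal():
            sizes.setdefault(e.user, []).append(e.nbytes)
    return {user: statistics.median(v) for user, v in sizes.items()}


def detect(events, baselines, factor: int = 10, floor: int = 100_000_000) -> list[dict]:
    """Flag remote accesses far larger than the user's typical internal access.
    A user with no internal baseline is flagged on any remote access >= floor."""
    alerts = []
    for e in events:
        if e.is_internal():
            continue
        base = baselines.get(e.user)
        if base is None:
            if e.nbytes >= floor:
                alerts.append({"ts": e.ts, "user": e.user, "src": e.src, "obj": e.obj,
                               "reason": "remote bulk access by user with no internal baseline"})
        elif e.nbytes >= factor * base:
            alerts.append({"ts": e.ts, "user": e.user, "src": e.src, "obj": e.obj,
                           "reason": f"remote transfer {e.nbytes / base:.0f}x the user's typical internal access"})
    return alerts


def run(text: str = SAMPLE_LOG) -> list[dict]:
    """Build baselines from the records, then evaluate every remote access."""
    events = parse_log(text)
    return detect(events, build_baselines(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each alert carries the who, where, what and when that the log already records, so an analyst can pivot straight from the alert to the underlying records; the threshold values are the knobs an agency would tune against its own traffic.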
Adopt Cloud Security Tools. Agencies must apply solutions to simplify the data security landscape. This applies to multiple cloud and legacy environments as well as cloud-oriented digital transformation applications.
Data security solutions should be able to protect data moving between clouds and out of the cloud to on-premises environments, using centralized data security solutions across multiple cloud platforms. Keep in mind that most cloud service providers (CSPs) have a “shared responsibility” view of security. These providers are responsible for securing the infrastructure that runs their cloud services. Data owners are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud.
CSPs generally offer native data security solutions to their users. However, data owners need to determine the sensitivity level of their cloud-stored data and apply the most appropriate security measures to protect said data. For example, in cloud deployments where security is less critical, agencies may choose to rely on a CSP’s native encryption and deploy additional cryptographic key management services (Bring Your Own Key). Or, for deployments where the highest level of security is required, agencies may choose to deploy Bring Your Own Encryption tools to their cloud environments.
Invest in a Resilient Future: Preparing for a Post-Quantum Future
The National Cybersecurity Strategy puts a great deal of emphasis on life after quantum, particularly in “Objective 4.3: Prepare for our Post-Quantum Future.” According to this objective, the nation needs to “prioritize and accelerate investments in widespread replacement of hardware, software, and services that can be easily compromised by quantum computers.”
The language in this objective goes on to say that “Strong encryption is key to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures and certify the accuracy of information. But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today.”
When preparing an infrastructure strategy for quantum-safe encryption, there are a few things to keep in mind:
Know your risks. Long-term data is already at risk: ciphertext harvested today can be decrypted once a capable quantum computer exists. IT managers and other network professionals must assess their organizations’ use of vulnerable cryptography, the expiration date of their encrypted data, and the crypto-agility maturity of their IT infrastructure.
Several sources are available to understand risks and to plan ahead. NIST offers a publication titled “Getting Ready for Post-Quantum Cryptography” to help monitor standards development, and perform risk assessment of where public-key crypto may be used in the infrastructure. It’s important reading to understand whether a network’s equipment is crypto-agile.
The National Cybersecurity Center of Excellence (NCCoE) has recently launched its “Migration to Post Quantum Cryptography” Project. Understanding that replacement of cryptographic algorithms is both technically and logistically challenging, the NCCoE is undertaking, in collaboration with a public and private sector community, a practical demonstration of technology and tools that can provide a head start on executing a migration roadmap. Thales Trusted Cyber Technologies is among the technology collaborators participating in this project.
Another excellent source of information is the NSA Post-Quantum Cryptography FAQ, which provides a concise summary of the subject.
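The three assessment questions above (which vulnerable cryptography is in use, how long the protected data must stay confidential, and whether the equipment is crypto-agile) can be turned into a repeatable inventory check. The following is an added example, not from the original commentary, NIST, NCCoE or NSA material; the inventory format, the sample systems and the ten-year assumed time to a quantum threat are constructed for illustration and should be replaced with an agency's own inventory and planning assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Public-key families whose security rests on factoring or discrete logarithms
# and is therefore broken by a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}

# Symmetric mechanisms only lose margin; flag key sizes below this instead.
SYMMETRIC_MIN_BITS = 256

# Assumed number of years until a capable quantum computer exists (constructed
# planning assumption for this example, not a forecast from any source).
ASSUMED_YEARS_TO_QUANTUM_THREAT = 10

# Constructed sample inventory: system,algorithm,key_bits,retention_years,agile
SAMPLE_INVENTORY = """\
# system,algorithm,key_bits,retention_years,agile
vpn-gateway,RSA,2048,15,no
backup-archive,AES,256,25,yes
legacy-radio,ECDSA,256,5,no
file-server,AES,128,3,yes
"""


@dataclass
class Asset:
    system: str
    algorithm: str
    key_bits: int
    retention_years: int   # how long the protected data must stay confidential
    agile: bool            # can the mechanism be swapped by config/firmware update


def parse_inventory(text: str) -> list[Asset]:
    """Parse the constructed CSV-style inventory; '#' lines are comments."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, alg, bits, years, agile = [f.strip() for f in line.split(",")]
        assets.append(Asset(system, alg, int(bits), int(years), agile.lower() == "yes"))
    return assets


def assess(asset: Asset, years_to_threat: int = ASSUMED_YEARS_TO_QUANTUM_THREAT) -> list[str]:
    """Return the findings for one asset (empty list means no action needed)."""
    findings = []
    if asset.algorithm in QUANTUM_VULNERABLE:
        findings.append("quantum-vulnerable public-key algorithm: schedule migration")
        # Data that must stay secret longer than the time to a quantum threat is
        # exposed to harvesting today, regardless of how fast migration proceeds.
        if asset.retention_years > years_to_threat:
            findings.append("retention exceeds time to quantum threat: exposed to harvest-now/decrypt-later")
    elif asset.key_bits < SYMMETRIC_MIN_BITS:
        findings.append("symmetric key below 256 bits: reduced margin against quantum search")
    if findings and not asset.agile:
        findings.append("not crypto-agile: remediation requires hardware replacement")
    return findings


def risk_report(text: str = SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Map each inventoried system to its findings."""
    return {a.system: assess(a) for a in parse_inventory(text)}


if __name__ == "__main__":
    for system, findings in risk_report().items():
        print(system, "->", findings or ["ok"])
```

The ordering of the checks matters: the retention test only applies to public-key mechanisms, because symmetric ciphers at adequate key sizes are not expected to be broken by quantum search, and the agility test is appended last so that the report separates "what is exposed" from "how hard it is to fix".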
Focus on crypto-agility. Crypto-agility requires flexible upgradeable technology and a hybrid approach of classic and quantum-resistant crypto solutions.
Remember that crypto-agility is not about quantum; it’s about being able to face the reality that all algorithms fail with time. Many systems today make it difficult to rotate keys, to choose different sizes/parameters, and to change mechanisms or key algorithms. These are all required for protocols to be versioned, negotiated and not to fail when presented with unknown options. They are essential for crypto-agility, and it’s important to work with providers with solutions that embrace those needs.
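The properties listed above (key rotation, changeable mechanisms, versioned and negotiated protocols that do not fail on unknown options) can be shown in a small protected-message format. This is an added example, not from the original commentary or any Thales product, and the suite identifiers, key-id scheme and "hybrid" entry are constructed for illustration: the hybrid suite here combines two HMAC hash families as a stand-in for the classic-plus-quantum-resistant pairing the text describes, since no standardized post-quantum mechanism is in the Python standard library. The pattern it demonstrates is what matters: one registry where mechanisms are added, an algorithm identifier and key id bound into every tag, and a negotiation step that skips names it does not know instead of aborting.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _hmac(hashname: str):
    """Build a MAC function for one hash family (stdlib HMAC)."""
    return lambda key, msg: hmac.new(key, msg, hashname).digest()


def _hybrid(first, second):
    """Combine two independent mechanisms with independent key halves.
    The tag verifies only if both components verify, so the construction
    stays sound as long as either component remains unbroken."""
    return lambda key, msg: first(key[:32], msg) + second(key[32:], msg)


# Mechanism registry: the single place a new algorithm is introduced.
# Suite identifiers are constructed for this example.
SUITES = {
    "v1-hmac-sha256": _hmac("sha256"),
    "v1-hmac-sha3-256": _hmac("sha3_256"),
    # Stand-in for a classic+PQ hybrid; a real deployment would pair the
    # classic mechanism with a standardized post-quantum one here.
    "v1-hybrid-sha256+sha3": _hybrid(_hmac("sha256"), _hmac("sha3_256")),
}


def negotiate(offered: list[str], supported=SUITES) -> str | None:
    """Pick the first offered suite we implement; unknown names are skipped,
    so a peer advertising a future suite does not break the handshake."""
    for name in offered:
        if name in supported:
            return name
    return None


class KeyStore:
    """Keys indexed by key id; rotating adds a new active key and keeps old
    ones so previously protected data still verifies."""

    def __init__(self):
        self.keys: dict[str, bytes] = {}
        self.active: str | None = None

    def rotate(self) -> str:
        kid = f"k{len(self.keys) + 1:04d}"
        self.keys[kid] = secrets.token_bytes(64)
        self.active = kid
        return kid


def _header_bytes(header: dict) -> bytes:
    return json.dumps(header, sort_keys=True).encode()


def protect(store: KeyStore, suite: str, payload: bytes) -> dict:
    """Tag the payload; version, suite and key id are bound into the tag so
    a tampered header (e.g. a downgraded suite) fails verification."""
    header = {"ver": 1, "suite": suite, "kid": store.active}
    tag = SUITES[suite](store.keys[store.active], _header_bytes(header) + payload)
    return {**header, "payload": payload.hex(), "tag": tag.hex()}


def verify(store: KeyStore, env: dict) -> bool:
    """Return False (never raise) for unknown versions, suites or key ids."""
    if env.get("ver") != 1:
        return False
    mac = SUITES.get(env.get("suite"))
    key = store.keys.get(env.get("kid"))
    if mac is None or key is None:
        return False
    header = {k: env[k] for k in ("ver", "suite", "kid")}
    expected = mac(key, _header_bytes(header) + bytes.fromhex(env["payload"]))
    return hmac.compare_digest(expected, bytes.fromhex(env["tag"]))


if __name__ == "__main__":
    store = KeyStore()
    store.rotate()
    chosen = negotiate(["pq-future-suite", "v1-hybrid-sha256+sha3"])
    env = protect(store, chosen, b"sensitive record")
    store.rotate()  # old key retained, so the envelope still verifies
    print(chosen, verify(store, env))
```

Swapping the mechanism is a registry edit plus a new suite name; nothing in the callers changes, which is the practical meaning of working with providers whose products "embrace those needs".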
Start today. This cannot be overstated, which is why National Security Memorandum 10 made a point of it. Organizations must begin now to design a quantum-resistant architecture to protect against the emerging quantum threat.
IT infrastructure equipment is often deployed for years or decades without hardware replacement. Consequently, it is important to make sure currently deployed hardware was developed with crypto-agility principles in mind, so that it can receive software or firmware updates once post-quantum crypto algorithms and protocols are standardized.
It is also important to check with equipment providers to see what beta or technology-preview firmware implementing pre-standardized quantum-resistant cryptographic algorithms they have available for testing in non-production systems. Testing will help identify performance or interoperability issues early and provide time to address the issues and mitigate the identified risks.
By taking the initiative on these two key pillars of the national cybersecurity strategy – zero trust architecture and post-quantum planning – as quickly as possible, agencies will have made major steps forward in complying with the strategy across the board.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.