Depending on how you look at it, President Biden’s Wednesday memorandum, which gives the NSA the same type of authority over agencies operating national security systems that the Cybersecurity and Infrastructure Security Agency (CISA) has over civilian agencies, is either an example of the administration delivering on its promise to bolster cybersecurity or an example of it being a little slow putting teeth to the executive order the president signed last spring. Or maybe it’s both.
“The SolarWinds intrusion that ravaged government networks occurred in December of 2020. The Biden administration published Executive Order 14028 (Improving the Nation’s Cybersecurity) in May of 2021, yet we are just now seeing guidance for National Security Systems,” said Rick Holland, CISO, vice president of strategy at Digital Shadows. “Given the threat landscape and the urgency to build defensible and resilient government networks, I’m surprised that the directive has taken this long to come out.”
But better late(ish) than never. “The NSA has a great deal of expertise in the domain of cybersecurity, and further empowerment of this agency to advise, support and direct the broader mission is likely to mitigate risks to our nation’s information system infrastructure,” said Tim Wade, technical director, CTO team, Vectra. “This order reflects the consensus that technology reflects a critical war front in today’s digital age and one of national importance.”
Biden’s directive, bearing the officious name National Security Memorandum 8, “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems,” implements the portion of last spring’s EO 14028 that set out cybersecurity requirements for national security systems (NSS): the systems, sprawled across the federal government, that contain classified information or are crucial to military and intelligence activities. The memorandum named General Paul M. Nakasone, who serves as Commander of U.S. Cyber Command, Director of the NSA and Chief of the Central Security Service, as national manager for NSS.
“We stand ready to fulfill our role, and our responsibility, in securing our nation against foreign malicious actors, and any efforts to exploit our national security systems,” Nakasone said in a release.
Nakasone’s authority will include the ability to issue binding directives to the agencies and departments operating NSS. Those directives can require agencies to take action against specific cybersecurity threats and vulnerabilities and to report their mitigation actions and assessments back to the national manager. Biden’s guidance also requires those agencies to alert the national manager to any suspected NSS incidents and compromises.
“The new authorities will provide us with the necessary cybersecurity visibility into our most important systems,” Rob Joyce, NSA Cybersecurity Director and Deputy National Manager for national security systems, said in the release. “This new insight will allow us to identify vulnerabilities, detect malicious threat activity and drive mitigations to better secure all national security systems.”
Designation as a National Security System (NSS) does not by itself make a system “far more secure” than its unclassified or private sector counterparts. “‘Military grade’ isn’t always synonymous with better or more secure,” said Holland. “Protecting classified systems has many of the same challenges that we all face. The memorandum highlights asset discovery, logging, zero-trust, incident response, which are universal and perennial opportunities for improvement.”
The memorandum also compels federal entities to modernize the encryption protocols used on those systems.

“This seems like a straightforward directive to create solitary authority and control of these types of systems so one person can be accountable and responsible for protecting it,” said John Bambenek, principal threat hunter at Netenrich. “These systems contain the most sensitive information there is and it’s important that there is ‘one throat to choke’ when there are failures.”
According to Holland, the exception management process will make or break the memorandum.
“There are lofty goals around multifactor authentication and encryption. If an agency cannot meet the timelines, they can request exceptions,” he explained. “How these exceptions are assessed and validated is critical; if the national manager doesn’t challenge exceptions and hold agencies accountable, much of this memorandum will be a paper tiger.”
While recent cybersecurity-oriented initiatives coming out of the Biden administration “are great,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, “the reality is that cyberattacks are happening now and we must act fast to reduce the risks of a major catastrophe happening sooner rather than later.”
Security teams must address overarching issues and prioritize their actions according to importance or criticality. “We must prioritize what we can do now and what we must do in the future. We must look to accelerate the need for skilled workers in cybersecurity and fast-track them into the industry as the skills shortage is only getting larger,” said Holland. “Cybersecurity is no longer just an industry issue. It is one that can impact all of society; that means cybersecurity training is needed for everyone to reduce the risks from cyberattacks. Cybersecurity is no longer just a career path. It is an essential skill in today’s digital society.”