NSTAC to Examine Security of Cloud-Service Providers
The Biden administration Thursday directed the President's National Security Telecommunications Advisory Committee (NSTAC) to explore principles for baseline security offerings from cloud-service providers, with a report expected in May. NSTAC met Thursday, and Anne Neuberger, deputy national security adviser for cyber and emerging technology, asked for the cloud-security report.
NSTAC also heard an update on a report by its Measuring and Incentivizing the Adoption of Cybersecurity Best Practices Subcommittee, which found many companies and organizations aren’t adopting or fully implementing cybersecurity best practices and standards.
“Cloud-based services enable better and more economical cybersecurity practices, at scale -- the reason we’ve been making that push across the federal government as well,” Neuberger said: “But they are also essential to operational resilience across many sectors.” The proposed study “will help identify what steps should be taken to enable more security by default across cloud providers,” she said. These providers “have an obligation to begin security offerings,” she said.
The U.S. continues to see attacks on critical infrastructure from criminals and nations, like Iran, Neuberger said. “As this group knows better than most, defense is harder than offense,” she said: Defense needs to guard against "every potential vulnerability, every potential point of entry. Offense only needs to find one.” In the past week, Iran-affiliated hackers targeted an Israeli-made control device used in U.S. water systems, she noted.
Meanwhile, the third ransomware attack this year of a major U.S. healthcare system occurred last week, Neuberger said. It forced patients to be diverted from emergency rooms, shuttered rural clinics and jeopardized “healthcare delivery to a broad geography of Americans,” she said. Attackers exploited a security flaw more than a month after it was added to a list of known vulnerabilities, she said. “Incidents like these truly are avoidable,” Neuberger added.
Failure to implement best practices means a higher likelihood that attacks will succeed, said Tenable co-founder Jack Huffard, who co-chairs the measurement subcommittee. “Existing market forces have been insufficient to incentivize the adoption of these cybersecurity best practices and standards at the level needed to meet the evolving cyber-threat landscape,” he said.
Lack of adoption is “especially problematic” given the heightened threat level and “current geopolitical environment,” Huffard added. The subcommittee started its work in June and has received some 50 briefings from experts, he said. The government and private sector possess a significant amount of cybersecurity data that could be used to “baseline and support more effective measurements and metrics,” he said.
The subcommittee also found that metrics that are “tied to business outcomes” are more effective than those that aren’t, Huffard said. Strengthening security depends on the ability of policymakers to “make risk-informed decisions on the most effective solutions available when allocating limited resources,” he said. “Objective measurements, combined with poor metric literacy, lead to ineffective decision-making,” he said. Duplication or conflict with regulatory requirements “can impose significant burdens” on “budgets, resources and priorities,” he said.
The subcommittee also found that civil, criminal and regulatory liability, as well as the threat of reputational harm, “are barriers to information sharing” and that liability protections can encourage sharing, Huffard said. The lack of qualified employees and of resources to recruit and retain them “are consistently cited as barriers to both adoption and measurement of cyber best practices,” he said.
The subcommittee's work is on a “very timely topic, aligned with our priority to ensure minimum cybersecurity requirements exist across all of our critical networks,” Neuberger said. Measurements are important, she said. People shopping for a home-alarm system, baby monitor, a personal fitness tracker or router “care about security,” she said. “They know these devices can be used potentially to disrupt service … and they also are sensitive as to what these devices can report,” she said.
The Office of the National Cyber Director is focused on implementing the president’s March national cybersecurity strategy (see 2303020051), said Drenan Dudley, acting national cyber director. An implementation plan includes 69 initiatives and “all of them are well underway,” she said. The office plans an updated implementation plan in the spring, she added.