The White House released its National Cybersecurity Strategy laying out a path to resilience in cyberspace focused around five key pillars:
The scope of the strategy is far and wide, impacting everything from federal agencies and large enterprises to local governments and small businesses. As acting National Cyber Director Kemba Walden said, “The President’s strategy fundamentally reimagines America’s cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
In reading through the strategy, it became clear that there is a significant potential for MSPs, MSSPs, and others in the channel to take the lead in protecting these underserved groups. Although it will take months or years for the strategy to be formalized into policy, regulations, and other initiatives, those who take steps now will be well ahead of the curve.
In this blog, we focus on how the National Cybersecurity Strategy might impact the channel, aligning our insights to each of the key pillars laid out in the document.
This pillar focuses on instilling “confidence in the availability and resilience of [our] infrastructure and the essential services it provides.” Throughout the strategic initiatives, it’s evident there is a focus on creating additional regulatory requirements, especially for IaaS (Infrastructure-as-a-Service) and cloud providers to tilt the balance from ease and simplicity to security.
Traditionally, a more secure system increases the complexity of configuration, management, and operations. Depending on the approach providers take, this could result in a greater need for consulting or outsourcing these functions to experienced professionals. That said, the strategy also highlights how affordability of security can vary greatly by sector, which “requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.”
In essence, the strategic objective says that implementing cybersecurity practices can have varying costs across industries. The channel can play a significant role here by helping to make security more affordable for businesses of all sizes.
Another strategic objective is centered around the need to update federal incident response plans and processes. This holds true for businesses of all sizes, who should concurrently refresh their own plans and, if incident response is not a core competency, look for a trusted partner.
The final strategic initiative in this section—modernize federal defenses—also highlights the federal government’s commitment to a Zero Trust architecture strategy and Zero Trust principles. MSPs and other channel companies should follow suit, leaning into capabilities such as Todyl’s Secure Access Service Edge (SASE) module to accelerate adoption.
In this pillar, the focus is clear: “The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interest.” Although how this plays out remains to be seen, there is the risk that such a strong stance could result in escalation of threat activity from nation-state threat actors.
That said, the strategy also highlights the need to increase the speed and scale of intelligence sharing and victim notification. Many means, methods, and processes currently exist for intel sharing, however, quality and normalization is a challenge. If access is increased to threat intelligence with a more standardized approach, for example the ability for SMB firewalls to easily hook into a government managed intelligence feed, this could improve prevention capabilities. This can impact the channel in many ways; however, one thing is clear: intelligence providers will need to evolve and threat actors may follow suit. As Indicators of Compromise (IOCs) become more broadly distributed, threat actors will likely evolve attacks in an accelerated game of cat and mouse. It's yet to be seen how this will impact the $10B+ threat intelligence market, but change is coming.
However this pillar unfolds, it’s important to take proactive steps now to strengthen security postures to reduce the likelihood of a successful attack.
Much of this pillar focused on “[shifting] the consequences of poor cybersecurity away from the most vulnerable, making our digital ecosystem worthy of trust.” A big piece of this will be holding vendors accountable to follow secure software development best practices.
This pillar received the strongest response from the community, mainly around the third strategic objective to “shift liability for insecure software products and services.” Rebalancing who is in control of cybersecurity is no small challenge. That said, enforcing adherence to practices such as the NIST Secure Software Development Framework would be difficult to enforce. We’re keeping a close eye on how this evolves as we’re excited about the intent and curious of the implementation.
At a high level, more secure systems typically mean more complexity. This will increase the need for small businesses and mid-market companies to leverage service providers such as MSPs to securely implement, monitor, and manage technology, whether it’s a security product, IaaS, cloud, or other technology.
This pillar also emphasizes the need to secure Internet of Things (IoT) and operational technology (OT). Here, the strategy outlines a labeling program that should incentivize better security across the ecosystem by increasing transparency.
Extending this out, it could open doors for better integrations with Security Information and Event Management (SIEM) or other similar tools to provide much-needed transparency and a single source of truth, as opposed to creating a separate ecosystem focused on IoT and OT. If providers go this route, it will open the doors for significantly better visibility and threat detection.
Another key part of Pillar Three is the use of federal grants and other incentives to prioritize security. This not only can fuel innovation, but it can also provide funding to different sectors or businesses to bring in outsourced experts, such as MSPs or MSSPs, to help improve security programs. By making security a core competency now, these businesses can position themselves for a potential windfall in the form of grants.
With Pillar Four, the focus is the future and how the government can, through investment and collaboration, become an innovator in secure and resilient technologies as well as infrastructure. This is especially important with the significant changes brought by the increased availability of artificial intelligence and quantum computing.
The first strategic objective here is to secure the technical foundation of the Internet. Here, they explicitly mention several pervasive concerns, including:
As part of this Pillar, the strategy lays out areas the Federal Government will make strategic public investments into innovation, R&D, and education. The key areas of investment include:
The Federal Government will also lead the charge to prepare for our post-quantum future. As mentioned in the document, they encourage the private sector to follow the government’s model, leveraging their efforts to prepare their own networks and systems.
Across all these initiatives, it’s clear that the increased investment flowing into innovation and R&D, along with the focused strategic objective of strengthening our cyber workforce, will help build the next generation of cybersecurity talent. We expect that there will be widespread availability of training programs to rapidly grow the security workforce.
That said, it won’t be a flip of the switch. Businesses need support now. By working with Managed Detection & Response (MDR) providers or other outsourced 24x7 SOCs, you can bridge the gap while keeping costs low through economies of scale.
In this pillar, the primary impact for the channel is to increase information sharing and ensure the global supply chain is secure. A large part of this is building coalitions around the globe to share information with one another. Based on this, you can again expect that threat intelligence and related information should be more widely available and accessible, helping to ensure “known, knowns” are easy to prevent and detect.
Security is a never-ending journey. Likewise, the evolution from a strategy document to regulations, policy, funding, and frameworks will continuously evolve over time. That said, the insights provided in the White House’s National Cybersecurity Strategy should serve as a north star for others to track towards.
Some steps businesses can take now include:
The objectives outlined within the document align with Todyl’s mission of empowering businesses of any size to operate an end-to-end security program. Our entire organization remains committed to making enterprise-leading capabilities available and accessible to all. We offer many different modules to help businesses on their security journey.
If you’d like to learn more about how Todyl can help elevate and simplify your security journey, contact us today.