The government just released its new National Cybersecurity Strategy built around five pillars:
I have many thoughts and inputs on each of these pillars and will address them in individual installments to keep them easily digestible. I believe vigorous debate on these issues is important so we can achieve the best possible outcomes in each of these lines of effort. Implementing strategy is when the hard work begins and the stakes couldn’t be higher with this topic. We have to get it right.
There are 16 sectors in the US economy considered vital to US interests and, as such, are considered critical infrastructure. There are many things to think about here, but I want to address two up front. First, it’s important to recognize that critical infrastructure in the US is overwhelmingly owned by private industry. As anyone in business knows, there is a cost/benefit analysis that goes into all decisions. Cybersecurity is not immune from that cost/benefit analysis. Second, when ensuring “minimum cybersecurity requirements” as the strategy states, the federal government needs to ensure the minimum standards are robust, consistently reviewed, and updated as appropriate. The realities of the first point dictate that businesses will keep costs low and some will only meet minimum standard guidelines. Hence the need for the second point, to ensure standards will be sufficient for the new vulnerabilities of tomorrow, the ones of which we are not yet aware. The strategy discusses harmonizing conflicting and duplicative regulation, but hardly acknowledges that the “speed of regulation” will never keep pace with the “speed of the threat”.
Given the interconnected nature of industry and government agencies throughout critical infrastructure, any weak link presents vulnerabilities to others. Minimum standards will not stop the attacks of tomorrow. Further, woven throughout critical infrastructure sectors are Operational Technology (OT) devices that provide valuable information enabling efficiencies previously unimagined. The strategy acknowledges we need to ensure OT is addressed as robustly as Information Technology (IT). As dissimilar as they may be in function, they are equally vulnerable and can present attack vectors to malicious actors because OT and IT share a common communications link between them: Application Programming Interfaces (APIs).
To be clear, I think the strategy is a step in the right direction. It’s the outcome of the recognition that cybersecurity has become critically important to our national security. Converting the vision into specific actions that will result in measurable improvements is the hard part. Many agencies have aging infrastructure, patched and added to through the years, with bolt-on hardware placed into service at various times to solve specific problems in the past. They have disparate datasets and programs developed using different languages. To meet emerging missions and customer needs, new applications have been developed, improving operational output and increasing services. But how does it all connect? The common communications link between them all is, once again, APIs.
The US needs creative solutions to help secure current and future critical infrastructure and assets at affordable prices. Taking a decade to remove legacy systems that can’t support Zero Trust provides years of opportunity for malicious actors to maneuver. Given the significant role that APIs play in today’s technology environment, they are a logical focal point for security. API security has not just become a requirement, but it also provides an economical and creative solution to other problems such as visibility: helping to identify what’s in your network, what data is being moved, by whom, and where critical data lies.
We must aggressively pursue a stronger cybersecurity posture across government, critical infrastructure, and ultimately all industries to protect sensitive data and remain competitive for the foreseeable future. A trusted partner like Noname can help by providing robust, cost-effective API security to help fill a cybersecurity gap now.