Achieving Ecosystem-level Cybersecurity: A U.S. Policy Perspective

June 11, 2024


In today’s era of technological innovation, devices, networks and data are interconnected in a vast digital ecosystem. What organizations build in this ecosystem can affect others in it — for better or worse. We are at an inflection point when it comes to systemic challenges to the resiliency of our digital ecosystem and public policy solutions needed to address them.

Year after year, major cyber incidents perpetrated by nation-state threat actors affect government agencies and our national security. These incidents target specific agencies and government data repositories to further strategic geopolitical aims. Adversaries are evolving their techniques, logging in with legitimate credentials, automating their attack methods and adopting ransomware as a service and other malware as a service.

We’ve seen significant disruptive breaches in the past few years. What stands out most, however, is how much worse some could have been. Under different geopolitical circumstances, adversaries might have deployed wipers or ransomware-like attacks across thousands of possible victims. Consequently, impact to the victims was determined by the adversary’s prerogative — not any limitation to their access, resources or know-how. Such access is a key component in adversaries prepositioning for future attack opportunities.

The reality is, major cybersecurity incidents resulting in data breaches, services disruption and national security consequences occur with such regularity that policymakers are inundated with tactical demands. These demands pose critical questions about IT hygiene, security best practices and resourcing. This means less time is spent on long-term strategic issues like achieving cyber resiliency in our digital ecosystem.

In this blog, we discuss recent policy developments and promising initiatives built to strengthen cybersecurity across the vast digital ecosystem in which government and private sector organizations operate.

Overview of Recent Policy Developments

Within the government, which often sets the tone for broader parts of industry, we have seen recent positive developments in cyber policy:

  • The Executive Order on Improving the Nation’s Cybersecurity: The EO, a significant effort from the administration to strengthen federal IT infrastructure and security, outlines key measures to strengthen federal agencies’ cybersecurity and codifies industry-leading best practices. [1]
  • The National Cybersecurity Strategy: This began shifting the burden of security from would-be victims to organizations better suited to provide security. [2] It also prioritizes long-term investment in cybersecurity and coordination among agencies and the private sector.

Critically, we’ve also seen promising initiatives aimed at improving the ecosystem as a whole:

  • Secure by Design principles [3] have been developed by CISA to promote the notion of security being part of product design and implemented by default. Secure by Design is a significant section of the National Cybersecurity Strategy and aligns with the goal of shifting the burden from would-be victims to those best suited to provide security. CISA recently launched a Secure by Design pledge, which CrowdStrike signed, to demonstrate measurable progress in securing products. [4]
  • The concept of Software Supply Chain Security was propelled forward by the EO and the Office of Management and Budget’s subsequent guidance [5] directing federal agencies to use software that was built following cybersecurity best practices.
  • The concept of Open Source Software Security recognizes that all parts must be secure for the sum to be secure as well. CISA has published an Open Source Software Security Roadmap [6] to begin driving the community toward securing foundational open source software.
  • Software Bill of Materials, commonly known as SBOM, [7] which, due to its ability to illuminate individual software components, has become a potential tool in tackling software supply chain risk management. [8]
  • Leveraging Memory Safe Languages can preemptively reduce a common attack surface. CISA and international partners have worked alongside the Secure by Design campaign to address vulnerabilities rooted in programming languages. [9]

These developments set a policy foundation for creating a more resilient architecture for our digital ecosystem. They are designed to improve the quality of the materials we use to construct this architecture and to help us verify the source of these materials. Now, it’s time to focus on how we implement these materials to build in a resilient way. A resilient digital architecture should be able to weather a storm, rather than collapse in the face of an incident.

From the groundwork laid by these initiatives, policymakers are in a strong position to tackle the next ecosystem-level cybersecurity challenge: concentration risk.

The Next Major Structural Problem to Solve

Many government entities are extraordinarily reliant on one major vendor. Their IT stack may include a single provider for operating system, cloud, productivity, email, chat, collaboration, video conferencing, browser, identity, generative AI and, increasingly, security. This means the building materials, the supply chain and even the building inspector are all the same. If that provider fails, the consequences for its users could be catastrophic.

If that one vendor’s security culture is inadequate, the vulnerability it creates is comprehensive, and that is dangerous. [10] An example of this poor security culture can be seen at Microsoft, according to the Cyber Safety Review Board, which reported on the July 2023 breach by Chinese state actors. A subsequent breach by Russian state actors occurred in November 2023 and went undetected until January 2024. [11]

When viewed as one-off incidents, these problems seem as if they come and go. However, history reveals the problem is deeply rooted. A quarter century ago, the original edition of George Kurtz’s book Hacking Exposed described the GoldenTicket authentication vulnerability. By 2020, a related attack dubbed GoldenSAML permitted Russian nation-state actors to access sensitive government systems. The latest iteration, dubbed GoldenMSA, was a key feature of last summer’s Microsoft Exchange breach. What began as an impact on LocalHost now operates at cloud scale. An adversary getting the keys to a house has evolved into adversaries getting keys to the kingdom and, ultimately, becoming the locksmith. All the while, more and more critical services are unlocked with these keys.

The community is beginning to assess these problems in a more concerted way. In May 2024, we participated in a tabletop exercise hosted by the Center for Cybersecurity Policy and Law to assess how IT stack concentration risk might affect federal agencies during an attack. [12] In that scenario, an agency using one vendor fared far worse than an agency with multiple IT providers. Of course, that was one scenario, and as we know, conditions change and adversaries adapt. But it’s clear more rigorous attention is necessary.

What We Can Do

Organizations need visibility into the threats they face. The status quo results in the threat of concentration risk remaining opaque until the adversary has done damage. We now have an opportunity to take this problem more seriously. The next steps are fairly clear, as evidenced by the aforementioned report by the Center for Cybersecurity Policy and Law. [13]

The Office of the National Cyber Director (ONCD) has demonstrated its ability to tackle complex issues and improve the way the U.S. government manages cybersecurity risk. Given its placement in the White House, ONCD is well-suited to task federal agencies such as CISA, the Department of Defense and GSA to examine and address concentration risk across agencies.

NIST, the authoritative developer of rigorous standards across IT risk and security, already has concentration risk on its radar. In guidance stemming from the EO on Improving the Nation’s Cybersecurity, NIST identified a concentration of products or services from a single supplier as a condition in the supply chain that could cause vulnerabilities. [14] However, existing references are minor and lack definitions, so a more comprehensive look is warranted. Everyone — including organizations referenced in this post — should contribute to this dialogue by providing Request for Comment responses.

A thorough list of best practices, a framework or a controls document could help federal CISOs and IT risk managers address this type of problem. Adoption of such a framework or standard in the federal space would encourage broader enactment throughout the IT and critical infrastructure communities.

For its part, the National Security Council could build on the previous cyber EO by tasking NIST and other agencies to action these recommendations.

Congress, especially Congressional Oversight committees, should investigate and assess concentration risk across agencies. Given the significant risk successful cyberattacks pose to national security, this action is within Congress’s purview.

We can no longer tolerate solutions or architectures that risk crumbling from a single point of failure. To address this problem holistically, defenders must have a means to measure concentration risk in IT stacks.

As a community, we should have confidence that we are improving the long-term resiliency of our digital ecosystem. We must not leave consequential, strategic policy challenges — like addressing IT stack concentration risk — unmet for yet another day.

Additional Resources

  1. Executive Order on Improving the Nation’s Cybersecurity (May 2021) https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  2. National Cybersecurity Strategy (March 2023) https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
  3. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure Design Software (Oct. 2023) https://www.cisa.gov/resources-tools/resources/secure-by-design
  4. Secure by Design Pledge (May 2024) https://www.cisa.gov/securebydesign/pledge
  5. Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (Sept. 2022) https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
  6. CISA Open Source Software Security Roadmap (Sept. 2023) https://www.cisa.gov/sites/default/files/2024-02/CISA-Open-Source-Software-Security-Roadmap-508c.pdf
  7. Framing Software Component Transparency: Establishing a Common Software Bill of Materials (Oct. 2021) https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf
  8. Software Bill of Materials (SBOM) Sharing Lifecycle Report (April 2023) https://www.cisa.gov/sites/default/files/2023-04/sbom-sharing-lifecycle-report_508.pdf
  9. The Case for Memory Safe Roadmaps (Dec. 2023) https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf
  10. Review of the Summer 2023 Microsoft Exchange Online Intrusion (March 2024) https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf
  11. Microsoft Falls Victim to Russia-Backed ‘Midnight Blizzard’ Cyber Attack (Jan. 2024) https://www.darkreading.com/threat-intelligence/microsoft-falls-victim-russian-midnight-blizzard-cyberattack
  12. Addressing Concentration Risk in Federal IT (June 2024) https://www.centerforcybersecuritypolicy.org/insights-and-research/addressing-concentration-risk-in-federal-it
  13. Addressing Concentration Risk in Federal IT (June 2024) https://www.centerforcybersecuritypolicy.org/insights-and-research/addressing-concentration-risk-in-federal-it
  14. Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (May 2022) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf