Cyber Bytes: White House National Cybersecurity Strategy Document
In the next installment of Sounds Good's Cyber Bytes series, Tracy Ross and the director of Murray State's Cyber Education and Research Center, Dr. Michael Ramage, discuss the White House's recently released national cybersecurity strategy document.
"Different administrations over time have released different aspects of cybersecurity and had initiatives to do this part or that part, but this is really as comprehensive of a strategy as we've ever seen from the White House. I think it has the potential to really change the way we do cybersecurity from a government, military, critical infrastructure, and private sector standpoint," Ramage begins.
"From a critical infrastructure and private sector standpoint, there are a couple things that have happened [prior to the document's release]," he continues. "One, a couple years ago, Colonial Pipeline got hit with ransomware. Ransomware had been a nuisance, but it hadn't really gotten the attention of the White House until then because gas prices started to go up. It was critical infrastructure. Things started to happen that hurt the president's approval rating, for lack of a better term. Then, they started talking."
"I think the Russian-Ukrainian war has had an impact as well. With our sanctions on Russia, Russia has—and we've talked about this before—started looking for other means of bringing in revenue. Ransomware can be a part of that. That has so many layers—it's not just ransomware, it's other cyber attacks as well. But those two things came together. There's a lot of political help that's going to be needed. Our Congress is split. It's going to take folks on both sides now."
Ramage outlines several of his key takeaways from the document. The first is around critical infrastructure. "There is a lot of critical infrastructure in our country that's not protected very well. This is going to put an emphasis on that. One of the pillars adheres to truly disrupt and dismantle the threat actors, which reads like, 'let's go on offense instead of continuing to play defense,' which is really interesting. The third pillar is the one that I find the most interesting, and for the people who are going to be listening to this conversation, number three is going to be the place where they see it the most."
"Pillar number three: shade market forces to drive security and resilience," Ramage says. "That says a lot about data privacy. If you look at the European Union, they have a data privacy law, and there's a lot of protections for individual citizens. A handful of states have that, but we, as a nation, do not have data privacy protections. Not only do we not have these same privacy protections that the EU has, the punishment if you don't keep the data protected as the provider or company aren't as strong as they should be. The burden isn't placed in the right way. This is going to try to hold the stewards of data accountable."
Ramage references small businesses who often hire managed service providers to maintain the business' data privacy. "But not all MSPs are built the same," he cautions. "If you're an electrician, there's a standard you have to meet to be a licensed electrician. In the MSP world, there is not. It is how well you sell, how well you provide services for your customers—but if the customers don't know what those services should look like, it's up to you to define that. This is going to hopefully define some of these rules around what technology providers should be providing from a security standpoint."
"Ultimately, we need a data privacy law in this country. Sure, we need one in Kentucky, but it's not really about Kentucky or Illinois or Tennessee doing it. It's about having something that's consistent across 50 states. Right now, if you're operating in California and Illinois and Kentucky and Tennessee, then you're beholden to four different laws with four different structures. It impacts Murray State because we have students in multiple states. It would be really nice to actually have a consistent framework across the country, but that would require Congress to act."
"I know that everything that's in this strategy isn't going to be implemented. Nothing is going to be perfect. But I think what's good about this is that there's a direction that we have. There's a strategy that's been put together. And if we can implement at least pieces of these, our country, critical infrastructure, and the average person who's doing business who's sharing their information with companies online, expecting those companies to keep them safe, will be safer as well," Ramage concludes.
For more information on the cyber security program Ramage heads at Murray State, visit its website. You can also read the full White House document or other Cyber Bytes installments by clicking either link.