A national cybersecurity infrastructure is possible—here’s how

The lack of a cohesive national cybersecurity infrastructure needs to be addressed, IT Brew was told by multiple security experts.

The federal government needs to step up and present businesses and state agencies alike with a standardized set of regulations and principles to help lower the likelihood of attacks and boost recovery efforts, Jordan LaRose, global practice director of infrastructure security at NCC Group, said. It’s long overdue, he added.

“We’ve seen some breaches of government employee information over the past couple of years,” LaRose said. “So, it’s definitely a good time for implementing it.”

Threat actors have multiple avenues of attack against US public and private systems in large part because there is no unifying approach to security. LaRose told IT Brew that means it’s time to get everyone on the same page.

“One of the first things to do is to make sure that there’s a coordinated strategy across all of these government offices and organizations in terms of information security,” LaRose said.

Critical issues. Mark Bowling, chief information security & risk officer (CISRO) at ExtraHop, told IT Brew that CISA has identified 16 critical infrastructure sectors that need to be protected, among them healthcare, banking and finance, electrical power distribution, and more. All have their own unique aspects and need unique consideration.

Bowling said that confidentiality, integrity, and availability make up the tactical triad that’s necessary for ensuring you’re taking care of security.

“When you talk about infrastructures, you actually have to take each one of them individually, based on the regulatory concerns,” Bowling said.

Public and private. Cybersecurity infrastructure is currently spread across the public and private sectors, said Luke Tenery, partner at StoneTurn. Tenery told IT Brew that diffusion is both a blessing and a curse, with some private enterprises like utilities being necessary critical infrastructure with national security implications and therefore requiring public sector protections.

“Some of those are partially private, partially government regulated,” Tenery said.

After a spate of attacks in recent years, including the notorious SolarWinds hack, there’s a real need for a coherent approach to the problem.

“If you’re familiar with the CIA, NSA, or basically any security organization that helps protect critical infrastructure, that’s been a great success story in terms of the government’s support of cybersecurity for critical infrastructure, public–private partnership, and sharing information to be more resilient,” Tenery said. “It’s just, how do you expand similar initiatives with shortages and talent shortages and funding to maximize that level or similar levels of effectiveness?”

NCC Group’s LaRose thinks the ideal way to make that work would be an executive order requiring zero trust across all networks in order to measure risk and assess risk and user privileges.

“Implementing that kind of zero-trust strategy as a sort of proactive measure, but one that we can benefit from that’s both proactive and reactive,” LaRose said.

Update 07/19/23: This story has been updated since it was first published.