Since the Biden administration took office in the US, cybersecurity has been a top government priority. Major cyber attacks such as the SolarWinds and Colonial Pipeline incidents have accelerated the need for better security intelligence and greater cyber resilience. The US government has already hardened its critical infrastructure by implementing a strict zero-trust protocol, and it has also established clearer baseline response, action and reporting guidelines for cyber incidents. The Department of Defense (DoD) has even introduced Cybersecurity Maturity Model Certification 2.0 to ensure contractors and third parties have sufficient cybersecurity standards in place.
On March 15th 2022, the Strengthening American Cybersecurity Act was signed into law by President Biden, a $1.5 billion funding bill to improve virtual reporting across the board. In this blog, we’ll take a look at what the act is, how it works, which businesses it will impact and how it will impact them. We’ll also review best practice security measures, and discuss the role of compliance-driven initiatives in pursuing positive outcomes.
The Strengthening American Cybersecurity Act comprises multiple bills that are designed to reduce threats to critical infrastructure and federal government. Any organization operating in industries deemed critical to running the country, such as finance, energy, transport, agriculture, manufacturing and more, will now have to report significant cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. If it’s a ransomware attack and the ransom is paid, organizations must make the report within 24 hours.
However, there’s much more going on between the lines than the new reporting requirements. The act also contains bills to modernize information security, including the use of penetration testing and threat hunting to identify, deter and minimize the risk of threats. The National Institute of Standards and Technology (NIST) will also see its role expanded, partnering with industry stakeholders to develop new frameworks to improve the security and integrity of the technology supply chain.
There’s a strong case to be made that the Strengthening American Cybersecurity Act is simply a reaffirmation of cybersecurity best practice, and that’s something a compliance-driven approach can help with.
In essence, this act will impact any business that sees the US government as a potential customer, effectively increasing the “cost of doing business” by raising standards for cybersecurity across the board. These standards will not only impact federal agencies and critical infrastructure organizations directly, but potentially other businesses along their supply chains too.
There is certainly an argument to be had about whether this new act is simply a reaffirmation of existing cybersecurity best practices – things that the majority of organizations should have been doing all along. The question is whether it’s right to wait for legislation, or whether companies should be getting ahead of the curve and using their initiative to increase their own security posture anyway – and this is where compliance-driven security comes into play.
Compliance and security aren’t the same, but they are intrinsically linked. Businesses that orchestrate themselves in a compliance-driven manner are always looking ahead, preparing themselves for audits using automated monitoring and reporting tools. Those that embrace a compliance-driven mindset are already well-versed in some of the things being asked of them by the Strengthening American Cybersecurity Act, so they should be able to adhere to the new regulations and requirements with greater ease.
By taking a compliance-driven approach to security best practice, businesses give themselves a checklist of proactive and preventative steps to take instead of needing to run around putting out fires as they occur.
This is a precursor to what we at SureCloud would refer to as continuous compliance, a threat-centric and holistic approach to best practice that leverages tools such as automation to ensure requirements are met on an ongoing basis.
So, the question then becomes how businesses bridge the gap between theoretical compliance (i.e. how compliance initiatives and objectives look on paper) and practical compliance (i.e. how those objectives are met and what tooling is put in place). For instance, having specific controls in place to minimize risk is a good objective and one that’s relatively easy to meet, but if a business doesn’t stress-test those controls, it can’t determine how effective they are. In this instance, the objective might have been met “on paper”, but without the testing, it’s just a superficial tick in a box.
This compliance-driven approach also allows companies to prioritize their risk efforts and better manage their investment into risk management.
It’s no good spending $10 to protect a $1 asset. Organizations should be looking to optimize their compliance with various regulations in a way that maximizes their own security posture.
For instance, let’s say an organization wants to embed a risk-driven approach to security that complies with ISO 27001. Implementing controls to optimize security management is one thing, but that organization will need to apply its own expertise when it comes to which data assets require the best protection. It’s no good spending $10 to protect a $1 asset. This level of optimization and customization is not something that can be legislated for – so it’s up to businesses to comply with the best practices outlined in the Strengthening American Cybersecurity Act in a way that works for them.
Penetration testing has been a core part of cybersecurity architecture for a number of years, so its inclusion in the Strengthening American Cybersecurity Act is to be expected. Penetration testing, or “pentesting”, is an exercise where a security expert will attempt to find and exploit vulnerabilities in a computer system. It’s a simulated attack that highlights weak spots and exposes vulnerabilities, hopefully before a real attacker can take advantage of them.
While penetration testing looks for scenarios that could lead to a data breach, threat hunting uncovers threats in real-time and then works backwards to pinpoint the vulnerability.
What’s more interesting about the act is the inclusion of something called “threat hunting”, which is less well-known. Unlike penetration testing, which simulates an attack to tell how threat actors could get onto your network, threat hunting does away with the simulation element and tells you what is already in your network and what it’s doing.
It’s a form of proactive vigilance that looks at a breach, and then works backwards to determine how the attacker gained access to your network and how future attackers can be prevented from using the same exploit. Used in conjunction with one another, penetration testing and threat hunting offer an incredibly robust way of ensuring optimum defense at all times so it’s great to see them both incorporated into the new act.
To learn more about the Strengthening American Cybersecurity Act, and get insights from our panel on compliance-driven best practice, watch our latest webcast on the subject here.