
Tenable Blog


As a Busy 2021 Draws to a Close, What is Capitol Hill Focusing on Next?

Cybersecurity priorities like zero trust, infrastructure security and more must remain top of mind for Congress in 2022 

2021 has proven to be a big year for cybersecurity. Zero trust, a concept introduced 10 years ago, suddenly gained attention as the next hot cybersecurity solution. Congress made important strides toward securing our physical and digital infrastructure through the bipartisan infrastructure bill. The nation improved its international cybersecurity cooperation. And the Senate confirmed the first-ever National Cyber Director. So, as we look toward next year, which cybersecurity issues will Capitol Hill focus its attention on next?

Zero trust

Zero trust is emerging as the favored approach for tackling many of today’s cybersecurity issues. Capitol Hill will undoubtedly turn its attention to zero trust frameworks within cyber infrastructure as more federal agencies move toward zero trust models in response to President Biden's Executive Order 14028 on improving the nation’s cybersecurity.

As more agencies move toward zero trust, Congress should provide guidance to ensure that all agencies can be successful in their zero trust strategy by requiring agencies to have full visibility into their connected devices and a strong risk-based vulnerability management program to ensure that dangerous threats are taken care of quickly.

What it means for cybersecurity leaders

Developing and implementing a zero trust architecture is not as easy as flipping a switch. Starting a zero trust journey requires taking a hard look at your organization's cyber hygiene practices and considering security tools that enable you to continuously monitor and verify every attempt to request access to corporate data at all levels, whether that's a device, app, user or network attempting to make that connection.

Infrastructure security

As Congress works toward passing the bipartisan infrastructure bill, a truly once-in-a-generation opportunity to modernize the nation's physical and digital infrastructure, state and local governments (SLGs) are seeing an unprecedented level of cyberthreats. And Americans are worried. A recent study by the Pearson Institute and The Associated Press-NORC Center for Public Affairs Research shows that two-thirds of Americans are "very" or "extremely concerned" about a cyberattack involving their personal information, financial institutions, government agencies or utilities. Developing cybersecurity plans as part of grant eligibility requirements for state and local governments is imperative to protecting our most valuable – and critical – infrastructures. This should not be controversial – why spend money upgrading the backbone of our society if we're going to leave the door open for digital adversaries? Why update the power grid to be able to handle more extreme weather, only for it to be taken down by hackers?

Unfortunately, as we saw earlier this year, the nation's critical infrastructure and its operators are top targets for criminal groups, adversaries, and lone hackers. According to a recent PwC Global Digital Trust Insights Survey, half of organizations say they expect to see more cyberattacks in 2022 than this year. Securing our SLG networks increases the nation's cybersecurity and Congress must commit to providing SLGs with additional tools and resources to implement strong cyber plans. As Congress continues to debate the broader infrastructure package, it must not lose sight of cybersecurity efforts across the board.

What it means for cybersecurity leaders

The ability to disrupt attack paths takes on greater significance when you consider the potential for attackers to move laterally between IT and operational technology (OT) environments. Without visibility into the entire attack surface — including IT, OT and internet of things (IoT) — protecting critical infrastructure will remain a challenge.

International cybersecurity cooperation 

Ransomware attacks against critical infrastructure, such as the energy sector, have increased substantially over the past two years. Such attacks, which have resulted in hundreds of millions of dollars spent in ransomware payments, are increasingly being recognized as national security threats. While ransomware attacks are not new, the scope and scale of their impact have grown significantly as organizations embrace digital transformation and the attack surface expands.

Earlier this year, Senator Mark Warner of Virginia, the chair of the Senate Intelligence Committee, realized the importance of cybersecurity partnerships and collaboration with the European Union, bluntly pointing out that "our failure to have any kind of joint cybersecurity policies or even joint cybersecurity norms could be something that could really be potentially devastating." Luckily, NATO leaders were on the same page and endorsed a much-needed Cyber Defense Policy designed to "Strengthen Allied coordination to ensure the Alliance is resilient against the increasingly frequent and severe threats we face from malicious cyber activity perpetrated by state and non-state actors, including disruptive ransomware attacks against critical infrastructure."

President Biden and EU Commission President von der Leyen also announced a U.S.-EU partnership on technology and trade during the World Economic Forum in Davos in June. This partnership will promote joint standards on emerging technologies and commitments to better protect the global digital ecosystem and keep adversaries at bay.

This week, President Biden is convening a virtual meeting with senior officials from 30 countries and the EU to rally allies and partners to coordinate and increase efforts to counter the shared threat of ransomware. The White House Fact Sheet noted “Ransomware incidents have disrupted critical services and businesses worldwide — schools, banks, government offices, emergency services, hospitals, energy companies, transportation, and food companies have all been affected.” The meeting will feature four sessions on resilience, disruption, virtual currency and diplomacy, each individually led by India, Australia, the U.K. and Germany.

These initiatives are a great start. Partnerships between America and other nations on cybersecurity must continue to be a significant priority for the White House and Congress in 2022. Cybersecurity doesn’t exist in a silo, and we have to work together to protect our critical infrastructure and federal networks. Governments must increase collaboration and use all tools at their disposal to protect against cyberattacks.

What it means for cybersecurity leaders

Multinational alignment on cybersecurity standards and practices could, ultimately, ease compliance challenges and help reduce risk. Cybersecurity leaders would do well to watch these efforts closely and prepare to factor them into their long-term strategy.

National Cyber Director and the Cybersecurity and Infrastructure Security Agency

The U.S. has a Senate-confirmed National Cyber Director, a role critical to promoting inter-agency collaboration on cybersecurity and coordinating a whole-of-government approach to cyberthreats. It’s now up to Congress to fund the office and ensure that Chris Inglis and all future NCDs have the resources and tools they need to protect the nation from cyberattacks.

Concurrently, Congress has expanded the role of the Cybersecurity and Infrastructure Security Agency (CISA) as the leading agency charged with civilian cybersecurity, helping the private sector navigate ransomware attacks and keeping our elections secure. As its scope grows, Congress must ensure CISA remains well-funded, staffed and prepared to execute its mission. The threat landscape isn’t going anywhere — we must ensure CISA has the resources to keep the nation safe.

What it means for cybersecurity leaders

Any opportunity to improve coordination between the public and private sectors will ultimately benefit cybersecurity leaders, particularly in the event of ransomware attacks. As the attack surface continues to expand, the ability to coordinate standards and practices across the vast network of government agencies and the private sector organizations that support them will help all organizations improve cyber hygiene and reduce risk.

Looking ahead to 2022

As we approach the end of a record year for ransomware attacks, government and the cybersecurity industry must look to our recent past for our future growth. Bolstering the nation’s cybersecurity posture should be top of mind every single day as we move into 2022 and our digital attack surface grows. Securing our digital infrastructure and developing cybersecurity plans and strategies both domestically and abroad is more important than ever.
