Over the past decade, with the rise of sophisticated cyber threats and the success of malicious cyber threat actors, it has become increasingly clear that perimeter-based cyber defenses have not been effective enough to protect public or private sector organizations. The SolarWinds breach, the 2021 Microsoft Exchange Server compromise, the Capitol Pipeline and JBS Foods ransomware attacks, CISA’s 2022 ‘Shields Up’ warning, and other high-profile attacks around the world are just a few reminders of the damage that malicious cyber campaigns can cause and their threat to national and economic security.
Additionally, advances in quantum computing, despite their benefits, have introduced concerns regarding the future security of public key cryptography. For example, according to a White House memorandum, a Cryptanalytically Relevant Quantum Computer (CRQC), when available, “will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world” (2022).
To address these expanding concerns, over the span of a year, the White House released a handful of official documents related to cybersecurity that have significant implications for the future of national and economic security across both the public and private sector. These include the following documents: Executive Order 14028 Improving the Nation’s Cybersecurity; National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems; National Security Memorandum/NSM-8 Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems; and National Security Memorandum/NSM-10 National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.
Examining these documents together can provide important insights into key cybersecurity concerns that will face organizations well into the future, as well as the steps being taken to address those concerns. Though many of the mandates in the memorandums are directed at U.S. federal agencies, they have important implications for the private sector as well.
Executive Order 14028
According to Executive Order (EO) 14028, it is the policy of the Biden Administration that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security” (2021). In order to improve efforts to identify, protect against and respond to malicious cyber threat actors, the Executive Order maintains that the U.S. Federal Government will need to make ‘bold changes’ and invest significantly in cybersecurity.
Some of the requirements outlined in the EO include removing additional barriers related to cyber threat information sharing, implementing zero trust architecture, mandating deployment of multi-factor authentication and encryption, moving to secure cloud services and improving processes for identifying and managing cybersecurity risk in federal systems. There are additional requirements, and vendors who work with the Federal Government will need to adhere to the changes.
What is Zero Trust?
A fundamental part of zero trust, a model developed by John Kindervag in 2010, is that every system and every user operating within or outside a cybersecurity perimeter must be verified. According to IBM, zero trust “works by assuming that every connection and endpoint is considered a threat. The framework protects against these threats, whether external or internal, even for those connections already inside” (n.d.). Microsoft maintains that zero trust is designed to address modern, complex work environments, because regardless of where a request is from or the resources it requires, the zero trust model is based on the principle of “never trust, always verify” (2022).
Following the release of the May 2021 executive order, a plethora of resources has been made available to help those responsible for implementing zero trust in their organizations, though it is important to remember that there is a wide variety of zero trust models and that solutions for developing a zero trust enterprise vary. A few good references are NIST Special Publication 800-207 (Zero Trust Architecture), CISA’s Zero Trust Maturity Model, and the Department of Defense Zero Trust Reference Architecture.
Improving Cybersecurity for Critical Infrastructure Control Systems
Another important memorandum, “Improving Cybersecurity for Critical Infrastructure Control Systems,” was signed by President Biden in July 2021. This document calls for the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to establish voluntary cybersecurity goals for the owners and operators of critical infrastructure. The initiative also provides a channel to deploy cybersecurity technologies to critical infrastructure owners for essential control systems. Additionally, the memorandum creates a path for “government and industry to collaborate to take immediate action, within their respective spheres of control, to address serious threats” (2021). In response to the memorandum, CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories to help create the voluntary cybersecurity goals for private critical infrastructure owners (2021).
National Security Memorandum/NSM-8
In January 2022, the White House released National Security Memorandum 8, Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. This document mandates that the cybersecurity protections for National Security Systems (NSS) be at least at the same level as the cybersecurity requirements for Federal Information Systems outlined in Executive Order 14028 (Improving the Nation’s Cybersecurity) and establishes “methods to secure exceptions for circumstances necessitated by unique mission needs.” National Security Systems are those that may contain classified information or that are imperative for military and/or intelligence activities. NSM-8 also calls for increased visibility of cybersecurity incidents that occur on NSS and requires agencies and the NSA to protect critical systems, especially those that transfer information between classified and unclassified systems. NSM-8 provides the Director of the NSA, General Paul M. Nakasone, in his role as the National Manager for NSS, with greater authority to safeguard NSS more effectively as well as the authority to “issue binding direction to departments and agencies operating NSS to take action against cybersecurity threats and vulnerabilities” (2022).
In preparation for the future, as quantum computing continues to advance, NSM-8 requires that government agencies modernize their cyber defense, move to a zero trust architecture where warranted, and prepare for quantum-resilient cryptography and post-quantum communications.
According to General Nakasone, “As the nation’s leader in cryptography, NSA will play a significant role in ensuring cryptographic interoperability among national security system users through cryptographic standards for use on NSS” (2022).
National Security Memorandum/NSM-10
On May 4, 2022, the White House released another document related to the risks to cyber, national and economic security: National Security Memorandum 10, Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. While recognizing both the opportunities and the risks provided by quantum computers, the memorandum calls for a multi-year plan to migrate U.S. National Security Systems to quantum-resistant cryptography.
According to a White House fact sheet, increased investments in quantum computers will also bring great risks, as “Cryptanalytically Relevant Quantum Computers (CRQC) will have the ability to jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions” (2022).
Though it will take time, NSM-10 provides a plan to transition the Nation’s cryptographic systems to interoperable quantum-resistant cryptography.
As part of that plan, the National Manager for National Security Systems, the Director of NSA, will oversee the transition to quantum-resistant cryptography in agencies using National Security Systems (NSS). Additionally, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) will ensure U.S. critical infrastructure and other U.S. Government systems also move toward quantum-resistant cryptography. Given that the U.S. critical infrastructure is mostly owned by the private sector, this will have additional implications for organizations across the nation and around the world.
Organizations like Google, Microsoft, D-Wave Systems, IBM, Intel and NIST have already been making great advances in quantum computing. Additionally, the White House will continue to make significant investments in quantum computing; however, to prepare for the exposure introduced by advances in quantum computing, collaboration between the Federal Government and the private sector will be necessary.
These four documents outline broad security investments that will occur in both the public and private sector well into the future. The adoption of Zero Trust and the migration to quantum-resilient cryptography and post-quantum communications will be key priorities over the coming years. Given that national and economic data as well as Intellectual Property (IP) and trade secrets are currently being stolen and could be stored with the intention of decrypting it as soon as powerful quantum computers are available, there has been an increased urgency related to protecting critical information and transitioning to quantum-resilient cryptography. In fact, some from NIST believe that “Nothing can be done to protect the confidentiality of encrypted material that was previously stored by an adversary” (Shankland, 2021).
With developments in computing advancing every day, it is vital to continue to take steps, as the four executive documents mandate, to protect national and economic data, critical infrastructure, and National Security Systems as we move toward an exciting, but uncertain future. As noted in EO 14028, “The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced” (2021).
CISA. (n.d.). Zero trust maturity model. https://www.cisa.gov/zero-trust-maturity-model
CISA. (2021, September). Control systems goals and objectives. Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives. https://www.cisa.gov/control-systems-goals-and-objectives
DISA. (2021, February). Department of Defense (DOD) Zero Trust Reference Architecture [PDF]. https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
IBM. (n.d.). Zero trust security solutions. https://www.ibm.com/security/zero-trust
NIST. (n.d.). Zero trust architecture. https://www.nist.gov/publications/zero-trust-architecture
NSA. (2022, January 19). President Biden signs cybersecurity national security memorandum. National Security Agency/Central Security Service. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2904637/president-biden-signs-cybersecurity-national-security-memorandum/
NSA. (2022, May 4). President Biden signs memo to combat quantum computing threat. National Security Agency/Central Security Service. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3020175/president-biden-signs-memo-to-combat-quantum-computing-threat/
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture [PDF]. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Shankland, S. (2021, May 24). Quantum computers could crack today’s encrypted messages. That’s a problem. CNET. https://www.cnet.com/tech/computing/quantum-computers-could-crack-todays-encrypted-messages-thats-a-problem/
White House. (2021a, May 12). Executive order on improving the nation’s cybersecurity. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
White House. (2021b, July 28). National security memorandum on improving cybersecurity for critical infrastructure control systems. The White House. https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/
White House. (2022a, January 19). Memorandum on improving the cybersecurity of national security, Department of Defense, and intelligence community systems. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2022/01/19/memorandum-on-improving-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/
White House. (2022, January 19). Fact sheet: President Biden signs national security memorandum to improve the cybersecurity of national security, Department of Defense, and intelligence community systems. The White House. https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/19/fact-sheet-president-biden-signs-national-security-memorandum-to-improve-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems/
White House. (2022b, May 4). National security memorandum on promoting United States leadership in quantum computing while mitigating risks to vulnerable cryptographic systems. The White House. https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/