It’s important to hold adversaries accountable for recent cyber incidents, but Carole House, the director of cybersecurity and secure digital innovation on the White House National Security Council (NSC), stressed that “we need to hold ourselves accountable to the shortcomings” at home as well.
During a virtual event held by AT&T on Sept. 21, House shared how the Biden administration’s cybersecurity executive order (EO) was created from three key lessons learned from recent cyber incidents.
First, recent cyber incidents highlighted the “critical urgent need for change,” according to House.
“For too long, both public and private sectors have failed to take the necessary steps to implement basic cyber hygiene practices and cybersecurity defenses,” House said. “We can’t accept that we will move from one incident response to the next. And while rapid reaction is essential, the breadth of these compromises compels us to do more to get ahead of these threats and not just be reactive.”
The second lesson recent cyber incidents have highlighted is the “role that poor cybersecurity hygiene and poor software security” played in making the United States more vulnerable to cyberattacks, House said.
“We must prioritize modernizing our defenses and building secure software,” House explained. “Security can’t be an afterthought – it has to be integrated by design.”
Finally, the third lesson recent cyberattacks highlighted is the fact that “anyone can be a potential target,” according to House.
“Whether government, large corporations, small companies, or critical infrastructure, all of us can be targets of malicious nation-state or cyber-criminal actors,” House said. “More importantly than just being a target, everyone has a role and a responsibility to defend against these threats. So, these partnerships between public and private sectors are only growing more critical to the safety of our nation in cyberspace.”
House also noted that identity played a critical role in the creation of the cyber EO “for good reason,” as many cyberattacks could have been avoided with a strong digital identity.
“Many cyber incidents have involved vectors of compromise that could have been thwarted through implementation of stronger identity practices, including implementation of multi-factor solutions,” House said.
“We’ve heard estimates from industry that a vast majority of ransomware incidents could have been prevented simply through implementing multi-factor authentication,” she added. “So, under the EO, as part of modernizing Federal government cybersecurity, we’ve directed agencies to adopt MFA [multi-factor authentication] and encryption for data at rest and in transit to the maximum extent possible.”
House said identity “plays a key role in many other areas” the Biden administration is pursuing with regard to cybersecurity, and there is “a lot of opportunity” for industry and the Federal government to work together on future identity efforts.