Feds Push for Security by Design in Critical Infrastructure Resilience
NSA and State Department say sharing threat intelligence and baking cybersecurity into tech development are keys to tackling cyber threats.

Cybersecurity leaders cited growing priorities around security by design and zero trust to protect critical infrastructure at CyberScape Summit in Bethesda, Maryland, Thursday.
The Cybersecurity and Infrastructure Security Agency’s Secure by Design framework calls for baking security into technology products from the beginning, rather than adding security on as an afterthought. The concept ties closely with current efforts around zero trust.
“What do we see nation-state actors doing? We see them take advantage of seams between government and industry. We see them take advantage of trust relationships between companies and their suppliers,” said Kristina Walter, director of the National Security Agency’s Cybersecurity Collaboration Center, at the event. “Identity management, access management, network segmentation, those are the things that are going to get after these really sophisticated threats.”
“Secure by Design” aligns with zero-trust tenets by emphasizing the need for a security framework where trust is never assumed, and each user, device and system is continuously verified and monitored. One area of opportunity is bringing zero trust to the edge.
“One area I think is really under indexed is there’s a ton of places where, at the edge, zero trust is not fully deployed — and I get it. There’s a lot of agencies where unlimited budget is not a reality, staffing concerns,” said Matt Barry, COO at HP Federal. “We find that there’s an opportunity, frankly, for industry to do a better job of educating on the value proposition of things that we’re already doing and to serve up innovation as opportunities to explore.”
AI Amid Volt Typhoon
Emerging technology creates new avenues for adversaries to increase their attacks, such as using artificial intelligence to craft deepfakes and preparing for post-quantum encryption.
“[AI] really puts all of those attack vectors on steroids for adversaries,” Walter said. “There’s always the conversation of, is AI better for offense or defense in cyber and who’s going to win in that battle?”
NSA’s Cybersecurity Collaboration Center stood up an AI Security Center in 2023 to bolster industry partnerships and better detect emerging threats.
“Our focus is on detecting the threats to us. … Second, operationalizing that intelligence. We’re partnered with the large frontier companies to make sure that when we see their platform being targeted or abused, we can share it with them. We can help them understand the ways in which the actors would abuse it, so they can build in those security protocols advanced,” Walter said. “Last one is really the long game of, how do we mitigate threats in the future?”
China presents a pacing threat, Walter added, and adversaries have evolved — with the emergence of advanced persistent threats like Volt Typhoon and Salt Typhoon — to present more sophisticated attacks.
Volt Typhoon, a Chinese state-sponsored cyber threat group, primarily pursues non-intelligence targets in U.S. critical infrastructure, including sectors such as communications, energy, water and transportation.
“What is concerning to us about Volt Typhoon threat is, one, the sophistication with which they are getting in so leveraging zero-day vulnerabilities … two, maintaining persistence in a way that the cybersecurity industry was not tracking two or three years ago,” Walter said.
Salt Typhoon targets high-value intelligence, including government, telecommunications and technology.
“The sophistication is much different, and our ability to respond really requires industry and government to work together to out the campaigns and then get the entire community hunting for them,” Walter said.
As threats evolve, industry partners are focusing on improving communication and education around tech tools to contextualize solutions with the evolution of threats.
“We need to make sure that we’re doing a good job of educating and when we come out with value prop claims like, ‘now we’re shipping laptops, PCs and printers that are quantum resistant.’ What does that mean? Taking people through an understanding of, classic encryption still there, but in a post quantum cryptographic world, we’ve got to have this different approach,” Barry said.
Sharing Threat Intelligence
The State Department has more than 270 locations in 190 different countries and works in at least 150 different languages, noted Jimmy Hall, CIO for the Bureau of Intelligence and Research within the State Department. This means partnerships and the intelligence sharing between them are critical.
“It’s our business to talk and negotiate with the adversaries,” Hall said. “We have to work through documents, and we have to work through various forms of social media, talking to these partners. And so, we become a self target. That’s something that I can’t stress enough. The teamwork and the interagency work that’s required to keep us all safe and secure.”
NSA stood up its Cybersecurity Collaboration Center about five years ago. 90% of U.S. critical infrastructure is operated by industry, Walter said, so public-private partnerships are essential to share threat intelligence. The center now has approximately 1,500 partners to track nation-state threats together.
“We’ve really worked over the last several years to get as much out of classified channels as we can, to get it out to where it’s actionable so net defenders can truly understand the techniques that are used [and] jointly develop detection techniques so that we can find it together and essentially hunting side by side,” Walter said.
Hall measures success of resiliency strategies by three metrics: ability to meet the agency’s mission, manage risk and secure data. The Cybersecurity Collaboration Center views success through performance and effectiveness. The center has blocked 4 billion malicious domains, averaged a 33-day patch time for critical vulnerabilities and mitigated 20,000 vulnerabilities.
“Our goal is to really require [adversaries] to pay for more things, because we’re outing their capabilities. When they have to rebuild cyber capabilities because we’ve outed them publicly or we’ve shared them with our international partners or we’ve leveraged our partnership with State Department to get them out for these global campaigns — that’s a really good day for us,” Walter said.