Tag Archive for: Wayne Lloyd

Exploring the Implications of the New National Cyber Strategy: Insights from Security Experts

In March 2023, the Biden Administration announced the National Cybersecurity Strategy, which takes a more collaborative and proactive approach.

RedSeal teamed up with cybersecurity experts Richard Clarke, founder and CEO of Good Harbor Security Risk Management, and Admiral Mark Montgomery (ret.), senior director of the Center of Cyber and Technology Innovation, to discuss the latest strategy. Both have developed previous national cybersecurity strategies, so we couldn’t be more privileged to hear their take on the newest national strategy’s impact on cybersecurity regulations. This blog covers the importance of harmonizing the rules, trends in resilience planning, the role of cyber insurance, the transfer of liability, and the need to keep pace with AI and quantum computing. Keep reading to learn more.

Expanding Cybersecurity Regulations

Although this is the first time the administration has given a clear and intentional nod to cybersecurity regulations, the federal government has regulated every other major sector for over 20 years. This step makes sense. As Clarke points out, sectors with heavy cyber regulations have fared better in the past two decades than those without. Montgomery predicts that most changes will happen in areas where regulations are lagging, such as water, oil pipelines, and railroads.

But many agencies don’t have the resources for effective enforcement. The government must thus use a combination of regulations, incentives, and collaboration to achieve meaningful outcomes.

The Importance of Harmonizing the Rules

The new strategy aims to “expand the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonize regulations to reduce the burden of compliance.” But the expansion of cybersecurity regulations must come hand in hand with better coordination.

As Clarke observes, today’s regulations aren’t well coordinated. Agencies must share lessons learned and align their approaches. The private sector will benefit from the standardization of various regulations to streamline compliance, reducing cybersecurity complexity and lowering costs.

However, coordination and standardization don’t mean a one-size-fits-all solution. Agencies must tailor their regulations to each specific sector. The good news is that we can apply the same network security technologies to any industry and encourage knowledge-sharing across verticals. For instance, we can take the high standards from the defense industry and apply them to healthcare and transportation without reinventing the wheel.

A Focus on Resilience Planning

The cybersecurity definition of resilience has evolved as the world has become more digital. We will get hacked. It is a certainty. Instead of only looking to protect systems from attacks, regulatory mandates must also focus on prompt recovery. The government should also hire industry experts to assess digital resilience plans and stress-test them for reliance.

Cyber resilience must be applied to national security as well as private business. Transportation infrastructure must be able to operate without extended interruption. The economy (e.g., the power grid and financial systems) is our greatest weapon, and must keep functioning during conflicts and crises. Lastly, we must have the tools to quickly and effectively battle disinformation, a new frontier in the fight against nation-state threats.

The Impact of the Internet of Things (IoT)

Regulations must also cover IoT devices, but focus on the networks instead of the thousands of individual endpoints. Clarke suggests that organizations should install sensors on their networks and conduct regular vulnerability scans. Montgomery adds to this, emphasizing the need for certification and labeling regimens as part of a long-term plan to make vendors responsible for their products’ performance and security.

Shifting Liability to Vendors

Speaking of making vendors responsible for their products’ performance and security, the new strategy intends to transfer liability to software vendors to promote secure development practices, shift the consequences of poor cybersecurity away from the most vulnerable, and make our digital ecosystem more trustworthy overall.

Clarke agrees that this approach is necessary, but holds that the current regulatory framework can’t support the legal implementation. IT lobbyists, some of the most well-funded and influential players on Capitol Hill, will make enforcement of such a shift an uphill battle. Clarke believes that, unfortunately, this hard but necessary shift may not happen until a tragedy shakes the nation and leaves it the only way forward.

Keeping Pace with AI and Quantum Computing

We, as a nation, have many issues to consider around AI, including some beyond security. Clarke points out that we must establish rules about transparency: What’s the decision-making process? How did AI get to a conclusion? Is it searching an erroneous database? Is the outcome biased? Large language models (LLMs) are constantly learning, and adversaries can poison them to impact our decision-making.

While AI is the big problem of the moment, we can’t afford to continue ignoring quantum encryption challenges, cautions Montgomery. We have already fallen behind and must spend a substantial sum today to prepare for what’s in store in 10 years. We must start building quantum security into our systems instead of attempting to jury-rig something later, adds Clarke.

The Rise of Cyber Insurance and Real-time Monitoring

Montgomery predicts that, if run properly, the cyber insurance market can bring these pieces together. Insurance companies may, for instance, encourage proactive measures by reducing premiums for organizations that invest in cybersecurity upfront and establish a track record of reliability and resiliency.

But organizations must prove they’re continuously protected instead of merely showing “point in time” compliance to take advantage of lower premiums. Real-time monitoring will play a critical role in lowering premiums and maintaining cybersecurity.

A Step in the Right Direction

The new National Cyber Strategy introduces timely and much-needed shifts. We must harmonize regulations to maximize the benefits without overburdening the private and public sectors.

In anticipation of the impending changes, organizations must approach their cybersecurity strategies proactively and implement the right tools and services to stay compliant. These include a comprehensive network security solution for complete visibility and ongoing monitoring, cloud security tools to protect all IT assets, and professional services to ensure airtight implementation and continuous compliance.

RedSeal has extensive expertise and experience in delivering government cybersecurity and compliance solutions. Get in touch to see how we can help you stay ahead in today’s fast-evolving digital environment.

Simplifying and Securing Hybrid Clouds

GovLoop | October 26, 2021

President Joe Biden’s executive order (EO) on cybersecurity suggests the cloud will play a pivotal role in the federal government’s future; it urges agencies to maximize the technology’s flexibility and scalability rapidly and securely.

But what can happen if agencies embrace the cloud too rapidly? The answer is haphazard and insecure IT environments. These environments often occur when agencies combine on-premises and cloud-based IT in a hybrid model.

Cyber Readiness Pillars and RedSeal

Cybersecurity readiness is an organization’s ability to identify, prevent, and respond to cyber threats. Organizations all over the world need it, and those that lack such a strategy are more prone to cybersecurity threats.

The Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Essentials for small businesses. Local government leaders can also use them to build an actionable understanding of how to implement organizational cybersecurity practices.

CISA leaders explained in detail why the pillars of the Cyber Essentials are important. Cybersecurity requires building a corporate culture around it, and an organization that fails to do so faces cyber-attacks. During a webinar with the U.S. Chamber of Commerce on June 29, CISA offered a starting point for greater flexibility in cyber readiness.

“From human resources to marketing to sales and procurement, it is almost guaranteed that you rely on one or more digital platforms to facilitate the success of your business operations. The Cyber Essentials are a series of tools and practices that we have assembled to provide what we consider to be the basics of cyber organizational readiness,” Trent Frazier, deputy assistant director of the Stakeholder Engagement Division at CISA, said.

Every team needs safe cybersecurity practices. An organization without a holistic approach to them is in danger, and help from a global leader is what it needs. RedSeal is a company that you can depend on for sophisticated cybersecurity.

RedSeal acts as a force multiplier for every other security device within a network. If you are short of skilled cybersecurity personnel, connect with us.

The 6 Pillars of Cyber Readiness 

Creation of Cyber Readiness Culture 

Pillar One 

Pillar one of cyber readiness is leadership. Leaders are the backbone of an organization and play a large part in maintaining its business culture.

That is why leaders should keep essential cybersecurity in mind and should not overlook the investment it requires. They should also determine how much of the organization’s work depends on IT and build trusted relationships with sector partners and government agencies, so that cyber threat information is easy to access.

Pillar Two

The second pillar of cyber readiness is the staff. The people who use the organization’s systems are an essential part of this readiness. The task for this element is developing cybersecurity awareness and vigilance.

Systems and Data Environment in Cyber Readiness 

Pillar Three

The third pillar is systems: leaders learn what is present on their network and how to maintain inventories of hardware and software assets. This tells them what is there and what is at risk from an attack.

Pillar Four 

The fourth pillar advises leaders to have knowledge of:

  • The network
  • Maintenance of inventories of network connections, including user accounts and vendors
  • Multi-factor authentication for every user, starting with those who have privileged, administrative, and remote access

Pillar Five

The fifth pillar of cyber readiness is the data, intellectual property, and other sensitive information present within the organization. Here, leaders and staff are tasked with learning how that data can be protected.

Respond to and Recover from a Crisis 

Pillar Six

Crisis response is the sixth and last pillar in the Cyber Essentials. It focuses on limiting damage and speeding the restoration of normal operations after a cyber-attack.

The Cyber Essentials task leaders with developing an incident response plan along with a disaster recovery plan. This plan should outline roles and responsibilities and should be tested often.

Leaders should be aware of the state of the organization’s cybersecurity, since their assessment also influences the business impact. They should also be clear on which systems should be recovered first.

Leaders should also know whom to call for help if they don’t have sufficient staff, and whom to call first. These can include outside partners, government, technical advisors, and law enforcement.

If you are looking for cybersecurity services, we offer the following.

RedSeal Service Offerings 

  • Cloud Cyber Inventory Assessment
  • Cyber Visibility Assessment
  • Health Check Service
  • Secure Remote Work Assessment
  • Managed Service
  • Cyber Cloud Access Assessment

Our professional services address your cybersecurity needs. We work as a team and offer skilled and trained cybersecurity personnel, along with cybersecurity products that add value to your investment.

The Bottom Line 

Organizations need a cybersecurity strategy to protect both infrastructure and customer data from growing cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Essentials as a guide for small businesses and local government leaders to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Behind the Firewall: 5 security leaders share incident response plans

Cybersecurity Dive | July 30, 2021

First, it’s good you have a plan to begin with. But have you tested it?

That is, have you gathered all your stakeholders, from the C-suite to the trenches, and run through your plan? And testing it once is not good enough. Your teams and networks are constantly changing, so your plan should evolve as well with time.

When an incident occurs, that is not the time to find out if your plan works. Testing turns up simple things, like having the ability to use outside communication mechanisms. If your system gets locked down by ransomware there is a good chance your address book in Outlook will be inaccessible.

Part of testing is also getting to know your network by modeling it and examining how it’s all connected. Having a continuously updated model of your network greatly speeds up your response time.

DOD’s Forecast Post-JEDI: Multi-Cloud with a Chance of Peril

NexGov | July 20, 2021

The Pentagon’s abandonment of the Joint Enterprise Defense Infrastructure, or JEDI, contract was an anticlimactic demise for the once visionary single-cloud network.

…the protracted legal battle pushed JEDI past viability. While the cloud titans fought for their slice of the pie, other actors within the federal government, most significantly the intelligence community, transitioned to a multi-cloud network. As a result, the decision to retire JEDI is best seen as an inevitable step toward DOD’s multi-vendor destiny.

EO Gives Momentum to Federal Cloud Movement

Communications Daily | May 27, 2021

President Joe Biden’s cybersecurity executive order will boost the federal government’s reliance on cloud services and information sharing, experts told us. The EO directs federal civilian agencies to “accelerate movement to secure cloud services,” including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).

“That’s really the best way for the government” to secure data, said RedSeal Federal Chief Technology Officer Wayne Lloyd. He expects the EO to drag agencies “kicking and screaming” into the cloud: “It’s something that’s long overdue,” from which the commercial sector has long seen the benefits.

After pipeline attack, former DHS cyber leader says ‘stop with the half measures’; security pros urge action in infrastructure bill

Inside Cybersecurity | May 11, 2021

“The President’s new infrastructure plan must incorporate cybersecurity or the new ports, electrical grids and rail systems it proposes will become a bonanza for hackers looking to exploit supply chains along with critical infrastructure,” said Wayne Lloyd, CTO of Federal at RedSeal.

“We live in a digitized world, and the facilities that would be constructed will add to the complexity of the critical infrastructure networks and further expose unintended access points,” Lloyd said. “These networks are increasingly exceeding the ability of humans to fully account for, making it essential that the White House secures the infrastructure by mandating compliance with existing NIST frameworks for the IT & OT systems and funding for technologies that can help automate and monitor the state of compliance for things such as network segmentation, or we’re going to experience another breach on the scale of SolarWinds.”

What You Need to Know About CMMC Certification

MSSP Alert | April 15, 2021

As the Cybersecurity Maturity Model Certification (CMMC) nears full implementation, affected organizations are scurrying to ensure they’ll pass the certification process.

The goal is simple: organizations must meet minimum cybersecurity standards, and in doing so, they do their part to improve national security. The stakes are extraordinarily high for the estimated 300,000 defense industrial base (DIB) organizations which will soon need to be certified to one of the five CMMC levels to be eligible to be awarded a federal contract. Simply stated: no certification, no contract. From the perspective of the U.S. Government and the Department of Defense, the stakes have always been high since the DIB plays such a critical role in the defense of our nation. The only way to ensure the protection of our data and the integrity of the supply chain is to hold industry to a higher standard.

What You Need to Know About CMMC Certification

Supply Chain Brain | October 7, 2020

Supporting the DoD’s Defend Forward Initiative

 

What is Defend Forward?

The DoD’s Defend Forward operational concept has been rolling out over the past few years. Policy makers and cyber defenders in government realized that, just as the situation in Afghanistan led directly to the rise of Al-Qaeda and the 9-11 attacks, the situation in cyberspace was going to lead to a crippling cyber-attack of similar power.

However, unlike Afghanistan, where a power vacuum was created by the withdrawal of the Soviet Union, the Internet was designed from the outset to be open. By design, there are no police; no organization with the authority and the power to punish bad actors. The cavalry are stuck in the fort.

Something had to change.

Cyber Protection Teams (CPTs) working at the Department of Defense (DOD) were restricted to preparing for and responding to attacks on their own network. Hacktivists, cyber criminals, and nation state adversaries were not restricted in the same way. This unequal playing field was addressed by removing the restriction on CPTs and allowing them to operate, if asked, in the networks of foreign countries. This new operational concept is called Defend Forward.

The goal of Defend Forward is to move out into cyberspace and inflict costs on bad actors, especially other nation states. As most adversary cyber teams tend to use and reuse the same tactics, techniques, and procedures (TTPs), finding malware on foreign networks and publicizing it forces those cyber attackers to create new methods. This takes time, effort and money. By shining a light on these playbooks, friendly nations, other parts of government and civilians will know what to look for, further disrupting cyber attackers’ operations. Lastly, this serves as a signal to enemies that we know about their procedures and puts them on the defensive.

 

How Do We Protect the Base?

While Defending Forward is off to a promising start, it is only a part of the ongoing cyber war. A “whole-nation” effort is needed, involving both government and industry. Only 10% of the critical infrastructure networks in the U.S. are controlled by our government. Industry needs to do its part and protect the home base.

We need to know our networks better than the attackers do. We need to make sure our networks are set up securely as we intended. We need to find and mitigate the highest risk issues first. Our complex networks make this very hard to do without technical support.

RedSeal’s cyber terrain analytics platform and professional services help all organizations improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured; validates network segmentation policies; and continuously monitors compliance with policies and regulations. RedSeal continually checks to see if a network’s segmentation is working as designed, ranks end point vulnerabilities in order of risk, and adds knowledge of your network to determine how accessible the vulnerability is to untrusted networks and what it will expose if compromised.

For more, see the webinar titled “Defend Forward, But Protect Your Base” with Wayne Lloyd, RedSeal Federal CTO, and Mike Lloyd, RedSeal CTO.

Contact us for more information about how RedSeal can help you support our cyber protection teams.