intelligence services leverage supply chain attacks in the past, and we can expect them to incorporate valuable lessons from this latest Russian action into their own operations.

Recommendations

This Holiday Bear operation further highlights the need for a broader paradigm shift in both the private sector’s and the government’s approach to cyber strategy. Across the board, organizations should adopt what we in the cybersecurity industry call an “assumption of breach” approach, where defenders operate on the basis that an adversary has already gained access to their sensitive networks. The premise is simple:

● No cyberdefense system is 100-percent effective at preventing breaches;
● Even with the best training, human error will inevitably foil the smartest defense strategies; and
● Adversaries are constantly adapting to existing defense mechanisms and designing new ways to circumvent them without being detected.

The only safe assumption in the cyber battlespace is to assume that networks are never safe. The assumption of breach approach is the only appropriate paradigm to govern cybersecurity strategy in this new era of great power competition. Our competitors in this contest are highly sophisticated, well-resourced nation-state actors. We underestimate their capabilities at our own peril.

Incidentally, this is not any different from the approach we already take in the physical world. As a matter of practice, we assume that at any given moment there are people inside our sensitive government agencies who have been recruited by foreign intelligence services. Our counterintelligence approach is not merely focused on preventing such recruitment. Instead, we explicitly undertake significant efforts to identify spies and limit the damage they may be able to do to our national security. We need to adopt this same approach in cyberspace.

This shift in strategic paradigm necessitates a shift in practice.
This Committee should be commended for its strong leadership in pushing for new and significant resources to support the federal government’s cyber strategy, most notably by creating CISA in 2018 and strengthening CISA’s authorities under the FY21 National Defense Authorization Act (NDAA). But more needs to happen to capitalize on this momentum and deepen these commitments, and in particular, I have five recommendations for this Committee’s consideration:

1. Congress should take steps to set CISA on a path to becoming the operational CISO, or Chief Information Security Officer, of the civilian federal government. The majority of the 137 Executive agencies lack the personnel, the know-how, and the resources to execute a comprehensive cybersecurity strategy. Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission.
Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience