CISA’s strategic plan is ushering in a new cybersecurity era

The federal government has once again signaled that our traditional approach to cybersecurity, one predicated solely on prevention and perimeter defenses, is failing us. In the past two years alone, 76% of organizations were attacked by ransomware, and 66% experienced at least one software supply chain attack. Now, the Cybersecurity and Infrastructure Security Agency (CISA) is the latest federal entity to shake up cybersecurity best practices — underscoring that we need drastic change to withstand today’s dynamic threat landscape.

CISA, the group tasked with strengthening our national approach to cybersecurity and securing critical infrastructure, has released a strategic plan that outlines four goals that must be met to address the “diverse and dynamic challenges facing our nation.” The CISA Strategic Plan 2023-25 is the first of its kind for the agency, which was founded four years ago. The plan is light on details, but it’s notably marked with a move away from traditional prevention and detection approaches toward “resilience.”

The first of CISA’s outlined objectives is to “enhance the ability of federal systems to withstand cyberattacks.” Federal agencies should be prepared for and able to rapidly recover from cyberattacks and incidents, as well as maintain mission continuity during and after cyberattacks and incidents.

That the agency places this goal above the ability to actively detect cyberthreats (Objective 1.2) speaks volumes about today’s priorities. Instead of focusing first on preventing and detecting breaches, CISA is acknowledging that breaches will occur. This marks a subtle but dramatic shift in thinking. Only by recognizing that cyberattacks and breaches are inevitable can we effectively reduce their impact.

A Marked Shift Away From Prevention

Detection, firewalls, and perimeter defenses represent cybersecurity’s status quo — fundamentally, the same strategy employed since the dot-com era. But in the past decade, hyperconnectivity and hybrid work have become the norm — drastically expanding the attack surface. The painful takeaway from the long string of ransomware attacks and breaches we’ve witnessed during the past three years (Colonial Pipeline, Kaseya, SolarWinds, and many more) is that legacy solutions and traditional cyber approaches focused solely on keeping bad actors out no longer provide adequate protection.

If we consider CISA’s plan in combination with the Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, which mandated that federal agencies must implement zero-trust architectures, it’s clear that protecting our most critical infrastructure is now more about ensuring continuous operations, proactive risk mitigation, and resilience than preventing digital break-ins entirely. In fact, CISA’s strategic plan mentions the word “resilience” 30 times.

Withstanding attacks through resilience is among zero trust’s core principles, along with the concepts of assume breach, least privilege, and “never trust, always verify.”

To read the complete article, visit Dark Reading.