[UPDATE May 5, 2025, The GSA has published proposed enhancements to the Federal Acquisition Rules pertaining to US Government procurement practices to include "Strategic Acquisition Guidance" (SAG)]
[UPDATE March 20, 2025, FERC is exploring methods to enhance software supply chain security to protect the Bulk Electric System from risky software, providing further evidence of the paradigm shift away from "plain old cybersecurity approaches" to more holistic "Cyber Risk Management" practices adopted by the US Government]
[UPDATE June 28, the US Government General Services Administration (GSA) has announced the SCRIPTS RFQ; the era of "Secure by Design" and radical transparency has begun and the status quo is being replaced with more modern cybersecurity protections designed to detect and stop the scourge of ransomware from causing harm - BRAVO!]
[UPDATE May 14, 2024 An announcement from the US GSA stating that only approved, secure software will be acquired and used by the Agency is another indication of the paradigm shift that is underway. Organizations selling software products to the US Government GSA will need to submit their "Secure Software Attestation Forms" and other artifacts, i.e. SBOM, in the CISA RSAA portal, mentioned in the GSA memo.]
[UPDATE April 30, 2024 The paradigm shift took a "giant leap" with the US announcement of an entirely new strategy to secure national critical infrastructure that we all depend on. The National Security Memorandum NSM-22 is available online]
[UPDATE March 11, 2024 CISA released the secure software attestation form that software producers will need to submit to US Federal Government Agencies as part of the software procurement process, now in effect. I will be presenting on this important attestation form topic on April 15, 2024 to a Federal Agency preparing to collect attestations, starting in June, 2024.]
For many years cybersecurity policies and practices were viewed as one of those “IT tasks” that needed to be performed, like doing backups and printing reports. The tasks associated with cybersecurity practices frequently fell on the shoulders of IT personnel, like the CIO. This remains true even today: many cybersecurity tasks are implemented by IT organizations, somewhere deep in the ranks of personnel working in an IT department. Cyber is treated as “technical stuff,” the IT team’s job, or an afterthought in defensive planning. The United States Needs a New Way to Think About Cyber!
The term "cybersecurity" is a relic of the status quo. Today, we perform much more comprehensive risk management functions that are best described as "Cyber Risk Management" as part of Business Risk Management and the people doing the work are "Cyber Risk Management Professionals". This is a fundamental shift in mindset, a paradigm shift, that must be adopted if we want to have any hope of creating a more resilient Cyber Ecosystem across critical infrastructure operations and prevent hacker attacks from succeeding.
In 1992 I recall setting up the DEC SEAL firewall (thanks for your help, Marcus); this was when cybersecurity tasks amounted to a number of specific technical tasks, mostly relating to access control management, like firewall rule configuration and other tasks that were considered “cybersecurity related”. Yes, firewall rules management and patching continue to this day and remain an important part of the Cyber Risk Management functions that must be managed with due care and precision. Twenty-two energy companies in Denmark were breached in 2023 when a common firewall device was not properly updated to patch a known CISA KEV. A US GAO report from October 2022 warned of coordinated cyber-attacks against the electric grid and recommended that FERC take action to prevent these coordinated attacks from occurring. I reiterate this concern from the GAO in my recent FERC comment filing for Docket AD23-9-000.
Then, sometime after the Internet was opened for commercial use (1994), hackers discovered how to make lots of money disrupting business operations. Today, ransomware and data theft are a lucrative business with a virtually guaranteed revenue stream. Hackers are finding many “easy targets” in companies that apply antiquated "status quo" practices to cybersecurity that focus on completing “checklist technical tasks”, such as password resets, user account creation/deletion, log scanning and other tasks that fall under the “cybersecurity” umbrella. FYI: password resets can be a leading indicator of a cyber-attack, as MGM is now well aware.
In 2023 we know all too well that the status quo approach to cybersecurity is not stopping hackers from carrying out cyber-attacks using sophisticated methods, such as ransomware and data theft for profit. It is a very successful business model that takes advantage of 1984 thinking. Mediocrity is the most likely outcome from the status quo approach given the sophistication, innovation and capabilities of the cyber-adversaries we face.
Why?
Because companies continue to treat cybersecurity as a “checklist” of specific tasks to be completed, following the advice of "highly paid cybersecurity experts" who continue to advise on failed cybersecurity practices that represent the status quo, as they promote their own investments in cybersecurity companies. Some people seem to rely on a business strategy that is committed to 1984 thinking, which I've started referring to as "Cybersecurity Status Quo Inertia" (CSQI), CSQI=1984. I'm beginning to think that the "Group Think phenomenon" may be the reason why people are so committed to these 1984 status quo cybersecurity practices (CSQI).
2023 will be marked as the “inflection point” where regulators stepped in to let Officers and Directors know, without doubt, that cybersecurity risk is business risk. The SEC Cybersecurity Regulations that go live in December 2023 mark the beginning of a paradigm shift in how companies need to address cybersecurity policies and practices more holistically, as business risk, and govern cybersecurity accordingly.
Cybersecurity needs to be viewed as a business risk, and the work that goes into cybersecurity policies and practices, both proactive and reactive, needs to replace the ”status quo cybersecurity checklist tasks” with a broader set of business risk management strategies, policies and practices, referred to as "Cyber Risk Management", to protect the business from cyber-risks that can disrupt business operations and sometimes lead to bankruptcy, especially in smaller entities with limited resources. Many smaller organizations also need to be prepared to address this cybersecurity paradigm shift. CISA has provided guidance for these smaller organizations, given their specific constraints and limited resources.
Hold on there, Brooks, where’s the evidence that this paradigm shift is really happening? One answer: “MATERIALITY OF A CYBER-INCIDENT”. Many CISOs aren’t “tuned into a method to measure materiality” of a cyber-incident in terms of real business risk and impact, quantitatively or qualitatively. Fortunately, I am not alone in acknowledging and describing this paradigm shift in cybersecurity, as this December 6, 2023 article from the Harvard Law School Journal shows, along with this article by ThriveDX describing the Clorox cyber-incident, which emphasizes the impact SEC Regulations are having as an under-current driving change. The EU DORA regulation is also proof of this paradigm shift taking shape. The Energy Central PowerSession held on December 14 also discussed how materiality of a cyber-incident is altering the role of CISOs. Some articles, such as this one in Fortune, are referring to this paradigm shift as a quiet revolution. I see it more like "the shot heard around the world"; it seems everyone is aware of the new cybersecurity regulations that went live in December 2023, and the court cases involving CISOs, like the SolarWinds SEC complaint, are getting lots of attention. Not to mention the fact that hackers are attacking every day, reminding us that the status quo approach to cybersecurity remains ineffective, like the Maginot Wall. The message is loud and clear: a paradigm shift is happening and cybersecurity practices will continue to evolve, out of necessity.
“We are in the midst of a fundamental transformation in our Nation’s cybersecurity.” – National Cyber Director Harry Coker. The cyber insurance carriers are making adjustments accordingly.
You may be asking, what does this change in the cybersecurity paradigm look like? The SEC Cybersecurity Regulations provide clarity:
- Managers across the Company are collectively responsible for effective “good faith” cybersecurity policies and practices in order to satisfy SEC Cybersecurity Regulations.
- The “status quo” checklist tasks will continue to be implemented, but they will be thoughtfully applied to support specific risk management strategies and priorities that "Cyber Risk Management Professionals" have deemed necessary to protect the “crown jewels” of the business. “We need to protect diamonds like diamonds and pencils like pencils.” – Scott Aaronson at EEI.
- Thoughtless “cybersecurity tasks” that do not support specific risk management priorities of the company will be reconsidered, and the resources assigned to these tasks may be reassigned to focus on more important priorities that align with the Company risk management strategy and priorities. One often overlooked priority today is the monitoring of CISA Known Exploited Vulnerabilities (CISA KEV) that can be used to carry out a successful cyberattack. More attention will be given to monitoring for CISA KEVs, resulting in immediate action to mitigate their risks and prevent harm. The "blast radius" from a coordinated CISA KEV attack can be very broad, affecting potentially hundreds of companies, globally.
- More attention will be given to documenting cybersecurity controls, including their alignment in support of business risk management priorities and government regulatory requirements, with guidance provided by CISA.
- Evidence of these controls being performed will need to be preserved in a tamper-proof system of record (an "Evidence Locker"), following a "digital chain of custody protocol", so that it can be presented to regulators or in a court of law during litigation, knowing that the evidence is credible and trustworthy and will be effective at protecting company Officers, including CISOs, from personal risk if/when a cyber-incident does occur.
- The case for a digital "Trust Registry" as a foundational capability for the digital world is gaining ground. In 2024, just like in 1984, Apple continues to show that it is the leader in innovations designed to improve lives and help protect people from harmful software and digital products, by announcing a "Trust Registry" capability for iOS apps in the EU, which it calls a "notarization service for iOS apps".
- The need for a "Trust Anchor" was pointed out at the World Economic Forum Davos Conference in 2021 in this article and the associated white paper.
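The KEV-monitoring bullet above describes the practice but not the mechanics. The following is an added illustration, not code from the original post or from CISA: it matches an asset inventory against a catalog snapshot and triages what is overdue and ransomware-linked first. The catalog structure uses the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`, `requiredAction`), but every entry, CVE ID, vendor, product and date below is a constructed placeholder, and the inventory format is an assumption of this example.

```python
"""Check a software/firmware inventory against a CISA KEV catalog snapshot.

Added illustration; not from the original post. Field names follow CISA's public
KEV JSON feed, but every entry below is constructed: the CVE IDs, vendors,
products and dates are placeholders, not real KEV records.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample (not CISA data)",
    "vulnerabilities": [
        {   # overdue and used in ransomware campaigns: the "iceberg" case
            "cveID": "CVE-0000-00001",
            "vendorProject": "ExampleFirewallCo",
            "product": "EdgeGuard",
            "vulnerabilityName": "ExampleFirewallCo EdgeGuard authentication bypass (placeholder)",
            "dateAdded": "2023-05-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-22",
            "knownRansomwareCampaignUse": "Known",
        },
        {   # listed, but not yet past its due date
            "cveID": "CVE-0000-00002",
            "vendorProject": "ExampleOfficeCo",
            "product": "DocSuite",
            "vulnerabilityName": "ExampleOfficeCo DocSuite code execution (placeholder)",
            "dateAdded": "2023-12-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-12-31",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # already remediated on the asset below, so it must not be reported
            "cveID": "CVE-0000-00003",
            "vendorProject": "ExampleOfficeCo",
            "product": "DocSuite",
            "vulnerabilityName": "ExampleOfficeCo DocSuite privilege escalation (placeholder)",
            "dateAdded": "2023-10-20",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-11-10",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory (format assumed for this example): vendor/product as
# recorded by the asset owner, plus KEV CVE IDs already remediated on that asset.
SAMPLE_INVENTORY = [
    {"asset": "fw-01", "vendor": "examplefirewallco", "product": "edgeguard", "remediated": []},
    {"asset": "ws-07", "vendor": "ExampleOfficeCo", "product": "DocSuite", "remediated": ["CVE-0000-00003"]},
    {"asset": "rtr-02", "vendor": "ExampleNetCo", "product": "CoreRouter", "remediated": []},
]


def load_kev(text):
    """Parse the feed and index entries by case-folded (vendor, product)."""
    index = {}
    for entry in json.loads(text)["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(kev_index, inventory, today):
    """Return one finding per (asset, KEV CVE) pair that still needs action.

    Overdue and ransomware-linked findings sort first, the triage order the
    post argues for."""
    findings = []
    for asset in inventory:
        key = (asset["vendor"].casefold(), asset["product"].casefold())
        done = {c.upper() for c in asset["remediated"]}
        for entry in kev_index.get(key, []):
            if entry["cveID"].upper() in done:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset["asset"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "overdue": today > due,
                "days_past_due": max(0, (today - due).days),
                "ransomware": entry["knownRansomwareCampaignUse"].casefold() == "known",
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], -f["days_past_due"]))
    return findings


def kev_report(today=date(2023, 12, 14)):
    """Run the sample end to end; the date is fixed so results are reproducible."""
    return match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in kev_report():
        status = "OVERDUE" if f["overdue"] else "due " + f["dueDate"]
        tag = " ransomware" if f["ransomware"] else ""
        print(f'{f["asset"]:7} {f["cveID"]:15} {status}{tag}: {f["requiredAction"]}')
```

In practice the catalog text would come from a scheduled download of the real feed and the inventory from the asset management system; the matching step is the same. The vendor/product join is the weak point of any such check, so normalising names at inventory time matters as much as the feed itself.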
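The "Evidence Locker" bullet above asks for a tamper-evident system of record with a digital chain of custody. As an added illustration (not from the original post, and not any vendor's product), here is the minimal structure that gives that property: each record carries a digest of the evidence artifact, who recorded it and when, and the hash of the previous record, so that editing, inserting or deleting any record breaks every later link. The control identifiers, actors and artifact bytes are constructed.

```python
"""Append-only, hash-chained evidence locker for control evidence.

Added illustration; not from the original post. Records, actors and artifact
bytes are constructed placeholders.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # fixed anchor for the first record's prev_hash


def _canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class EvidenceLocker:
    def __init__(self):
        self.entries = []

    def append(self, control_id, actor, artifact, recorded_at, note=""):
        """Record evidence for a control; returns the new record's hash."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        record = {
            "seq": len(self.entries),
            "control_id": control_id,
            "actor": actor,
            "recorded_at": recorded_at,  # ISO 8601 timestamp supplied by the caller
            "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
            "note": note,
            "prev_hash": prev_hash,
        }
        record["entry_hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record["entry_hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad record)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry.get("seq") != i
                    or body.get("prev_hash") != prev_hash
                    or hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]):
                return False, i
            prev_hash = entry["entry_hash"]
        return True, None

    def head(self):
        """Hash of the latest record: the value to anchor outside the locker."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH


def build_sample_locker():
    """Three constructed evidence records; artifacts are placeholder bytes."""
    locker = EvidenceLocker()
    locker.append("KEV-PATCH-FW-01", "ops.jdoe", b"patch report for fw-01 (constructed)",
                  "2023-06-01T14:03:00Z", note="firewall updated to fixed release")
    locker.append("BACKUP-RESTORE-TEST", "ops.asmith", b"restore test log (constructed)",
                  "2023-06-15T09:30:00Z")
    locker.append("ACCESS-REVIEW-Q2", "sec.mlee", b"quarterly access review export (constructed)",
                  "2023-06-30T17:45:00Z")
    return locker


def tamper_demo():
    """Show that edits and deletions are detected; returns the three verify results."""
    intact = build_sample_locker().verify()

    edited = build_sample_locker()
    edited.entries[1]["note"] = "backdated: test actually skipped"  # silent edit
    after_edit = edited.verify()

    truncated = build_sample_locker()
    del truncated.entries[1]  # a record removed from the middle
    after_delete = truncated.verify()
    return intact, after_edit, after_delete


if __name__ == "__main__":
    intact, after_edit, after_delete = tamper_demo()
    print("intact chain:", intact)
    print("after editing record 1:", after_edit)
    print("after deleting record 1:", after_delete)
```

The chain only proves tampering if the `head()` value is anchored somewhere the locker's own custodian cannot rewrite: periodically signed with a key held outside the system, written to WORM storage, or lodged with a third party. Without that external anchor an insider with write access can simply rebuild and rehash the whole chain, which is why the "chain of custody protocol" matters as much as the hashing.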
This “Cybersecurity Paradigm Shift” is a worldwide phenomenon. Australia is one of the leading countries with regulations that are designed to treat cybersecurity risk holistically, as a business risk. The EU is also implementing regulations that will change how cybersecurity is managed by companies, with hefty fines for those that fail to comply. Risks to the economy and even human health are becoming a concern that regulators now recognize, and they are taking steps to elevate those cybersecurity methods to the attention of top management. The US FDA now requires medical device manufacturers to address CISA KEVs (see page 31 of the September 2023 FDA Guidance Document). SEC regulations make it clear that management owns cybersecurity processes and practices, and their failures, and will be held accountable. Energy companies across the US that are public companies will be subject to these SEC regulations. Software consumers will be one of the many beneficiaries of this paradigm shift as more software products are identified as "trustworthy" using a cyber trust mark registered in a "Trust Registry", similar to a "Registry of Deeds" type of service where only legitimate "trust labels" are allowed for registration in the Trust Registry. We must have a trust anchor for the digital world. A trust anchor is key to radical transparency and to the ability for people to ascertain and verify trust in "digital things", to prevent them from becoming victims of cyber-crime. Collaboration is a critical success factor to achieving a foundation of international trust in digital products.
We are just at the beginning of this cybersecurity paradigm shift, but momentum and motivation are strong, with regulators providing much of the motivation for much needed change. We should expect to see more changes like this one as the paradigm shift continues. It's time to "THINK DIFFERENT" about cybersecurity and call it what it really is, "Cyber Risk Management" as part of Business Risk Management.
Watch out for those CISA KEV cyber-icebergs in your path, they can ruin your day. Don’t ignore those CISA KEV alarm bells.
I hope you can join us for the PowerSession on December 14 where an expert set of panelists representing the Board Room to the front lines of critical infrastructure operations will discuss preparations for the SEC Cybersecurity Regulations that go live in December 2023.