The U.S. is overdue for a dramatic shift in its cybersecurity strategy–but change is finally coming
In 2021, ransomware attacks hit 649 U.S. critical infrastructure entities, according to the FBI. Even worse, the FBI’s Internet Crime Complaint Center (IC3) revealed that “of the 16 critical infrastructure sectors … 14 sectors had at least one member that fell victim to a ransomware attack in 2021.” Almost 90% of all U.S. critical infrastructure sectors were hit by a successful ransomware attack in 2021. It’s a dismal and harrowing reality.
U.S. critical infrastructure has long had a very large and obvious target on its back. But in the past four years, as our entire world has become increasingly digital, cyberattacks on our nation’s most valuable assets have become incessant–and increasingly catastrophic. This unfortunate fact pattern is the reason why the Cybersecurity and Infrastructure Security Agency (CISA) was formed in 2018. CISA, the “quarterback for the federal cybersecurity team,” was created to work across sectors to bolster national resilience in cyberspace.
Since that time, the threat landscape has shifted drastically. In the past two years alone, more than 76% of organizations have been attacked by ransomware and 66% have experienced at least one software supply chain attack.
The world will spend nearly $170 billion on cybersecurity in 2022, and nearly $20 billion of that will be spent by the U.S. Federal Government–yet we’re still hemorrhaging losses to ransomware. It’s clear that the way we’re approaching cyber is wrong–and it’s on all of us. That’s why the 2023-2025 CISA Strategic Plan–the agency’s first document of its kind–is so highly anticipated, and frankly, such a big deal. It’s not only affirmation and acknowledgment of the problem (we’re moving much too slowly in a threat landscape that changes faster each day), but also outlines a new path forward: one predicated on resilience.
In fact, the very first objective (1.1) in the plan is to “enhance the ability of federal systems to withstand cyberattacks and incidents”–ensuring that “FCEB agencies are prepared for and able to rapidly recover from cyberattacks and incidents” and “maintain mission continuity during and after cyberattacks and incidents.” This is an evident and deliberate shift away from the traditional security approaches of keeping attacks out (prevention) and detecting them quickly when they break through the perimeter. Unfortunately, our track record is proving again and again that these tactics no longer reliably work.
The traditional security models that we’ve relied on for decades aren’t designed to solve the problems posed by a hyperconnected, digital-first landscape. Ransomware and bad actors are bound to breach the perimeter and evade detection. It’s the inevitable reality of today’s technology and data-enabled world.
And so now, finally, we enter the era of breach containment and resilience. Organizations are focusing on isolating and minimizing breaches to reduce the impact and recover much more quickly. We are focusing on enhancing visibility across networks, workloads, endpoints, and critical infrastructure since you can’t defend what you cannot see. Risk reduction and resilience are finally serving as the north star for cybersecurity.
We know that government and legislation tend to be slow-moving in nature. But in an industry as dynamic, fast-paced, and far-reaching as cyber, we have long been behind the ball when it comes to mandating and regulating cybersecurity strategy across both public and private industries. CISA’s plan demonstrates that even at the federal level, there is enormous value in pivoting as the circumstances change and the need for a new strategy becomes evident. The attackers are experts at failing fast and adjusting, and the defender’s job is to always be as agile, and hopefully a step ahead.
This plan is yet another industry calling card to rectify the way we approach national resilience and cyber at large. Organizations and agencies are going to be attacked. Breaches and ransomware will remain the norm and those are now operating assumptions that should be held as facts. What we can control is how much (or little) damage or operational fallout those breaches incite.
CISA is the first federal agency to acknowledge that not only is the threat landscape shifting, but the way we must approach and defend against today’s evolving threat landscape must dramatically change as well.
Andrew Rubin is the CEO of Illumio.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not reflect the opinions and beliefs of Fortune.
More must-read commentary published by Fortune:
- Recession or resilience? Here’s how the U.S., Europe, and Asia stack up
- Patagonia: ‘We are turning capitalism on its head by making the Earth our only shareholder’
- How Germany’s regulators beat the SEC in the race for crypto regulation–and convinced me to establish my business there
- Week-to-week management could be the solution to employers’ distrust of remote work
- Don’t spoil the unique chemistry between America’s universities and pharmaceutical companies
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.