
Last week, the White House released the updated National Cybersecurity Strategy for 2023—“A Path to Resilience.” It’s the first official update to the strategy since 2018, building on the 2020 Ransomware Memo that addressed a slew of high-profile attacks. In addition to identifying new trends and threats, the strategy aims to bolster critical infrastructures, U.S. intelligence and defense, and the global cyberspace as a whole—and we all have an important role to play.

The strategy comes just in time as innovations in AI and quantum computing raise questions about not just opportunities but threats. As you review the key objectives and recommendations, ask yourself: Is my security architecture resilient?


New Threats Require New Defenses

“[As we build] next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent.” – National Cybersecurity Strategy

Many of the report’s objectives are in response to new technologies that aren’t just making their way into our lexicon—they’re in the toolboxes of cybercriminals, too. Innovations from the last few years that could prove to be double-edged swords include:

  • Smart, connected digital supply chains
  • Quantum computing, with “the potential to break some of the most ubiquitous encryption standards deployed today,” requiring “replacement of hardware, software, and services that can be easily compromised”
  • Artificial intelligence—with tools like WormGPT just scratching the surface of what AI will do in the wrong hands
  • Analog → digital operations, as transformation remains a post-pandemic priority
  • Telemedicine—convenient, but creating more of the types of data hackers want most

The strategy also addresses ransomware further, promising global collaborations to dismantle ransomware and state-sponsored cyber espionage.

The overall goal: to lighten the load on individual organizations and users. It’s a step in the right direction, but there are many fronts in the war against cybercrime, and the most important one will almost always be in your own data center.

A Spotlight on Critical Infrastructure

The pipeline disruption of 2021 taught us a valuable lesson: Taking out one critical infrastructure provider can have a devastating ripple effect. The 2023 strategy includes new mandates that infrastructure providers, including water, power grids, rail, and pipelines, must meet a baseline of cybersecurity standards, because it is a known fact that nefarious nation-state attackers have already infiltrated a number of our nation’s critical infrastructure assets.

Even if your organization is not among these, it’s an approach worth emulating. Now is the time to be vigilant and take steps to protect the digital assets most important to your business. You may not have time to do so once more attack floodgates open.

Key Pillars and Objectives to Note

Here are the objectives I believe will be most relevant for C-suite leaders and IT decision-makers as they build more resilient infrastructures and harden data security policies:

1. Invest in a resilient future 

It’s the fourth pillar, but the most critical in my opinion. The federal aim is to “realign incentives to favor long-term investments in security, resilience, and promising new technologies.” Those investments add up to one concept: a tiered resiliency architecture. A three-tiered resiliency architecture can protect your entire data estate; I outlined how to do this in this article. It’s the best way to have every chance at recovering after a security event.

According to the strategy, investing in a resiliency architecture means: 

  • Reducing vulnerabilities in foundational technology—including critical infrastructure such as storage, which should be capable of tiered backups, immutable snapshots, and fast recovery times.
  • Staying on top of emerging technologies, such as encryption capable of standing up to quantum-powered hacking attacks. 
  • Digital identity solutions with the “right” controls to limit or prevent compromise.
  • Deploying a clean energy infrastructure to build in another layer of resilience from increasing energy costs and outages.
  • Training everyone to be a security expert. It’s a field that’s in demand and we need skilled experts. Beyond multifactor authentication and password strategies, everyone should keep security top of mind.

Read more: What Is a Resiliency Architecture and How Do You Build One?

2. Defend critical infrastructure

In addition to modernizing its own systems, the government is working to mitigate widespread disruptions that can occur when critical infrastructures are taken out at the knees. New regulations for this sector (including aviation, rail, oil and gas, energy, and more, along with their third-party providers) will require mandatory compliance with updated frameworks.

Called out in the priorities are:

For the private sector, note a CISA-led objective to improve coordination of federal incident reporting and response, should you need assistance in recovery efforts. 

Read more: How to Put CISA’s “Shields Up” Recommendations Into Action

3. Target and disrupt threat actors

The administration has vowed to use “all instruments of national power” to target malicious actors, tapping the expertise and resources of the private sector but also directly targeting ransomware attackers. That means knowing who they are and what they’re after. The strategy specifically calls out:

  • Discouraging companies from paying the ransom—which requires you to have a resilient architecture with secure backups as a component to make paying ransoms a moot point
  • Scaling up disruption campaigns
  • Improving DoD cyberspace operations
  • Improved bi-directional intelligence sharing—in which CISA can share warnings and give private organizations means to share classified threats through “hubs” for more organized reporting efforts
  • Targeting illicit cryptocurrency exchanges 

To do your part and best leverage these resources, you’ll want fast, accurate, accessible security logs, SIEM with powerful underlying storage technologies, and backup plans for the forensic process.

4. Shape market forces to drive security and resilience

A key theme in the strategy is reducing the onus on individuals and small businesses while the attack surface area continues to expand with third-party providers, software as a service, and increased connectivity. Enforcing more and better data compliance and privacy policies will hopefully help hold “sellers of software and hardware to be liable if they fail to employ recognized security development practices.”

This pillar aims to incentivize security and resiliency by holding organizations more accountable for data security, enforcing:

  • Protection of sensitive personal data by limiting collection and use. It’s a good time to check in on your compliance best practices.
  • Development of secure IoT devices
  • Liability for vulnerabilities in software
  • Required compliance of any federal vendors (e.g., FIPS or SOC 2 Type II)

The government is also exploring the possibility of a cyber insurance “backstop” fund to help with catastrophic security events.

5. Forge international partnerships

The government will continue to engage with foreign countries to promote “an open, free, secure Internet.” It’s no small feat, but collaboration and communication are vital to shrink attack surface areas, counter threats, secure global supply chains, and support one another after an attack.

While the government works to promote “responsible state behavior” and give allies their best shot at cybersecurity resilience, the fact remains that organizations will be a target as long as they’re in operation. For you, this means staying diligent and preparing for a worst-case scenario. At Pure, we help customers not only prepare for the worst but recover from it in record time.

How Can You Stay Ready? Get Proven, Layered Resiliency with Pure Storage

The strategy notes that it doesn’t expect all organizations to be ready now, or even within the next decade. But it is possible to be ready now—and your business could depend on it.

The most effective way to do this is to create a tiered resiliency architecture, allowing your business to recover in seconds or minutes vs. hours or days:

  1. Tier 1: Primary, mission-critical data and secure backups. Store applications critical to operations and three to seven days of SafeMode™ Snapshots. Depending on your application’s performance requirements, you could use FlashArray//X™, FlashArray//XL™, or FlashArray//C™ to create this layer.
  2. Tier 2: Affordable second-tier data, snapshot archives, and forensic data. Maintain offloaded tier-1 snapshots affordably (preferably 6-12 months) and data required for forensics after an attack. Build a replica archive for “longer-term” storage (6-12 months—or longer, if possible) on FlashArray//C, FlashBlade//S™, or FlashBlade//E™.
  3. Tier 3: Fast backup tier. This tier is for extreme scenarios and long-term retention for compliance or applications that don’t warrant snapshots. Use FlashArray//C, FlashBlade//S, or FlashBlade//E to replace traditional spinning disk backups.
  4. Tier 4: A one-way data bunker. For large-scale disasters, data bunkers are highly secure and provide extra, optional disaster recovery sites behind primary and secondary backup sites. You could store years of data at the Tier 4 layer on FlashArray//C or FlashBlade//S, or public cloud S3 targets and cloud-adjacent bare metal services such as Equinix Metal. 

Pure is also now offering what other storage providers can’t: a ransomware recovery SLA in Evergreen//One™ that includes next-business-day shipping of clean recovery array(s) so you have a clean environment to recover to after a cyber event*. It’s the ultimate peace of mind in this evolving cyberthreat landscape, and one more way to ensure business resilience.

*If shipping to North America, Europe, or the UK. For Asia-Pacific, it will be 48 hours.