Last week continued the deluge of documents and activity from the US Government on the nation’s cybersecurity. The two most important for OT security were the 2024 Report On The Cybersecurity Posture Of The United States and the National Cybersecurity Strategy Implementation Plan.
Let’s start with the Cybersecurity Posture of the United States. The document’s first paragraph:
The 2024 Report on the Cybersecurity Posture of the United States assesses the cybersecurity
posture of the United States, the effectiveness of national cyber policy and strategy, and the
status of the implementation of national cyber policy and strategy by Federal departments and
agencies.
The report doesn’t “assess the cybersecurity posture of the United States”, which would provide some information on “the effectiveness of national cyber policy and strategy”. It is almost entirely “the status of implementation” of a variety of government efforts and activity. This and that document were published. This effort was stood up. This program was funded. Lots of money spent and lots of activity.
33 of these 36 (92%) initiatives were completed on time and three remain underway. An additional 33 NCSIP Version 1 initiatives have completion dates over the next two years and are on track.
Remember Coach Wooden’s wise words “never mistake activity for achievement”.
The Posture document claims improvement.
Over the past year, U.S. national cybersecurity posture improved, driven by steady progress
towards the 2023 National Cybersecurity Strategy’s (NCS) vision of a defensible, resilient, and
values-aligned digital ecosystem achieved through fundamental shifts in the underlying
dynamics that shape cyberspace.
Who knows? There may be improvement, progress. The document was almost entirely absent of any achievement or results metrics, and none seem to be likely next year at this time. One of the only achievement or posture metrics in the report is the number of ransomware incidents and total costs.
Following a brief decrease in 2022, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received a 22% increase in reported ransomware incidents from American victims. Reports to the IC3 also reflected a 74% increase in the cost of ransomware incidents in 2023, relative to 2022.
Not evidence of an improved posture. One other metric in the report:
The FBI’s Internet Crime Complaint Center Recovery Asset Team streamlines communications
with financial institutions and FBI field offices to assist with freezing, seizing, and returning
funds for victims and had a 71% success rate in 2023.
While not OT related, total number of claims and total amount of claims along with returned funds could useful metrics if compared year over year.
There’s a lot of discord in the documents themselves. On one hand the USG asserts they are doing good work and on the other hand they warn things are worse than ever. Volt Typhoon being a prime example of a posture that would described as worse if a key adversary “gained access to critical infrastructure”.
the PRC’s pre-positioning activity is a threat unlike any America has previously faced. In 2023, a PRC actor tracked as Volt Typhoon gained access to critical infrastructure in the United States and the Indo-Pacific region.
The documents lack any serious discussions of what didn’t work and lessons learned. It’s all going according to plan. We only need more resources and keep down this path. Again, I can’t say they’re wrong. The absence of anything but activity metrics could be hiding success as well as failure.
After pleading for metrics for years, I’ve promised to provide a handful of OT metrics that I believe would be helpful for the government to track, and that we can track independently if the government continues to avoid measurement. My first metric was out two weeks ago, impacted people days. I’ll get off my butt, and write the other four up before the end of June.
Version 2 of the National Cybersecurity Strategy Implementation Plan is more of the same as the Cyberspace Solarium Commission Recommendations and Version 1 of the Implementation Plan. You can get a feel for it just by reading the first few words of each initiative in the roll-up / summary section:
- Establish an initiative
- Set cybersecurity requirements
- Increase agency use
- Promote adoption of
- Explore
Those are the first five and they are followed by many establish, explore, investigate, promote … Things that can certainly be accomplished, as 33 of 36 were this year, but do they make a difference in the national cybersecurity posture? I have my thoughts and analysis, but I don’t know. And the USG either doesn’t know or chooses not to share.