U.S. President Joe Biden laid out his plans to secure the future of America’s digital ecosystem in the latest US National Cybersecurity Strategy, released March 2nd by the White House. The 32-page paper spells out five pillars in support of the objective of a “connected future” that, it acknowledges, must rely on “the cybersecurity and resilience of its underlying technologies and systems”.
Eventually “the strategy will position the United States and its allies and partners to build digital ecosystems together, making it more easily and inherently defensible, resilient and aligned with our values”.
This is a JFK moment for America and the West – to execute these objectives “not because they are easy, but because they are hard.” And necessary, IMHO.
So what are the five pillars?
The five pillars are itemized as:
- Pillar One | Defend Critical Infrastructure
- Pillar Two | Disrupt and Dismantle Actors
- Pillar Three | Shape Market Forces to Drive Security and Resilience
- Pillar Four | Invest in a Resilient Future
- Pillar Five | Forge International Partnerships
The first two objectives are self-explanatory, given all the hacks and the take-down of Colonial Pipeline. The third pillar is almost a JFK moment of the White House challenging the western software industry to step up “their game” in cybersecurity. The fifth pillar is a call-out to our international partners and allies that we see this as a collaborative effort.
The one this blog will focus on is Pillar #4, “Invest in a Resilient Future”.
Pillar Four | Invest in a Resilient Future
I applaud the inclusion of this section. We innovators, especially those of us in the identity field, realize that a secure future must include secure identity.
And the preamble of the section is a call-out to those of us in security to lead:
Decades of adversaries and malicious actors in or influence our electoral process, and undercut our national defenses—has demonstrated that leadership in innovation without security is not enough.
The key section for identity is Section 4.5
It is good to see that the document recognizes that identity has to be the foundation of a secure cyber system.
The Federal Government will encourage and enable investments in strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy and economic growth.
The section goes on to discuss the importance of NIST-led guidance under the CHIPS and Science Act.
It is important to note how central the work NIST has done, and will continue to do, is to the security guidance and edicts used not only by the rest of the US government but by industry in general.
Amongst experts there is a strong belief that both the guidance and the regulations, and thus the fines and penalties, will be based on the NIST best-practice documents. Most of this guidance references NIST SP 800-53 r5 and the Cyber Security Framework.
This document specifically calls out best practices for identity. Of relevance to identity, and specifically to identity attestation, are:
- PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
- PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
- PR.AC-6 Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
These controls will no doubt be part and parcel of any future guidance and regulations around identity security.
To YouAttest, the most interesting part of the section was this piece:
“and develop digital identity platforms that promote transparency and measurement”
There is no question that attestation, and thus YouAttest, will be part of whatever identity platforms the future brings. The practice of least privilege (PR.AC-6) cannot exist without identity attestation, and thus user access reviews.
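One way to turn PR.AC-1, PR.AC-4 and PR.AC-6 into a concrete user access review, as an added example that is not YouAttest’s code and not part of the strategy document: each account’s entitlements are compared against a constructed role baseline, and stale or unattested credentials are flagged for revocation or follow-up. The roles, entitlement names and inactivity threshold are all assumed sample values.

```python
from dataclasses import dataclass

# Role baselines: entitlements each role legitimately needs (constructed sample data).
ROLE_BASELINE = {
    "analyst": {"read:tickets", "read:logs"},
    "admin": {"read:tickets", "read:logs", "write:users", "admin:console"},
}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    days_since_login: int
    attested: bool  # a manager signed off on this account in the current review cycle

def review_account(acct, inactivity_days=90):
    """Return (code, detail) findings for one account; an empty list means it passed.
    EXCESS: entitlement outside the role baseline (PR.AC-4 / PR.AC-6).
    INACTIVE: credential unused past the threshold, a revocation candidate (PR.AC-1).
    UNATTESTED: nobody has attested to the account this cycle.
    UNKNOWN_ROLE: no baseline exists, so every entitlement is treated as excess."""
    findings = []
    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        findings.append(("UNKNOWN_ROLE", acct.role))
        baseline = set()
    for ent in sorted(acct.entitlements - baseline):
        findings.append(("EXCESS", ent))
    if acct.days_since_login > inactivity_days:
        findings.append(("INACTIVE", f"{acct.days_since_login}d"))
    if not acct.attested:
        findings.append(("UNATTESTED", ""))
    return findings

def run_review(accounts, inactivity_days=90):
    """Map each user with findings to that list; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, inactivity_days)
        if findings:
            report[acct.user] = findings
    return report

SAMPLE_ACCOUNTS = [  # constructed sample accounts for one review cycle
    Account("alice", "analyst", {"read:tickets", "read:logs"}, 5, True),
    Account("bob", "analyst", {"read:tickets", "read:logs", "admin:console"}, 12, True),
    Account("carol", "admin", set(ROLE_BASELINE["admin"]), 120, False),
    Account("dave", "contractor", {"read:logs"}, 3, True),
]
```

Running `run_review(SAMPLE_ACCOUNTS)` leaves alice out of the report and flags bob’s admin console access, carol’s inactive and unattested admin account, and dave’s undefined role.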
Equally interesting is the call-out for “measurements” – e.g. metrics for cybersecurity. For this – please contact us at YouAttest, and we’ll be happy to share under NDA!