In the midst of the Russian invasion of Ukraine, escalating tensions between China and Taiwan, and the rise of cyberattacks on critical infrastructure like power plants and water-processing facilities, the US government faces the challenging task of safeguarding its cyber defenses. MITRE, a nonprofit tech and engineering consultancy, has put forth a set of priorities for the incoming presidential administration to address, regardless of who wins the 2024 election.
MITRE’s memo titled “Don’t Trust but Verify: Strengthening U.S. Leadership To Safeguard Our Cyber Defenses” highlights key areas that need urgent attention. These include preparing for advancements in quantum computing, protecting critical infrastructure, clarifying leadership roles in cybersecurity, and implementing a zero-trust framework within the federal government.
The first priority outlined by MITRE is to protect critical infrastructure. The organization calls on the US Department of Homeland Security (DHS) to update recovery plans for the sector within six months and integrate large-scale critical infrastructure attacks into its National Preparedness System. MITRE recommends conducting simulations similar to natural disaster drills to test reactions to cyber incidents, and upgrading legacy systems to comply with zero-trust principles such as microsegmentation. The use of software bills of materials (SBOMs) should also be enforced, with a focus on listing “cryptographic details.” Additionally, within 90 days, the federal government should find ways to assist local and state governments in enhancing their security practices.
The second priority emphasized by MITRE is the implementation of zero trust and SBOMs. To better protect critical infrastructure, the federal government should transition fully to a zero-trust model and mandate secure software development through SBOMs within the initial six months of the new administration.
The third priority set by MITRE is to prepare for the era of quantum computing. The organization advises the federal government to assess its readiness for post-quantum cryptography (PQC) based on National Institute of Standards and Technology (NIST) standards within six months. MITRE suggests leveraging cryptographic data from SBOMs to identify systems in need of upgrades and recommends seeking guidance from the PQC Coalition, an industry group focused on ensuring compliance with NIST’s PQC standards.
Lastly, the fourth priority outlined by MITRE is the need to clarify and strengthen cybersecurity authorities. The organization proposes a comprehensive mapping of the roles and responsibilities of cybersecurity leaders across key government offices within the first 90 days of the new administration. MITRE suggests expanding the authority of relevant personnel as necessary and considering the possibility of spinning out the Cybersecurity and Infrastructure Security Agency (CISA) as an independent entity separate from the DHS.
In conclusion, MITRE’s recommendations reflect the evolving and complex nature of cybersecurity threats facing the US government. By prioritizing the protection of critical infrastructure, implementing zero-trust measures, preparing for quantum computing, and enhancing cybersecurity authorities, the federal government can better safeguard its cyber defenses in the face of escalating cyber threats.

