Commentary from Adam Maruyama, Garrison Technology: 2024 Cyber Posture Report from the White House
May 2024 by Adam Maruyama, Field CTO, Garrison Technology
During RSA week last week (May 7), the Office of the National Cyber Director/Executive Office of the President released the 2024 Report on the Cybersecurity Posture of the United States. It came out to almost zero fanfare.
Comments from Adam Maruyama, Field CTO, Garrison Technology, follow.
Regarding the challenge outlined by the posture report:
“The posture report astutely acknowledges the underlying structural challenges posed by a software-based cyber ecosystem where attackers almost always have the advantage of making the first move against unpublished vulnerabilities, while defenders are forced to reactively respond by isolating compromised systems and developing and deploying patches. We’ve seen this trend get even worse over the past many months as attackers are finding vulnerabilities in the underlying enforcement and management components in the very cybersecurity applications used to secure organizations’ systems. CISA’s ‘Secure by Design’ initiative rightly tries to address the urgent symptoms of this problem by providing near-term tactical guidance for developers of security-related software – guidance to which more than 60 companies committed at RSAC 2024. But this doesn’t shift the fundamental first-mover advantage that attackers enjoy. To secure the strategic cybersecurity advantage in the long term, governments, companies, and vendors must collaborate to integrate not only secure-by-design software, but also strategically placed fixed-function hardware that can rigorously enforce security at the riskiest points in the network – such as connections to the open Internet.”
Regarding the increasingly sophisticated ransomware threat:
“The level of collaboration amongst ransomware groups that was highlighted in the report is particularly concerning in parallel with the increasing maturity of generative AI models for reconnaissance, human-targeted content generation, and malicious code generation. Yet even as the threat of ransomware has grown to a national security and economic concern for the US and UK governments, the mechanism to prevent human-vector ransomware attacks via phishing and malicious websites – phishing simulations and asynchronous training – has not. It is time for cybersecurity teams to stop expecting users to detect AI-generated content or well-obfuscated links and institute a combination of technical controls that remove the risk from malicious code and visible real-time indicators of risk to empower employees with the information they need to make risk-informed decisions.”