Bipartisan Cybersecurity Legislation — Continuing the Progress in 2022

Whether it’s government networks storing sensitive information or critical infrastructure systems, no entity is immune to cyber adversaries. Fortunately, the strong bipartisan consensus on cybersecurity threats has led to bipartisan interest in cybersecurity legislation.

At Palo Alto Networks, we appreciate the collaborative spirit on Capitol Hill, working with a wide range of stakeholders to get policy right. With the 2022 legislative calendar now in full swing, we see cybersecurity policy activity coalescing around several worthwhile pillars of activity.

Investing in Proactive Cyber Resilience

The American people understand the value of filling potholes on the streets and have recognized that our “digital potholes” demand equal attention. While there’s no silver bullet, we can’t ignore the economics. Better cybersecurity outcomes demand more dedicated cybersecurity investment.

History has taught us that investing in cyber resilience before something bad happens will almost always be cheaper in the long run. That’s why Palo Alto Networks was encouraged to see a State and Local Cybersecurity Grant Program included as a key provision in the Infrastructure Investment and Jobs Act.

The funds provided from this grant program will be cybersecurity game changers for jurisdictions all across the country. Similarly, the cybersecurity plans required to unlock those funds will promote a broad culture of cybersecurity vigilance that benefits us all. The multi-entity grant eligibility will promote innovative investments, such as security operations centers that span state lines.

Properly resourcing the Cybersecurity and Infrastructure Security Agency (CISA) will act as a force multiplier to ensure that investment in cybersecurity resilience is met with technical assistance and services to help organizations with capacity building. Both the House and Senate continue showing eagerness to fund CISA’s necessary maturation.

Investing in cybersecurity resilience will be foundational in gaining the upper hand on the ransomware epidemic. The White House has demonstrated strong leadership both domestically and internationally on this issue. That focus, coupled with dedicated funding, can meaningfully move the needle.

Centralized Visibility Across Attack Surfaces

You can’t secure what you can’t see. Persistent visibility gaps across federal networks, state and local governments, as well as the critical infrastructure community, have weakened our national cybersecurity posture.

We applaud Chairman Peters, Ranking Member Portman, Chairwoman Maloney, and Ranking Member Comer for drafting bipartisan language to fundamentally overhaul the Federal Information Security Management Act (FISMA). Their legislative proposals will make necessary, foundational changes to .gov security that will help promote continuous, real-time and centralized visibility across 100+ civilian departments and agencies.

Codifying these improvements will represent valuable follow-through from the May Executive Order on Improving the Nation’s Cybersecurity.

The SolarStorm cyber espionage campaign, and a string of high-profile ransomware incidents that followed, helped solidify a bipartisan consensus in Congress on the importance of providing regulatory clarity to cybersecurity incident reporting requirements. These proposed regimes will help enhance visibility across attack surfaces, but must be carefully crafted to ensure operational feasibility for the entities they apply to. The principles contained in this multi-association letter represent a worthwhile North Star, and we appreciate lawmakers and staff who earnestly listened to feedback. Bipartisan incident reporting legislation was almost included in the FY22 NDAA and is a prime candidate to be pushed across the finish line this year.

Further Integrating Security Into Digital Innovation

Bolting on security on top of legacy infrastructure will result in lackluster cybersecurity outcomes. For emerging technologies like 5G, building security directly into the service offerings is absolutely critical. We ultimately see vendor-trust and secure-by-design principles as complementary concepts.

Palo Alto Networks is proud to be the leader in 5G security, having announced a partnership with DISH to provide 5G container security, secure network slicing, real-time threat correlation and dynamic security enforcement. These will provide key security components in the nation's first cloud-native, Open RAN-based 5G broadband network. We’re also pleased to have been selected as a technology partner in NIST’s National Cybersecurity Center of Excellence’s 5G Cybersecurity Project.

Congress’ attention to 5G security is commendable. The USA Telecommunications Act, enacted into law through the FY21 NDAA, represents an important step forward in supporting the deployment and use of Open RAN 5G networks. We were particularly pleased to see this provision included in the grant criteria: “promoting and deploying security features enhancing the integrity and availability of equipment in multi-vendor networks.”

The Open RAN Policy Coalition’s paper, “Open RAN Security in 5G,” outlines how enterprise-grade security can bring new capabilities and advantages to 5G that can improve security for traditional and Open RAN architectures. It’s now incumbent on Congress to fund this important legislation, so the work can get started in earnest.

Another key element of better integrating security and digital innovation is recognizing that cybersecurity and IT modernization are inextricably linked. The FISMA reform efforts, mentioned above, include key provisions to ensure that federal government IT modernization (stemming from the Technology Modernization Fund) properly elevates cybersecurity considerations. We continue to support efforts to properly fund and optimize the TMF.

Whole-of-Society Cyber Workforce Effort

We’ve all heard the sobering statistics on the cyber workforce shortage – close to half a million unfilled cybersecurity positions in the United States alone. A layered, full-court press approach is the only way we’ll begin to close this gap.

Palo Alto Networks was proud to help shape the first ever national K-12 cybersecurity standards, released by Cyber.org in August. These curriculum standards centered around computing systems, digital citizenship and security will be foundational in building a domestic pipeline of future cybersecurity professionals.

This development can take place outside of the classroom as well. In 2018, Palo Alto Networks partnered with the Girl Scouts of the United States, creating the first-ever cybersecurity badge program. Now, well over 270,000 badges have been earned across all corners of the country.

Congressional interest continues to put wind in the sails of both federal and non-federal cyber workforce efforts. Senator Ossoff’s bipartisan Cybersecurity Opportunity Act provides funding for cybersecurity training programs at historically black colleges and universities. This is a worthy endeavor to promote diversity in our cybersecurity talent pipeline. Increasing interest and diversity in cybersecurity careers, coupled with a focus on automation to maximize the skillsets of cybersecurity professionals, should be mutually reinforcing aspects of the workforce solution.

Resilient ICT Supply Chains in an Interconnected World

We live in an increasingly interconnected world of hardware, software and services whose component parts – both physical and digital – have complicated global supply chains.

The global bottleneck of semiconductor production has become particularly acute throughout the COVID-19 pandemic. The CHIPS for America Act was included in the FY21 NDAA, but has yet to be funded. We encourage Congress to push this funding across the finish line as soon as possible.

The Executive Branch is also in the process of operationalizing the Federal Acquisition Security Council (FASC) to better coordinate exclusion and removal orders of technology deemed untrustworthy. This model represents improvement on the current “whack-a-mole” landscape. We hope that a transparent and consistent risk formula will reduce stakeholder confusion and increase federal network resilience. As the FASC continues its maturation process and as Congress contemplates extending it, we encourage looking for automated tools to help ensure compliance.

Our commitment to being part of the ICT supply chain risk management solution runs deep. We’ve been a core participant in DHS’ ICT Supply Chain Risk Management Task Force since day one. We are pleased to see our internal culture of supply chain resilience highlighted by NIST as a best practice.

Strengthening Operational Collaboration

Information sharing between government and industry has been a hallmark of the cybersecurity partnership model for the last decade. Increasingly, we’ve seen welcome recognition that information sharing must be a springboard for even deeper integration – often called operational collaboration.

The FY21 NDAA included a provision that led to the creation of the Joint Cyber Defense Collaborative (JCDC), bringing together industry and key government partners. We are proud to be a founding alliance member in this effort. The goal here is to not just share information, but collaborate hand-in-glove, using this shared information to increase resilience. The benefits of this model were seen firsthand during the response efforts to Log4j. There is bipartisan legislation to double down on this concept, through a proposed Cyber Threat Information Collaboration Environment, currently working through Congress.

We are encouraged to see lawmakers interested in maximizing the results from cybersecurity public-private partnerships. The shift from information sharing to information enabling bodes well for the long-term resilience of the cybersecurity ecosystem.