ONCD releases 2024 report on the cybersecurity posture of the U.S.

On May 7, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States. This new document is a report card on how well cyber policy followed the guidelines set by the National Cybersecurity Strategy, introduced in March 2023.

Here’s what you need to know about the newly released report.

Over the past year, the U.S. national cybersecurity posture was driven by the 2023 National Cybersecurity Strategy’s vision of a defensible, resilient and values-aligned digital ecosystem.

This vision is based on two fundamental shifts in the allocation of roles, responsibilities and resources in cyber space, which are:

1. Rebalancing the responsibility to defend cyber space away from end users and to the most capable and best-positioned actors in the public and private sectors, and
2. Realigning incentives to favor long-term investments in future resilience.

The Federal Government was tasked to complete 36 initiatives by the second quarter of 2024. A total of 33 out of 36 (92%) initiatives were completed on time. The three initiatives that remain underway include:

• Developing an action plan to continue to secure unclassified Federal Civilian Executive Branch Systems
• Increasing the speed and scale of disruption operations
• Publishing a Notice of Proposed Rulemaking to change the Federal Acquisition Regulation to incorporate new requirements outlined in Executive Order 14028

As per the report, five key trends drove change in the strategic environment in 2023. These trends included:

1. Evolving risks to critical infrastructure: Nation-state adversaries are more willing to attack critical infrastructure with no inherent espionage value. Some intrusions could “enable disruption of operational technology systems in critical infrastructure and interference with U.S. and allied warfighting capabilities.”
2. Ongoing ransomware attacks: Threat groups increasingly collaborate on malware development, attack execution and ransom collection. This specialization makes ransomware especially potent and effective.
3. Supply chain exploitation: Adversaries are taking advantage of complex and interconnected relationships between suppliers, customers, vendors and service providers. The compromise of a single node can grant surreptitious access to victims worldwide.
4. Commercial spyware: Spyware enables threat actors to access devices remotely, extract content and manipulate components without the device owners knowing. Spyware lets hackers target journalists, activists, human rights defenders and government officials.
5. Artificial intelligence: The continued evolution of Artificial intelligence (AI) in 2023 presented opportunities and challenges for cyber risk management at scale. AI is a double-edged sword: it offers new possibilities as well as unprecedented risk.

The report included 12 core actions taken by the federal government during the period covered. Some highlights include:

1. Establishing cyber requirements to protect critical infrastructure: In the past year, new or updated cybersecurity guidelines went into effect for several agencies, including the TSA, SEC, FDA and DoD.
2. Enhancing federal cooperation and partnerships: CISA was named the National Coordinator for the Security and Resilience of Critical Infrastructure. Information sharing was enhanced with law enforcement, the intelligence community and critical infrastructure owners and operators.
3. Improving incident preparedness and response: The DOJ, FBI, CISA and U.S. Secret Service investigated cyber crime; employed threat experts for incident attribution and analysis; shared threat intelligence to inform victim responses; provided decryption capabilities or other mitigation tools; and assisted in freezing, seizing and returning extorted funds.
4. Disrupting and degrading adversary activity: All tools of national power are being recruited to counter cyber crime, including diplomatic, information, military, financial, intelligence and law enforcement capabilities.
5. Defending federal networks at speed and scale: Zero Trust principles are being adopted across the Federal enterprise, modernizing legacy technology systems and expanding the use of shared services.
6. Strengthening the National Cyber Workforce: As of March 2024, more than 90 organizations have made commitments in support of the National Cyber Workforce and Education Strategy (NCWES). Over 13,000 people were hired in cyber jobs, and over USD 280 million was invested in educating and transforming the cyber workforce.
7. Advancing software security to produce safer products and services: This includes advancing Secure by Design principles, Software Bills of Material (SBOM) and memory-safe programming languages. The goal is to shift responsibility for security onto organizations best positioned to mitigate risk.
8. Enabling a digital economy that empowers and protects consumers: A U.S. Cyber Trust Mark certification and labeling program for IoT devices was launched to promote competition and accountability.
9. Investing in resilient next-generation technologies: Initiatives have been applied across the clean energy sector and efforts related to artificial intelligence. Also, USD 70 million in funding went to enhance the security of electric cooperatives, and municipal and small investor-owned utilities.
10. Managing risks to data security and privacy: The Attorney General was authorized to prevent the large-scale transfer of Americans’ personal data to countries of concern. Protections extend to genomic data, biometric data, personal health data, geolocation data, financial data and certain kinds of personal identifiers that adversaries might exploit.
11. Enhancing resilience across the globe: Efforts are being made to build coalitions of like-minded nations to provide support to victims of ransomware and other cyberattacks, align national policy and promote secure and resilient global supply chains.
12. Advancing a rights-respecting digital ecosystem: This includes an affirmative vision of an open, free, global, interoperable, reliable, accessible and secure Internet. Also, measures are being taken to prevent the proliferation and misuse of digital technologies like spyware while shaping emerging technologies to align with democratic values and human rights.

Based largely on the 2024 Report on the Cybersecurity Posture of the United States, the Biden-Harris Administration recently released Version 2 of the National Cybersecurity Strategy Implementation Plan. A great deal was accomplished during the past year. Let’s hope the progress continues forward at speed.