The Augusta Group and 327 Solutions announce their education partnership
Cybersecurity is recognized as the biggest non-financial risk faced by Nation States and their public and private sector organizations.
This requires organizations to adopt a cybersecurity risk management strategy, procedures, policies and risk mitigation.
Cybersecurity is a global problem, requiring global solutions. U.S. and EU regulators are moving to regulate cybersecurity for Critical National Infrastructure (CNI) providers, financial institutions, public entities registered on U.S. capital markets, and infrastructure. This regulation sets requirements that public and private sector organisations must comply with for cybersecurity risk management. If these requirements are not harmonized between partner nations, they set different levels of cyber compliance between nations and their public and private sector firms.
Cyberattacks are increasing in complexity, frequency and financial impact. Invariably, national cyber strategies are offensive and not defensive in nature, and the defensive cyber strategies that exist do not address the needs of most public and private sector organizations.
All of this results in increasingly successful cyberattacks, increased costs of cyber compliance, higher cyber insurance premiums, and more recently a rise in cyber regulation. At a time when cyberspace is increasing in complexity, there is a global shortage of cyber talent, and corporate boardrooms face increased pressure to oversee and assure cyber risk.
The U.S. Federal government has been working unsuccessfully to resolve cybersecurity since Congress passed the Federal Information Security Management Act (FISMA) in 2002, which was modified in 2014 (Modernization).
FISMA requires the adoption of the Risk Management Framework (RMF, NIST SP 800-37 Rev. 2) by all Federal Agencies and their contractors, the development of C-SCRM policy, and the application of risk management practices that align with both FISMA and Office of Management and Budget (OMB) A-130 (‘Managing Information as a Strategic Resource’).
Regulators are moving rapidly to develop and implement cybersecurity risk management legislation, regulations and regulatory enforcement programs. These cybersecurity risk management programs need to be aligned globally to facilitate national sovereignty and national and international security.
Nations operate to different cybersecurity frameworks, standards and practices, and failure to consider these differences results in nations applying different levels of cybersecurity controls and security to their own and their partners' data. Failure to harmonise cybersecurity risk management practices has an adverse effect on national security and international trade.
Even though the Federal government has been working to resolve cybersecurity (Information) since Congress passed the Federal Information Security Management Act (FISMA) in 2002, modified in 2014 (Modernization), these laws have not been effective in reducing the impact from cyber events.
Cyber regulation, specifically the adoption of FISMA, is a reasonable solution to the management of cybersecurity risks. It is a solution that has been in place, but poorly adopted by Federal Agencies, since 2002.
Risk management, SCRM, and cybersecurity have been developing across the Federal Government since the passing of FISMA in 2002 and its update in 2014. Alongside this, the DoD is undergoing significant cyber-risk transformation to achieve superiority against all adversaries in all warfighting domains, including cyberspace. This means formalizing FISMA and the RMF across the Army, Navy, and Air Force, requiring the services to adopt a risk-based approach under DoD 8510.01 to weapon system cybersecurity, risk management and acquisition under DoDI 5000.90.
Copyright © 2021 Augusta GRC, LLC - All Rights Reserved.