
CISA Launches CI Fortify to Defend Critical Infrastructure From Nation-State Cyber Threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States.

The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems.

According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.

CI Fortify Initiative Focuses on Isolation and Recovery

Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks.

Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios. “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”

The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment.

The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies. CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.

Recovery Planning Central to Critical Infrastructure Resilience

Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions. The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections. CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways.

The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies. The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.

Security Vendors and Service Providers Asked to Support CI Fortify

The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts. Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues. Managed service providers and integrators are expected to assist organizations in engineering updates, local backup collection, and recovery documentation planning.

Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations. CISA also requested vendors share information related to tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.

Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy

The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors. CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts.

The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure. Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments.

Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts. With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.
  • Firewall Daily – The Cyber Express
  • OpenAI Expands Access to Advanced AI for Cybersecurity Testing, by Samiksha Jain

OpenAI Expands Access to Advanced AI for Cybersecurity Testing

OpenAI has announced a major expansion of its Trusted Access for Cyber (TAC) program, alongside the introduction of GPT 5.4 Cyber, a model designed to support defensive cybersecurity use cases. The move comes as the company prepares for more advanced AI systems in the coming months, with a focus on strengthening cyber defense while managing risks tied to increasingly capable models.

The expansion of the Trusted Access for Cyber initiative aims to onboard thousands of verified individual defenders and hundreds of security teams responsible for protecting critical software and infrastructure. The program is positioned as part of a broader strategy to scale cybersecurity defenses in parallel with advances in artificial intelligence.

Trusted Access for Cyber Program Expands for Wider Defender Use

At the center of the announcement is the scaling of the Trusted Access for Cyber program, which was first introduced earlier this year. The initiative is designed to provide vetted cybersecurity professionals with controlled access to advanced AI tools that may otherwise be restricted due to their dual-use nature.

With this expansion, OpenAI is introducing additional access tiers based on identity verification and trust signals. Individual users can now verify themselves through structured onboarding, while enterprises can request access for their teams. The goal is to extend advanced defensive capabilities to a broader group of legitimate users without opening the door to misuse.

The company says this approach reflects a shift away from manually deciding who gets access. Instead, it relies on objective verification methods such as identity checks and usage signals to determine eligibility.

GPT 5.4 Cyber Built for Defensive Cybersecurity Workflows

A key component of the expanded Trusted Access for Cyber program is the launch of GPT 5.4 Cyber, a specialized version of its latest model fine-tuned for cybersecurity tasks. Unlike general-purpose models, GPT 5.4 Cyber is designed to be more permissive in handling cyber-related queries. This allows security professionals to perform advanced tasks such as binary reverse engineering, vulnerability analysis, and malware investigation without facing restrictive safeguards that might otherwise block legitimate work.

However, access to GPT 5.4 Cyber is currently limited. OpenAI is deploying the model in a controlled manner to vetted security vendors, organizations, and researchers. This phased rollout reflects concerns around the dual-use nature of such capabilities, which could be exploited if widely accessible without safeguards.

Cybersecurity Strategy Focuses on Scaling Defenses with AI

The expansion of the Trusted Access for Cyber program is part of OpenAI’s broader cybersecurity strategy, which is built on three principles: democratized access, iterative deployment, and ecosystem resilience. The company argues that cyber risks are already widespread and growing, even before the rise of advanced AI. At the same time, AI tools are increasingly being used by both defenders and attackers. This dual-use reality has shaped OpenAI’s approach to gradually expanding access while strengthening safeguards.

Since 2023, OpenAI has supported cybersecurity efforts through initiatives such as its Cybersecurity Grant Program and the development of safety frameworks for AI deployment. More recently, it introduced tools like Codex Security, which helps identify and fix vulnerabilities across codebases. According to the company, Codex Security has already contributed to fixing thousands of high and critical vulnerabilities, highlighting the potential for AI to accelerate defensive workflows.

Balancing Access and Risk in Trusted Access for Cyber

A central challenge addressed by the Trusted Access for Cyber program is how to balance accessibility with security. Cyber capabilities are inherently dual-use, meaning the same tools that help defenders can also be used by threat actors. To address this, OpenAI is combining broader access to general models with stricter controls for more advanced capabilities. Higher levels of access require stronger verification, clearer intent signals, and greater accountability.

The company also notes that some limitations will remain in place, particularly in environments where visibility into usage is restricted. This includes scenarios involving zero-data retention or third-party platforms where monitoring is limited.

A Shift Toward Structured Cyber Defense Access

The expansion of the Trusted Access for Cyber program reflects a growing recognition that restricting access alone is not a sustainable cybersecurity strategy. As AI capabilities advance, defenders require equally powerful tools to keep pace with evolving threats. By focusing on verification and trust-based access rather than blanket restrictions, OpenAI is attempting to create a more structured model for deploying sensitive capabilities. This approach acknowledges the complexity of modern cybersecurity, where access to advanced tools can be both necessary and risky.

At the same time, the controlled rollout of GPT 5.4 Cyber suggests that concerns around misuse remain significant. The success of this model will likely depend on how effectively access controls and monitoring mechanisms can scale alongside adoption. As AI continues to reshape cybersecurity, initiatives like the Trusted Access for Cyber program highlight the challenge of enabling defenders without inadvertently empowering attackers.
  • Security Intelligence
  • CISOs drive the intersection between cyber maturity and business continuity, by Jonathan Reed

CISOs drive the intersection between cyber maturity and business continuity

3 February 2025, 11:00

The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility.

The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more cyber mature does not make organizations immune to threats; it makes them more resilient when they occur, enabling critical business continuity.” High-cyber-maturity organizations increasingly integrate cybersecurity risk strategies, security practices and trust-building approaches into their business and technology transformations. And it’s all enabled by a cyber-savvy C-suite and influential CISOs.

Let’s explore how cyber maturity enhances resilience, why cyber is now being integrated into broader business budgets and what organizations can do to bolster their business continuity.

The expanding role of CISOs in corporate strategy

Historically, CISOs were typically siloed within the IT department, focusing on technical and operational aspects of cybersecurity. However, as threats have evolved, so has the role of the CISO. According to Deloitte’s report, about one-third of organizations have seen a significant increase in CISO involvement in strategic conversations about business-critical technology decisions. Furthermore, approximately one in five CISOs now report directly to the CEO, marking a shift toward greater business alignment and visibility. This expanded role places CISOs alongside other senior leaders to guide decisions on digital transformation, cloud security, and supply chain resilience.

Emily Mossburg, Deloitte’s global cyber leader, notes that “many boards and C-suites now require or need further knowledge into potential threats, security vulnerabilities, risk scenarios and actions needed for greater resilience.” CISOs are increasingly tasked with not only understanding these complex cyber landscapes but also translating them into language that senior leadership and boards can act upon.

Cybersecurity as an integral business strategy

In high-cyber-maturity organizations, cybersecurity is embedded across operations, facilitating a seamless alignment between risk management and business goals. According to Deloitte, these organizations are more resilient when incidents occur, enabling critical business continuity by preparing for and swiftly responding to cyber threats. This proactive integration is not limited to IT. It extends into every function that touches digital infrastructure — from operations and finance to customer experience and product innovation.

In modern digitally interconnected ecosystems, a cyber incident affecting one partner could impact the entire supply chain. High-cyber-maturity organizations anticipate these risks by establishing protocols and response measures that enable them to recover quickly, ensuring continuity across all critical operations. Companies with lower cyber maturity, on the other hand, face longer recovery times and can suffer more severe impacts on their revenue, brand reputation and operational capabilities.

This integration of cybersecurity into broader strategic goals reflects a more nuanced understanding of cyber resilience. Instead of viewing cybersecurity solely as a cost center, leaders increasingly recognize it as a foundational element of business value and continuity. This understanding translates into better allocation of resources and a more balanced approach to cyber risk management.

Evolving cybersecurity budgets

As cybersecurity gains prominence within business strategy, budget allocations are changing to reflect its importance across multiple areas. Deloitte’s findings indicate that many organizations are beginning to integrate cybersecurity spending with other budgets, such as digital transformation, IT programs and cloud investments. This shift acknowledges the cross-functional impact of cybersecurity, particularly in organizations with complex, interconnected digital ecosystems.

The trend is mirrored by a recent IANS and Artico Search survey, which reported an 8% increase in cybersecurity spending this year, up from 6% in 2023. While modest, this increase suggests that organizations recognize the need for sustained investment in cyber resilience to keep pace with emerging threats, especially as AI and automation reshape the cyber landscape.

Integrating cybersecurity with broader budgets also aligns with the CISO’s role in risk quantification and value communication. Techniques such as the FAIR (Factor Analysis of Information Risk) model allow CISOs to translate cybersecurity risks into financial metrics, making it easier to justify investments and demonstrate ROI to the C-suite.
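To make the risk-quantification step concrete, the following is an added example (not code from the article, Deloitte, IANS or the FAIR standard itself) of the FAIR-style decomposition a CISO can use: a scenario's threat event frequency (TEF) and vulnerability give a loss event frequency, which is combined with a per-event loss magnitude to produce an annualized loss figure. The closed-form mean is compared with a Monte Carlo run that also yields the tail percentiles boards usually ask about. The ransomware scenario and all its minimum/most-likely/maximum estimates are constructed for illustration.

```python
"""FAIR-style cyber risk quantification: from calibrated estimates to dollars.

Added illustration. The scenario figures are constructed, not survey data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Minimal FAIR decomposition of one loss scenario.

    Frequencies and magnitudes are given as (minimum, most likely, maximum)
    estimates and sampled from a triangular distribution.
    """
    name: str
    tef: tuple            # threat event frequency, events per year
    vulnerability: float  # probability a threat event becomes a loss event
    loss_magnitude: tuple  # loss per loss event, USD


def triangular_mean(estimate):
    lo, likely, hi = estimate
    return (lo + likely + hi) / 3.0


def expected_annual_loss(s):
    """Closed-form annualized loss expectancy.

    Loss event frequency (LEF) = TEF x vulnerability. Because frequency and
    magnitude are modelled independently, expected loss = LEF x E[magnitude].
    """
    lef = triangular_mean(s.tef) * s.vulnerability
    return lef * triangular_mean(s.loss_magnitude)


def poisson_draw(rng, lam):
    """Number of events in one year at rate lam (Knuth's algorithm)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s, years=10_000, seed=7):
    """Monte Carlo: simulate independent years, return sorted yearly totals."""
    rng = random.Random(seed)
    tef_lo, tef_likely, tef_hi = s.tef
    lm_lo, lm_likely, lm_hi = s.loss_magnitude
    totals = []
    for _ in range(years):
        # random.triangular takes (low, high, mode)
        rate = rng.triangular(tef_lo, tef_hi, tef_likely)
        threat_events = poisson_draw(rng, rate)
        # each threat event becomes a loss event with probability `vulnerability`
        loss_events = sum(1 for _ in range(threat_events)
                          if rng.random() < s.vulnerability)
        totals.append(sum(rng.triangular(lm_lo, lm_hi, lm_likely)
                          for _ in range(loss_events)))
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list, q in [0, 1]."""
    idx = round(q * (len(sorted_values) - 1))
    return sorted_values[max(0, min(idx, len(sorted_values) - 1))]


def summarize(s, years=10_000, seed=7):
    """Figures a CISO would put in front of the board for one scenario."""
    totals = simulate_annual_losses(s, years, seed)
    return {
        "analytic_ale": expected_annual_loss(s),
        "simulated_mean": sum(totals) / len(totals),
        "p50": percentile(totals, 0.50),
        "p90": percentile(totals, 0.90),
        "p99": percentile(totals, 0.99),
    }


# Constructed scenario: ransomware reaching a production file server.
RANSOMWARE = RiskScenario(
    name="ransomware on production file server",
    tef=(1, 4, 10),                           # 1 to 10 attempts a year, 4 typical
    vulnerability=0.3,                        # 30% of attempts succeed today
    loss_magnitude=(50_000, 200_000, 1_000_000),
)

if __name__ == "__main__":
    for label, value in summarize(RANSOMWARE).items():
        print(f"{label:>15}: ${value:,.0f}")
```

The useful part for budget conversations is the difference between the mean and the p90/p99 lines: a control that halves `vulnerability` halves the expected loss, and re-running `summarize` with that value gives the board a before/after figure in the same units as the control's cost.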

Navigating regulatory mandates and disclosure requirements

Regulatory mandates are also shaping the evolving role of the CISO and cybersecurity’s integration into corporate strategy. With the U.S. Securities and Exchange Commission (SEC) now requiring companies to disclose material cyber incidents and provide insights into their cyber strategy, CISOs are under pressure to ensure regulatory compliance. This disclosure requirement applies to both U.S.-based and foreign companies trading on U.S. markets, reinforcing cybersecurity’s critical role across global business operations.

The SEC’s regulatory emphasis on transparency has heightened the importance of cybersecurity within boardrooms, leading senior executives to turn to CISOs for guidance on managing risks and compliance. Beyond U.S. markets, regulatory authorities worldwide are implementing frameworks and standards that require companies to report cyber incidents, particularly as ransomware and other cyberattacks have grown more prevalent. In addition to regulatory compliance, the reputation and operational continuity tied to regulatory adherence have pushed CISOs to develop comprehensive cybersecurity strategies that align with overall business goals.

Steps to building a cyber-resilient organization

High-cyber-maturity organizations demonstrate that integrating cybersecurity into business strategy requires more than technical defenses; it demands a multi-dimensional approach encompassing governance, culture and operational resilience. Here are several key areas where organizations can focus to build a cyber-resilient structure:

  1. Leadership and governance: Effective cybersecurity governance starts at the top. Organizations should establish clear reporting structures where CISOs communicate directly with the CEO or board. This positioning emphasizes cybersecurity’s strategic importance and enables informed decision-making at the highest levels.

  2. Risk management practices: Proactive risk management means identifying, assessing and mitigating cyber risks in line with business objectives. High-cyber-maturity organizations use both quantitative and qualitative methods to understand and prioritize risks, creating a structured approach to vulnerability management that could impact operations.

  3. Incident response and recovery: Resilient organizations are not just prepared for incidents; they are equipped to recover swiftly and minimize impact. Robust incident response plans, regularly tested and updated, are essential for ensuring that organizations can maintain continuity even amid significant cyber events. These plans should involve cross-functional teams and clear communication channels to coordinate an efficient response.

  4. Continuous improvement and innovation: Cybersecurity is a dynamic field where continuous improvement is critical. Organizations should prioritize regular evaluations and updates to their cybersecurity measures, allowing them to stay ahead of evolving threats. As AI, automation and other technologies emerge, adopting them to enhance cybersecurity capabilities — such as anomaly detection and automated incident response — can further boost resilience.

CISOs take the lead

In the evolving landscape of cyber threats, the role of the CISO is becoming more integral to organizational resilience and business continuity. High-cyber-maturity organizations are leading the way, integrating cybersecurity into their strategic goals and recognizing that it is not merely an IT function but a business-critical priority. By aligning cybersecurity spending with broader business budgets, they can enhance resilience and drive long-term value.

The post CISOs drive the intersection between cyber maturity and business continuity appeared first on Security Intelligence.

  • Security Intelligence
  • Taking the fight to the enemy: Cyber persistence strategy gains momentum, by Jonathan Reed

Taking the fight to the enemy: Cyber persistence strategy gains momentum

23 January 2025, 11:00

The nature of cyber warfare has evolved rapidly over the last decade, forcing the world’s governments and industries to reimagine their cybersecurity strategies. While deterrence and reactive defenses once dominated the conversation, the emergence of cyber persistence — actively hunting down threats before they materialize — has become the new frontier. This shift, spearheaded by the United States and rapidly adopted by its allies, highlights the realization that defense alone is no longer enough to secure cyberspace.

The momentum behind this proactive cyber strategy can be found in America’s Defend Forward initiative, the rise of cyber persistence among U.S. allies and the successful takedowns of infamous groups like LockBit ransomware. Meanwhile, the broader implications of this shift are revealed in the U.S. Department of State’s focus on digital solidarity in contrast to digital sovereignty.

Cyber persistence: A strategic pivot

The idea of cyber persistence, as opposed to cyber deterrence, is reshaping global cybersecurity efforts. Traditional deterrence theory, which aims to dissuade adversaries through the promise of retaliation, has failed to address the complexities of cyber criminal behavior. Malicious cyber actors, including state-sponsored entities and organized crime groups, continue to exploit vulnerabilities, which leads to critical infrastructure compromise, sensitive data theft and government or corporate network disruption.

In response, the U.S. Department of Defense 2023 Cyber Strategy reinforced the country’s commitment to “Defend Forward,” a proactive approach designed to directly disrupt adversaries’ operations. This strategy empowers cybersecurity forces to identify malicious activities before they escalate, track adversaries and take action to prevent or mitigate attacks. U.S. allies like the United Kingdom, Japan, Canada and the Netherlands have subsequently adopted similar strategies. They’ve all come to realize that cyberspace requires constant vigilance and operational persistence to stay ahead of evolving threats.

As the U.S. DoD outlines, engaging adversaries early in planning is essential to creating a more secure cyberspace. This involves tracking the capabilities and intentions of malicious actors and degrading their ability to act. Such a proactive stance requires cooperation, coordination and trust among allies. This is especially true since cyber campaigns often involve joint operations where one nation may invite another into its networks to assist in defense.

The shift from deterrence to persistent engagement

Increasingly, nations like the UK and the Netherlands are taking proactive measures to combat cyber threats by operationalizing cyber persistence. For example, the UK’s National Cyber Strategy highlights the importance of actively tackling adversaries’ cyber dependencies and emphasizing the need for persistent engagement in cyberspace. Further examples of this shift include Japan’s efforts to introduce active cyber defense and Canada’s participation in “Hunt Forward” operations. Both aim to actively search for and disarm malicious actors.

NATO has also acknowledged the necessity of a more proactive cyber stance. The 2022 NATO Strategic Concept recognizes that cyberspace is “contested at all times.” The document explicitly states that the cumulative effect of cyber activities could reach the level of an armed attack, potentially triggering NATO’s mutual defense obligations under Article 5. This signals the acceptance of cyber persistence as a critical aspect of national and collective security.

While deterrence remains a core strategy for nuclear and conventional warfare, it is becoming clear that in cyberspace, persistence — constantly identifying, mitigating and neutralizing threats — is critical to preventing large-scale cyber incidents.

The LockBit ransomware takedown: A case study in persistence

The February 2024 takedown of the LockBit ransomware group under Operation Cronos serves as a prime example of how persistent cyber strategies can effectively neutralize significant threats. LockBit, one of the most prolific Ransomware-as-a-Service (RaaS) groups, was responsible for approximately a quarter of all ransomware attacks in 2023. This included attacks on hospitals and other critical services during the COVID-19 pandemic.

Operation Cronos, a coordinated international effort, resulted in significant arrests, sanctions and the seizure of LockBit’s operational infrastructure. This was not just a technical takedown but a broader effort to undermine the group’s viability. Law enforcement agencies managed to access LockBit’s internal communications, expose its affiliates and disrupt its financial networks. This cumulative disruption severely damaged the group’s reputation, making it difficult for them to regain support within the cyber crime community.

While LockBit’s ringleader, known as “LockBitSupp,” has tried to claim the group’s resurgence, analysis shows that the law enforcement operation has had lasting effects. The exposure of the group’s inner workings has sowed distrust among affiliates, with many distancing themselves from the group. The takedown’s success demonstrates the power of cyber persistence, as it involved not only technical measures but also strategic psychological operations aimed at eroding the group’s support base.

Digital solidarity vs. digital sovereignty

At the heart of the United States’ international cyber strategy lies the concept of digital solidarity, which stands in stark contrast to the protectionist policies of digital sovereignty. Digital solidarity promotes collaboration and mutual support among nations, emphasizing the need for a secure, inclusive and resilient digital ecosystem. This strategy, unveiled in the U.S. Department of State’s 2024 International Cyberspace and Digital Policy Strategy, advocates for building international coalitions, aligning regulatory frameworks and fostering a free flow of data across borders.

The key pillars of digital solidarity include promoting an inclusive digital ecosystem, aligning governance approaches to data and advancing responsible state behavior in cyberspace. These efforts aim to ensure that all nations, especially emerging economies, have access to secure digital infrastructure and that global cooperation can thwart cyber threats through shared intelligence and mutual defense efforts.

In contrast, digital sovereignty emphasizes national control over digital infrastructure and data. Countries that adopt this stance seek to protect their digital assets by restricting foreign access to their markets and mandating data localization. While proponents argue that this approach can reduce dependence on foreign technology and enhance security, critics warn that it fragments the global digital ecosystem and makes it harder to respond collectively to cyber threats.

The tension between digital solidarity and digital sovereignty has significant implications for global cybersecurity. As the world’s digital infrastructure becomes more interconnected, the U.S. and its allies argue that collaboration, not isolation, is the key to addressing the complex cyber challenges of the future.

The future of proactive cyber defense

The shift from deterrence to persistence in cyberspace represents a new era of proactive cyber defense. By identifying vulnerabilities, disrupting adversaries’ operations and engaging in continuous cyber campaigns, the U.S. and its allies are reshaping the way nations approach cybersecurity.

Operations like the LockBit takedown underscore the effectiveness of this strategy. Plus, the emphasis on digital solidarity highlights the importance of international cooperation in creating a safer and more resilient digital ecosystem. As cyber threats continue to evolve, the persistence approach will likely become a cornerstone of modern cybersecurity. The goal is to ensure that nations can stay ahead of their adversaries and secure the future of cyberspace.

The post Taking the fight to the enemy: Cyber persistence strategy gains momentum appeared first on Security Intelligence.

  • Security Intelligence
  • Are attackers already embedded in U.S. critical infrastructure networks?, by Jonathan Reed

Are attackers already embedded in U.S. critical infrastructure networks?

21 January 2025, 11:00

The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish a foothold and prepare for potentially crippling attacks that could disrupt essential services across the nation.

Volt Typhoon embodies a threat far beyond everyday cyber crime. It indicates the dangerous reality of cyber pre-positioning — a tactic that allows cyber actors to infiltrate systems, maintain persistence and potentially launch massively destructive operations. With lifeline sectors such as communications, energy, transportation and water and wastewater systems under threat, the question is no longer if attackers are embedded within U.S. infrastructure but how deeply they have rooted themselves. And the implications directly impact national security.

Nation-state pre-positioning goes beyond espionage

Employed by nation-state actors, pre-positioning goes beyond mere intelligence gathering. By silently lurking within critical infrastructure networks, actors gain the capability to wreak havoc at a moment’s notice. These intrusions, particularly in sectors like water systems and energy grids, serve little espionage value, per Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technologies. This indicates that the infiltrations are likely precursors to far more disruptive objectives.

Volt Typhoon’s methodical approach has allowed them to infiltrate U.S. systems for extended periods — up to five years in some cases — without detection. They’ve targeted the infrastructure that millions of Americans depend on daily. In a time of heightened geopolitical tension, a well-timed cyberattack could grind vital systems to a halt, leaving the nation vulnerable to cascading failures across multiple sectors. The fallout could be unprecedented, impacting national security, the economy and everyday life.

Volt Typhoon’s tactical mastery

Volt Typhoon is no ordinary hacking group. This state-sponsored entity has displayed a level of sophistication that challenges even the most robust cybersecurity defenses. Through its living-off-the-land (LOTL) tactics, the group exploits legitimate network administration tools, blending seamlessly with normal traffic and making detection extremely difficult. Their use of known vulnerabilities in public-facing devices such as routers and VPNs allows them to gain access, while compromised administrator credentials give them the power to burrow deeper into networks and assess operational technology (OT) systems.
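Because LOTL activity uses the same built-in administration tools that legitimate operators use, matching on a tool name alone produces mostly noise. The script below is an added example (not code from the article or from CISA) of the baseline-deviation approach a defender can take instead: learn which (host, account) pairs normally run each administration tool during a quiet baseline window, then flag later executions that break that baseline, weighting the score higher when the tool is spawned by a server worker process that should never launch admin utilities. Event records are modelled on Windows process-creation telemetry (event ID 4688 style fields) but are constructed here; the tool watch list and parent-process list are illustrative assumptions, not a complete detection rule.

```python
"""Baseline-deviation detection for living-off-the-land (LOTL) activity.

Added example, not from the article. Telemetry records, host names and
accounts below are constructed; LOTL_TOOLS and SUSPICIOUS_PARENTS are
illustrative assumptions a real deployment would tune to its environment.
"""
from collections import defaultdict
from dataclasses import dataclass

# Built-in Windows tools commonly used for discovery and administration
# without dropping any malware. Assumed, illustrative watch list.
LOTL_TOOLS = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe",
    "reg.exe", "vssadmin.exe", "nltest.exe", "schtasks.exe",
}

# Server worker processes that should essentially never spawn an admin
# tool; doing so is a strong post-exploitation signal. Assumed list.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "sqlservr.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    process: str  # image file name, lower-case
    parent: str   # parent image file name, lower-case


def build_baseline(events):
    """Learn which tools each (host, user) pair ran, and which ran on each host."""
    by_pair = defaultdict(set)
    by_host = defaultdict(set)
    for ev in events:
        if ev.process in LOTL_TOOLS:
            by_pair[(ev.host, ev.user)].add(ev.process)
            by_host[ev.host].add(ev.process)
    return by_pair, by_host


def score_event(ev, baseline):
    """Return (severity, reasons) for one event; severity 0 means nothing to flag."""
    by_pair, by_host = baseline
    if ev.process not in LOTL_TOOLS:
        return 0, []
    severity, reasons = 0, []
    if ev.process not in by_pair.get((ev.host, ev.user), set()):
        severity += 1
        reasons.append(f"{ev.user} had not run {ev.process} on {ev.host} during the baseline")
        if ev.process not in by_host.get(ev.host, set()):
            # Nobody on this host used the tool before: stronger deviation.
            severity += 1
            reasons.append(f"no account ran {ev.process} on {ev.host} during the baseline")
    if ev.parent in SUSPICIOUS_PARENTS:
        severity += 2
        reasons.append(f"spawned by server worker process {ev.parent}")
    return severity, reasons


def hunt(baseline_events, new_events, threshold=2):
    """Return [(event, severity, reasons)] for new events at or above threshold."""
    baseline = build_baseline(baseline_events)
    findings = []
    for ev in new_events:
        severity, reasons = score_event(ev, baseline)
        if severity >= threshold:
            findings.append((ev, severity, reasons))
    return findings


# Constructed baseline: what "normal" admin-tool use looked like last month.
BASELINE_EVENTS = [
    ProcEvent("DC01", "CORP\\svc_backup", "vssadmin.exe", "services.exe"),
    ProcEvent("WS-OPS-07", "CORP\\ops.admin", "netsh.exe", "cmd.exe"),
    ProcEvent("WS-OPS-07", "CORP\\ops.admin", "powershell.exe", "explorer.exe"),
]

# Constructed new telemetry to hunt through.
NEW_EVENTS = [
    ProcEvent("WS-OPS-07", "CORP\\ops.admin", "netsh.exe", "cmd.exe"),           # routine
    ProcEvent("WS-OPS-07", "CORP\\jdoe", "powershell.exe", "explorer.exe"),      # new user, known tool on host
    ProcEvent("WEB01", "NT AUTHORITY\\NETWORK SERVICE", "wmic.exe", "w3wp.exe"),  # web worker spawning wmic
    ProcEvent("DC01", "CORP\\ops.admin", "ntdsutil.exe", "cmd.exe"),             # tool never seen on the DC
]

if __name__ == "__main__":
    for ev, severity, reasons in hunt(BASELINE_EVENTS, NEW_EVENTS):
        print(f"[severity {severity}] {ev.host} {ev.user} ran {ev.process}: " + "; ".join(reasons))
```

Run as-is, the script flags the WEB01 event (severity 4) and the DC01 event (severity 2) and stays quiet about the routine netsh run and the second user's PowerShell session on a workstation where PowerShell is already normal. The point is that the baseline, not the tool name, carries the signal; in practice the baseline window should be long enough to cover maintenance cycles, and the score should feed a triage queue rather than an automatic block.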

The group’s calculated patience is noteworthy. Instead of seeking short-term gains, they carefully study their targets and gain an understanding of the nuances of the systems they infiltrate. In one case, Volt Typhoon spent nine months moving laterally through a water utility’s network, gaining access to crucial OT assets, including water treatment plants and electrical substations. These infiltrations are more than a technical breach — they represent a looming threat to physical infrastructure that could manifest in catastrophic failures.

The FOCAL Plan’s strategic response

In the face of these threats, CISA has developed a robust response: the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. This strategic framework aims to shore up federal cybersecurity defenses by driving coordinated action across agencies. The FOCAL Plan outlines how federal agencies can adopt best practices to defend against pre-positioning and other sophisticated cyber threats, promoting a holistic approach from prevention to incident response.

The FOCAL Plan focuses on five critical areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management and incident detection and response. Each area plays a crucial role in safeguarding federal systems from persistent threats like Volt Typhoon:

  1. Asset management: Without knowing what assets exist within an organization, it is impossible to protect them. The FOCAL Plan emphasizes comprehensive, continuous visibility into all IT and OT assets to ensure that any unauthorized access can be detected and mitigated quickly.

  2. Vulnerability management: Regular vulnerability scanning and timely patching prevent hackers from exploiting known weaknesses, shutting down one of their primary entry points.

  3. Defensible architecture: Organizations must build resilience into systems, assuming that attacks will happen. This includes implementing zero trust principles to restrict lateral movement within networks and limit the damage attackers can do, even if they gain access.

  4. Supply chain risk management: This addresses the growing reliance on third-party vendors. With many cyberattacks exploiting vulnerabilities in third-party systems, the FOCAL Plan emphasizes the need for agencies to closely monitor their supply chains and ensure that their vendors adhere to strict cybersecurity protocols.

  5. Incident detection and response: This is the FOCAL Plan’s approach to real-time cyber defense. CISA urges agencies to deploy advanced tools like endpoint detection and response (EDR) systems, which can identify and respond to threats before they cause significant damage. The ability to share threat intelligence and coordinate responses across federal agencies is essential for ensuring that the government can act swiftly in the event of an attack.

Mitigation urgency and action

The threat landscape outlined by Volt Typhoon’s actions calls for an urgent response — not just from federal agencies but from every organization that operates critical infrastructure. The key to stopping attackers from exploiting pre-positioned access is to adopt a mentality of constant vigilance and proactive threat hunting. It’s not enough to react to attacks after they happen. Organizations must actively hunt for threats, continually monitor their systems and act quickly to patch vulnerabilities before they can be exploited.

CISA’s FOCAL Plan provides a framework, but it is up to individual organizations to implement these measures at every level. Regular security audits, comprehensive asset management and adherence to the latest cybersecurity best practices are non-negotiable. Organizations must be prepared for the reality of an attack, ensuring that they have backup systems in place. It’s vital to practice incident response through tabletop exercises and maintain open communication channels with CISA and other federal agencies.

The harsh reality is that many organizations may already have pre-positioned attackers within their networks. The objective now is to limit the damage they can do and to ensure that attackers cannot trigger even more widespread disruption.

The clock is ticking

The presence of cyber actors like Volt Typhoon in U.S. critical infrastructure is not hypothetical — it’s happening now, and the consequences of inaction could be devastating. The ability of these attackers to remain hidden within networks for years, studying their targets and preparing for destructive actions, underscores the importance of robust, proactive cybersecurity measures.

The FOCAL Plan is a step in the right direction, but the fight against pre-positioned cyber actors is far from over. It will require a sustained, coordinated effort between federal agencies, private organizations and international allies to ensure that U.S. critical infrastructure is protected and remains resilient.

The post Are attackers already embedded in U.S. critical infrastructure networks? appeared first on Security Intelligence.

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

Mark Stone

24 December 2024, 11:00

As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.

The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?

Will the country be better off than it is today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should we be looking out for?

To get the answers to these pressing questions, we spoke with Jake Braun, former Principal Deputy National Cyber Director under President Biden and lecturer and senior advisor at Harris School of Public Policy at the University of Chicago.

The current state of cybersecurity

According to Braun, the current state of cybersecurity in the country is showing significant progress. Still, he says, it remains a work in progress.

Recent initiatives, such as the White House’s efforts to modernize security policies, are moving the needle forward. Braun notes that the push towards using memory-safe programming languages like Rust to replace older, vulnerable languages and initiatives for improving BGP security are signs that national-level cybersecurity is receiving strategic attention.

“The focus has shifted from addressing specific vulnerabilities to eliminating entire classes of threats by enhancing infrastructure fundamentals,” he said.

Another exciting development is the government’s approach to the cybersecurity skills gap, as it moves away from requiring traditional four-year degrees for cybersecurity roles. Instead, there is a push towards skills-based training, aiming to fill gaps in cybersecurity staffing quickly and effectively.

“We need to move past the outdated notion that every cybersecurity role requires a Ph.D. or even a four-year degree,” Braun said. “Many of these roles can be filled by individuals with hands-on experience and targeted skills training, which allows us to broaden the talent pool and address critical workforce shortages more effectively.”

While challenges like over-regulation and fragmented compliance requirements still exist, there is notable progress in streamlining these areas to free up resources for actual security improvements.

What will government cybersecurity look like in 2025?

Government cybersecurity is expected to evolve into a more cohesive and strategically aligned effort. There will likely be continued work on harmonizing cybersecurity regulations, which will reduce the bureaucratic overhead for corporations and government entities alike.

“By 2025, I expect we will see a much more unified approach to cybersecurity regulations,” he said. “It will significantly reduce the burden on corporations and allow them to focus on real security measures rather than compliance paperwork.”

Another key area of focus, while not directly cybersecurity-related at first glance, is improving the resilience of critical infrastructure. The Bipartisan Infrastructure Law (BIL), the CHIPS Act and the Inflation Reduction Act have already laid the groundwork for enhancing cybersecurity in sectors like energy, transportation and telecommunications. These investments are expected to bring about significant improvements in the security posture of both public and private infrastructure — essentially ensuring that cybersecurity is built into the core of modernization efforts rather than being an afterthought.

One example Braun points to is modernizing the electrical grid and water systems, including enhanced cyber protections to prevent both physical and digital disruptions.

“Those three bills make up almost $2 trillion of investment in our infrastructure around the country,” he said. “And while cyber’s only called out explicitly in a few places, it’s kind of implicit in pretty much every single aspect of these bills. You can’t build a new wind farm and hook it up to the grid without there being cyber involved.”

Another effort that is expected to continue is the focus on public-private partnerships. While a distrust in information sharing still exists, the government recognizes that effective cybersecurity cannot be achieved in isolation. Increased collaboration with private sector companies will be critical for sharing threat intelligence, aligning security standards and responding swiftly to emerging threats.

Circling back to the skills gap issue, Braun expects there will be an increased emphasis on cybersecurity education and workforce development. Programs to re-skill workers, provide hands-on training, and promote diversity within the cybersecurity workforce will be expanded.

“While technology is inherently not secure because… just talk to any hacker at DefCon and they’ll tell you that you can hack pretty much anything… I do think that we’re being more strategic, and we’ve got more resources and more initiatives that are strategic and not just tactical going on now than we did before.”

What threats should we be aware of?

Despite the many reasons for optimism, potentially harmful threats are on the horizon. According to Braun, geopolitical tensions, particularly around Ukraine and China’s ambitions toward Taiwan, pose significant cybersecurity challenges.

“These situations could dramatically influence the evolution of cyber threats and how we need to position ourselves defensively,” he said.

The outcome of these international developments will shape how cyber threats evolve and how the U.S. can position itself to defend against both state-sponsored and independent actors.

Braun suggests that The New Great Game over control of the internet — whether it will remain free and democratic or become fragmented and authoritarian — is another issue that governments around the world must pay attention to. The outcome can impact the future of digital freedom across the globe.

“China’s Belt and Road Initiative has put many smaller countries in a tough predicament, giving China leverage to push their authoritarian model of internet governance. This could lead to a fragmented global internet, which would have serious implications for cybersecurity and digital freedom.”

Facing cybersecurity in 2025 with proactive measures

Still, Braun is approaching 2025 with cautious optimism. He emphasized that while technology will always have inherent vulnerabilities, the strategic approach of the government — coupled with substantial investments — lays the foundation for the future of national cybersecurity to be more promising than it has been in previous years.

“The country will likely be better prepared due to the significant investments in infrastructure and security standards, as well as initiatives to enhance workforce capabilities,” he said. “The significant investments we’re making in infrastructure and cybersecurity standards are going to put us in a much better place. We’re seeing proactive measures, like bolstering cybersecurity in critical areas such as water utilities, which are crucial for both civilian and military stability.”

The post Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in appeared first on Security Intelligence.
