After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining it's priorities and goals. It's a wide-ranging and ambitious document consisting of five major areas of focus, or "pillars". What's new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and I? Today I'll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA).

Interview Notes

National Security Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy 

PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil 

Known Exploited Vulnerabilities catalog : https://www.cisa.gov/known-exploited-vulnerabilities-catalog 

Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o 

I Am the Cavalry: https://iamthecavalry.org/ 

CISA Secure by Design: https://www.cisa.gov/securebydesign

Further Info

Nominate someone for a challenge coin: https://fdsd.me/quest 

Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 

Give the gift of privacy and security: https://fdsd.me/coupons 

Send me your questions! https://fdsd.me/qna 

Support our mission! https://fdsd.me/support 

Subscribe to the newsletter: https://fdsd.me/newsletter 

Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 

Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest 

Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

0:01:55: Interview setup

0:04:00: What is this strategy document, at a high level?

0:14:02: What are some of the more important or novels aspects?

0:18:05: Do agencies have the budget and authority to implement these strategies?

0:22:11: Will having a gov't backstop actually encourage attacks or discourage preparation?

0:30:40: Should the gov't actively scan US firms/orgs for vulnerabilities?

0:36:56: What should we do about the marketplace for zero-day hacks?

0:39:52: How aggressive should the US be against hackers?

0:41:03: What is NOT addressed by this strategy?

0:45:55: How should be manage our dependencies on foreign software and hardware?

0:52:59: What can everyday people take away from these strategies?

0:59:50: Has this document already had impacts? How do we monitor progress?

1:03:56: Interview wrap-up

1:07:40: Looking ahead