A Real Gem for Cyber Hygiene - CISA's SHIELDS UP Campaign

At the start of the Russian invasion of Ukraine in February of 2022, the U.S. Cybersecurity Infrastructure and Security Agency (CISA), released the SHIELDS UP campaign. The campaign aims to maintain a heightened cybersecurity posture as a result of the invasion. It's been five months since the campaign was released, and I wanted to go over more detail on not only the usefulness of this initiative for organizations, but also assess the long term challenges that the campaign will need to tackle. The cyberthreat environment will always be complex, dynamic, and dangerous. One thing that comes to my mind is how will this campaign deal with fatigue, from any potential persistent cyberattacks that the nation could be impacted by? Ukraine and other European countries, have already experienced spillover impacts on their networks from relentless Russian cyberattacks. At the time of publishing this post, the U.S. has not to date suffered a major Russian state-sponsored attack. There has been reconnaissance consisting of scanning of networks of five U.S. energy companies according to an FBI advisory. All of this is a clear indication that we all need to maintain our shields up, ensuring a heightened cybersecurity posture. An important question to raise following our statement is when will we be able to put our shields down? Is this even possible in cyberspace? One without even thinking would say of course this is not possible! As we already mentioned, the cyberthreat environment is complex, dynamic, and dangerous. This is why our shields will continue to be up for the foreseeable future. This leads to the main challenge that I also brought up earlier that will be the focus of this post. How will we deal with the resulting fatigue as a result of maintaining a maximum alert posture?

Handling Vigilance Fatigue

Fatigue is very common throughout cybersecurity. From alert fatigue for those in security operations center (SOC) analyst roles, to what we are discussing here about the government and private sector needing to work together in handling the elevated risk of cyberattacks and malicious activity, we can see that it is not easy for anyone. It's just as important that the government continues to support cybersecurity initiatives which the U.S. does a really good job in, especially recently with the Biden administration's 2023 fiscal budget allocating roughly $10.9 billion for civilian cybersecurity related activities, an 11% increase compared to 2022. However, investing is simply not enough. There needs to be continued coordination and support with advisories that support communication which security teams at organizations can use to work together with leadership to ensure resilience is improved. If the private sector and its leaders work together with the government in addressing cyber resiliency, then this significantly improves the cybersecurity baseline of the nation making the nation, "collectively more secure and resilient to cyberthreats - including both the current threats from Russian cyber actors as well as ongoing and future threats from other nation state advisories and criminal groups." Another approach to this challenge that is unique in the sense that it is not affiliated with the government or an entity that specializes in cybersecurity, is content created from security professionals such as myself. When more people are creating content either in a blog post or YouTube video, they are reinforcing the educational aspect to ensure there is alignment and a sense of teamwork between government and the general public, which is the main theme of this blog post and the reason why I wanted to start my own blog. Every security professional whether in government or private sector knows that staying up to date in this field is vital, and that collaboration is meaningful to ultimately ensure that we're all being proactive in using our resources to make cyberspace a more safer space for everyone!

Looking into the Future

Cyber resiliency will be the main objective of many organizations for the foreseeable future. We must maintain a heightened alert posture, but also be wary of vigilance fatigue. Education and collaboration will be the best resources to ensure fatigue is kept at a minimum. I would say that fatigue is unfortunately inevitable especially in this field. We must recognize that it is not sustainable to maintain such heightened alert posture because what could end up happening is that we not only burn ourselves out, but we end up exhausting our resources because we are not using them efficiently. This is why working as a team, we will collectively see results, "we can make it so that our adversaries will have to beat all of us to beat one of us".