9 notable government cybersecurity initiatives of 2021

By mhill, UK Editor

Feature | Sep 02, 2021 | 11 mins
Tags: Cyberattacks, Government

Governments are increasingly taking on cybersecurity threats, as these nine government-led initiatives from around the globe show.

[Image: Global geopolitical cybersecurity vectors. Credit: Matejmo / Getty Images]

Cybersecurity has steadily crept up the agenda of governments across the globe. This has led to initiatives designed to address cybersecurity issues that threaten individuals and organizations.

“Government-led cybersecurity initiatives are critical to addressing cybersecurity issues such as destructive attacks, massive data breaches, poor security posture, and attacks on critical infrastructure,” Steve Turner, security and risk analyst at Forrester, tells CSO. “These initiatives provide consistent guidance on how organizations and consumers can protect themselves, provide services to companies that don’t have the knowledge or monetary means to protect themselves, legislative levers that can be utilized, means of taking offensive actions against nation state adversaries, and most of all investigation of significant cyber incidents paired with critical information sharing during or after those incidents.”

Here are some of the most notable cybersecurity initiatives introduced by governments around the world in 2021:

US Department of Defense publishes Cybersecurity Maturity Model Certification

In January, the US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC reviews and combines various cybersecurity standards and best practices, mapping controls and processes across several maturity levels that range from basic to advanced cyber hygiene.

“For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats,” reads the Office of the Under Secretary of Defense for Acquisition & Sustainment website. “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” The CMMC is designed to be cost-effective and affordable for all organizations, with authorized and accredited CMMC third parties conducting assessments and issuing CMMC certificates to DIB companies at the appropriate level.

For Tom Brennan, CIO at Mandelbaum Barrett P.C. and US chairman of CREST, the CMMC is perhaps the most important government cybersecurity initiative of 2021 in the US. “For a long time, the DoD has told DIB contractors that they have to comply with NIST standards, but there has been zero accreditation, enforcement, or audit associated with this particular control, and it has failed miserably,” he tells CSO. The CMMC is so important because it involves legal assessments to test that government contractors are doing what they say they are from a security standpoint, and if they fail to meet CMMC requirements, they will lose their contracts, he says.

“If you’re going to be looking for new DoD contracts, those contracts will clearly state a company must be CMMC level 1, 2, 3, 4, or 5 compliant (depending on the level of maturity needed for the project) prior to undertaking new contracts.” The CMMC is also attracting growing interest from the cybersecurity industry because many audit firms and service providers see it as a cash cow, Brennan says.

Spanish government commits €450 million to cybersecurity industry, opens Hacker Academy

In April, Spain’s state secretary for digitalization and artificial intelligence, Carme Artigas, revealed that the Spanish government would invest more than €450 million over a three-year period to boost the country’s cybersecurity sector. Artigas also announced the opening of an online Hacker Academy for Spanish residents aged 14 and over to train and attract talent. The training initiative was developed to run between May 3 and June 25 in an online format, featuring hundreds of participants competing in cybersecurity challenges.

The National Cybersecurity Institute (INCIBE) will oversee a new strategic plan for the cybersecurity spending, built around three key pillars: boosting the sector’s business ecosystem and attracting talent, strengthening the cybersecurity of individuals, SMEs and professionals, and consolidating Spain as an international cybersecurity hub.

US government announces ambitious cybersecurity executive order

In May, the Biden administration announced a bold cybersecurity executive order to chart a “new course to improve the nation’s cybersecurity and protect federal government networks.” The document came in the wake of significant supply chain attacks on SolarWinds and Microsoft, along with the ransomware attack on Colonial Pipeline.

The executive order is designed to minimize the frequency and impact of such incidents, setting out a series of proposals for bolstering cybersecurity within federal agencies, including:

  • Removing barriers to threat information sharing between government and the private sector
  • Modernizing and implementing stronger cybersecurity standards in the federal government
  • Improving software supply chain security
  • Establishing a cybersecurity safety review board
  • Improving detection, investigative and remediation capabilities around cybersecurity incidents

“The cybersecurity executive order rapidly requires agencies to modernize their security posture through the introduction of zero trust architecture, enhanced technology procurement, developing requirements for a software bill of materials (SBOM), movement to the cloud, and so much more,” Turner says. “This is going to have extensive downstream impacts on other countries and organizations since it will force many vendors and companies that do business with the government to have specific security practices in place as well as have specific data on hand that other organizations will be able to tap into.”

Australian government introduces Critical Infrastructure Uplift Program

In May, the Australian government introduced the Critical Infrastructure Uplift Program (CI-UP) to identify and resolve vulnerabilities in critical infrastructure, helping providers to raise their cybersecurity maturity through evaluating their existing security program and implementing recommended risk mitigation strategies. The modular cybersecurity program is open to critical infrastructure entities that are ACSC partners and is designed to:

  • Evaluate cybersecurity maturity of critical infrastructure and systems of national significance using a combination of the Cyber Security Capability and Maturity Model (C2M2) and Essential 8 maturity models
  • Deliver prioritized vulnerability and risk mitigation strategies
  • Assist partners to implement the recommended risk mitigation strategies

“With the rise in attacks on critical infrastructure such as electrical grids and pipelines, this is such a critical service to helping rapidly increase the security posture of these entities,” says Turner.

US lawmakers propose American Cybersecurity Literacy Act

In June, bipartisan House lawmakers introduced a proposal for the American Cybersecurity Literacy Act, new legislation to boost cybersecurity awareness and knowledge of data security among internet users in the US. Currently under review by the House Committee on Energy and Commerce, the act sets out that the US has a national security and economic interest in promoting cybersecurity literacy, establishing that the assistant secretary for communications and information shall develop and conduct a cybersecurity literacy campaign of best practices to reduce cybersecurity risks.

Commenting on the proposal, Dave Stapleton, CISO at CyberGRX, tells CSO that the threat of cyberattacks and the need for meaningful countermeasures is proving to be one of the few matters that enjoys bipartisan agreement in the US government. “The American Cybersecurity Literacy Act’s focus on educating the American public is spot on. Quite often the threats facing us as individuals are the same as, or derivative of, those facing corporations. We see this evidenced in the number of business email compromise (BEC) attacks that are received on employees’ personal devices. The line between our professional and personal lives is increasingly blurred, making a threat to an individual a likely threat to their employer.”

Identity-based attacks are some of the most common in both corporate and private America, and for good reason—compromising a legitimate identity is an efficient method to bypass the security safeguards implemented by individuals and their companies, Stapleton says. “Therefore, it is encouraging to see that the American Cybersecurity Literacy Act, if passed, will be zeroing in on the threat of phishing and the need for everyone to enable and use multi-factor authentication (MFA) whenever possible.”

French government releases cyberattack alert system

In July, the French government launched a new warning system for small- and medium-sized companies to support them in the event of cyberattacks, informing businesses of the actions they should take in response to incidents. The system was presented by Cédric O, secretary of state in charge of Digital Transition and Electronic Communications, along with other senior officials.

According to a government press release, when a vulnerability or an attack campaign that is particularly critical for small and medium companies is detected, a brief and understandable notice for business leaders is published by the national victim assistance system and the National Agency for the Security of Information Systems (ANSSI). It is then transmitted to bodies including interprofessional organizations, the consular networks of the Chambers of Commerce and Industry (CCI) and the Chambers of Trades and Crafts (CMA), before being relayed as widely as possible to business leaders. The French government believes the speed of information and the ability to take immediate action will allow companies to better protect themselves and therefore limit the impact of cyberattacks on the French economic fabric.

UK Ministry of Defence completes maiden bug bounty program

In August, the UK Ministry of Defence (MoD) announced the completion of its first bug bounty program. In association with HackerOne, it invited ethical hackers to take part in a 30-day challenge to investigate and identify vulnerabilities in its digital assets that required fixing, granting them direct access to its internal systems. The program aimed to help the MoD better secure and defend its cyber systems and 750,000 devices, following the UK government’s new cyber strategy (released in March) to enhance the country’s cyber strength in an increasingly digital world.

Speaking at the closing of the program, MoD CISO Christine Maxwell said the MoD had embraced a strategy of security by design with transparency being integral for identifying areas for improvement in the development process. “It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy, and commitment,” she added. “Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

In the same month, the MoD also issued a call to startups to design a new generation of secure hardware and software to help the military reduce its cyberattack surface, offering to fund proposals up to £300,000 for a nine-month contract.

Italian government opens national cybersecurity agency

In August, the Italian parliament approved government plans to establish a new cybersecurity agency to combat cyberattacks targeting the nation, part of a wider strategy to create a secure, unified cloud infrastructure for the country. First announced in June, the Agenzia per la Cybersicurezza Nazionale (ACN) will consist of 300 staff initially and aims to reach 1,000 employees by 2027. It will be headed by Roberto Baldoni, deputy director general of the Department of Information for Security (DIS). Its aims include exercising the functions of national authority in the field of cybersecurity; developing national prevention, monitoring, detection, and mitigation capabilities to cope with cybersecurity incidents and cyberattacks; and contributing to raising the security of information and communications technology systems.

Adam Bangle, vice president EMEA at BlackBerry, says the success of the Italian government’s new national cybersecurity ambitions will depend on it achieving key goals. “First comes safety standardization. Establishing security standards and safe software development principles, exercising zero trust across entire systems, and ensuring that every security protocol is implemented and enforced to avoid any blind spots in perimeter defenses, should be an integral part of any national cyber strategy. Secondly, and most crucially, they must take a proactive, prevention-based security posture to cybersecurity.”

UK government kicks off Cyber Runway business growth program

In August, the UK government unveiled the Cyber Runway project, aimed at sparking growth in the UK’s cybersecurity sector. Still in its expressions-of-interest phase at the time of writing, Cyber Runway will give entrepreneurs and businesses across the UK access to business masterclasses, mentoring, product development support, networking events, and backing to trade internationally and secure investment, so they can turn their ideas into commercial successes.

Minister for digital infrastructure Matt Warman says the project will tackle barriers to growth, increase investment, and give firms vital support to take their businesses to the next level. “The program will also support founders and innovators from a diverse range of backgrounds—targeting applicants from underrepresented groups in the UK’s cyber sector such as women and people from black, Asian and minority ethnic backgrounds.”

Cyber Runway aims to support 160 companies over the course of six months and is funded by the Department for Digital, Culture, Media and Sport (DCMS) with support from CyLon, Deloitte and the Centre for Secure Information Technologies (CSIT). “The UK’s cybersecurity ecosystem is at a critical and exciting point in its development, with both new challenges and new opportunities having arisen out of the pandemic,” adds Nick Morris, CEO at CyLon. “Cyber Runway will support UK innovators to develop the crucial security technologies that will safeguard the future of our digital economy.”


Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
