White House Releases Plan to Implement National Cybersecurity Strategy
After months of speculation, U.S. President Joe Biden’s administration announced it has an implementation plan for the National Cybersecurity Strategy released earlier this year.
The National Cybersecurity Strategy was released in March 2023 and contained two major shifts in how the United States would approach cybersecurity:
- Ensuring that the biggest, most capable, and best-positioned entities—in both the public and private sectors—assume a greater share of the burden for mitigating cyber risk.
- Increasing incentives to favor long-term investments into cybersecurity.
“Today, the Administration is announcing a roadmap to realize this bold, affirmative vision,” the White House said in a fact sheet released on Thursday. “It is taking the novel step of publishing the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination."
The implementation plan contains more than 65 “high-impact” federal initiatives designed to bring about the fundamental shifts called for in the cybersecurity strategy, according to the fact sheet.
But, as any good project manager knows, plans are meaningless if their objectives are not assigned and given a timeline for completion.
The NCSIP assigns roles to agencies and provides clear timeframes for when tasks are meant to be accomplished. Eighteen U.S. government agencies will carry out this work, with the Office of the National Cyber Director (ONCD) coordinating activities under the plan.
One challenge, however, is that the ONCD is without a permanent director. Chris Inglis, who formerly held the role, retired earlier this year, and President Biden has not nominated another individual to take the job. Kemba Walden is currently the acting director.
U.S. Senator Angus King (I-ME) and U.S. Representative Mike Gallagher (R-WI), co-chairs of the Cyberspace Solarium Commission, released a statement praising the implementation plan and calling for a new national cyber director—a role created following the commission’s recommendation—to be nominated to lead the initiative.
“The National Cybersecurity Strategy issued in March provided a well-thought-out vision for our nation’s cyber defense; this implementation plan is a forward-thinking, comprehensive policy plan that can turn the strategy into action,” the co-chairs wrote. “While this implementation plan charts an appropriate and aggressive course, it only adds urgency to the need for a permanent national cyber director to be nominated to navigate the path forward.”
Below is a brief analysis of some of the main initiatives in the five pillars of the NCSIP that will likely impact a broad swath of security professionals. As an editorial note, the U.S. federal government’s fiscal year is 1 October through 30 September of the following year.
Pillar One: Defending Critical Infrastructure
A main initiative under this pillar is to update the 2016 National Cyber Incident Response Plan to ensure the U.S. federal government acts in a coordinated manner and that the private sector—and state, local, tribal, and territorial partners—knows how to get help when responding to an incident.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will lead this effort, along with providing guidance to external partners about the roles and capabilities of federal agencies during incident response and recovery, to be completed by the first quarter of fiscal year 2025.
In a statement, CISA Director Jen Easterly said the NCSIP will help develop a roadmap for a more secure, defensible, and resilient digital ecosystem.
“The NCSIP captures much of CISA’s vital work to improve the cybersecurity of our nation and better secure the critical infrastructure Americans rely on every hour of every day,” Easterly said. “From our efforts to strengthen cyber incident response and reporting to our work with the private and public sector to mitigate the risk of ransomware to our focus on ensuring technology that is secure by design, CISA looks forward to leading the way on our assigned key initiatives in concert with our partners.”
In coordination, the National Security Council will lead a policymaking process to set cybersecurity requirements across critical infrastructure sectors, to be completed by the second quarter of fiscal year 2025.
Pillar Two: Disrupting and Dismantling Threat Actors
Ransomware is a clear target under pillar two of the implementation plan, which calls on the FBI and CISA to continue working together through the Joint Ransomware Task Force to disrupt operations in the ransomware ecosystem (to be completed by the fourth quarter of fiscal year 2023).
The FBI is tasked with working with partners to disrupt virtual asset providers that enable laundering of ransomware proceeds and other material support for ransomware threat actors. CISA, meanwhile, will be tasked with offering training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets for ransomware—such as hospitals and schools—to make them more resilient to these attacks.
Additionally, the second pillar calls for the U.S. Department of Defense to publish an updated cyber strategy that is aligned with the National Security Strategy, National Defense Strategy, and National Cybersecurity Strategy, and focused on challenges posed by nation-state and malicious actors that pose a strategic-level threat to the United States and its interests (completed by the first quarter of fiscal year 2024).
The U.S. Department of Justice (DOJ) is also tasked with expanding its platforms dedicated to disruption campaigns (to be completed by the first quarter of fiscal year 2025). DOJ will do this through increasing the speed and volume of disruption campaigns against cybercriminals and nation-state actors, as well as by hiring qualified attorneys for cyber work.
U.S. federal agencies, led by the Office of the Director of National Intelligence, will also work to remove barriers to sharing cyber threat intelligence and data with critical infrastructure owners and operators. This could include expanding the availability of security clearances and intelligence access, and is to be completed by the third quarter of fiscal year 2024.
Pillar Three: Shaping Market Forces and Driving Security and Resilience
A major focus of pillar three is CISA’s work on software bills of materials (SBOMs), which are intended to give market actors greater understanding of their supply chain risk and a basis for holding vendors accountable for secure development practices.
Along with continuing to build out the SBOM program, CISA is tasked with exploring requirements for a globally accessible database of end-of-life software support and with organizing a global staff-level working group on SBOMs (to be completed by the second quarter of fiscal year 2025).
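To show why the plan pairs SBOMs with an end-of-life database, here is an added example of how a consumer might use the two together. This is illustrative code written for this page, not code from CISA, the NCSIP, or any SBOM tool; the SBOM document (in CycloneDX JSON shape), the end-of-life table, its dates, and the audit date are all constructed for the example.

```python
"""Added example: audit a small CycloneDX-style SBOM against a constructed
end-of-life (EOL) table. Not code from the article, CISA, or the NCSIP."""
import json
from datetime import date

# Constructed sample SBOM using CycloneDX field names; not a real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "purl": "pkg:generic/openssl@1.1.1w"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "mystery-blob"},  # no version, no purl
    ],
})

# Constructed EOL table keyed by (purl type, name, major.minor branch).
# None means the branch is still supported; dates are hypothetical placeholders.
EOL_TABLE = {
    ("generic", "openssl", "1.1"): date(2023, 9, 11),
    ("maven", "log4j-core", "2.17"): None,
}


def parse_purl(purl):
    """Split a package URL into (type, name, version).

    Handles the common pkg:type/namespace/name@version shape and drops any
    ?qualifiers or #subpath; it is not a full purl parser.
    """
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, rest = path.partition("/")
    name = rest.rsplit("/", 1)[-1]
    return ptype, name, version or None


def release_branch(version):
    """Reduce a version string to its major.minor branch, e.g. 1.1.1w -> 1.1."""
    return ".".join(version.split(".")[:2])


def audit_sbom(sbom_text, eol_table, today):
    """Return one finding per component: incomplete, eol, supported, or unknown.

    'incomplete' flags entries a vendor shipped without a version or purl,
    which is exactly the accountability gap an SBOM is meant to close.
    """
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name = comp.get("name", "<unnamed>")
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            findings.append({"name": name, "status": "incomplete"})
            continue
        ptype, purl_name, purl_version = parse_purl(purl)
        key = (ptype, purl_name, release_branch(purl_version or version))
        if key not in eol_table:
            status = "unknown"          # not in the EOL database at all
        else:
            eol = eol_table[key]
            status = "eol" if eol is not None and eol <= today else "supported"
        findings.append({"name": name, "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM, EOL_TABLE, date(2024, 1, 1)):
        print(finding)
```

The "unknown" status is deliberately separate from "supported": a component the EOL database has never heard of is a gap in the database (or a misnamed purl), not evidence that the component is maintained, and a consumer should treat it as unresolved rather than clean.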
Separately, the National Security Council will initiate a U.S. government Internet of Things security labeling program by the fourth quarter of fiscal year 2023.
Pillar Four: Investing in a Resilient Future
Looking to the future, pillar four tasks the U.S. National Institute of Standards and Technology (NIST) with convening an Interagency International Cybersecurity Standardization Working Group to coordinate on international cybersecurity standardization and enhance U.S. participation in the process (completed by first quarter of fiscal year 2024).
NIST will also be responsible for finishing standardization of one or more quantum-resistant public key cryptographic algorithms (by the first quarter of fiscal year 2025).
Additionally, by the third quarter of 2025, the National Security Agency (NSA) will implement the transition of National Security Systems to quantum-resistant cryptography. The NSA will prioritize transitioning vulnerable public networks and systems first, while also developing complementary mitigation strategies to provide cryptographic agility “in the face of unknown future risks,” according to the implementation plan.
Pillar Five: Forging International Partnerships to Pursue Shared Goals
Continuing with global engagement, the U.S. Department of State is tasked with publishing an International Cyberspace and Digital Policy Strategy and will work to develop staff knowledge and skillsets related to cyberspace and digital policy (completed by first quarter of fiscal year 2024).
Furthermore, the FBI is responsible for strengthening law enforcement collaboration with allies and partners to increase disruption campaigns against cybercriminals and nation-state adversaries (by the fourth quarter of fiscal year 2025).
Initial Feedback
In an article on the release of the implementation plan, R Street Institute’s Director of Cybersecurity and Emerging Threats Brandon Pugh and Resident Fellow Amy Chang called the NCSIP a “good-faith step” in the unified effort required to ensure America’s cybersecurity. They also, however, cautioned that the living implementation document could result in scope and mission creep.
“The stage is set to make full implementation a reality, but there is a lot of work ahead,” Chang and Pugh wrote. “There will need to be continued efforts to harmonize cybersecurity regulation to help avoid multiple—and sometimes conflicting—cybersecurity standards. Consider incident and breach reporting, for example. Numerous federally issued requirements already exist, which could result in a compliance nightmare and even limit the goal of improving our cyber posture.”
Cybersecurity experts did praise the elements of the implementation plan that broaden the U.S. federal government’s ability to disrupt cybercrime and malicious actors.
“I’m most enthusiastic about the functional shift in agencies who now have the authority to go on the offensive and disrupt and dismantle cybercrime cartels and spies around the world, forcing the once untouchable adversaries to play defense,” said Tom Kellermann, senior vice president of cyber strategy at Contrast Security and former member of the Commission on Cyber Security, in a statement shared with Security Management. “To be clear, there has never been a holistic proactive national cybersecurity strategy ever enacted. But in the same vein, the cyber insurgency and guerilla war in American cyberspace has reached a tipping point.”
Experts also said they hoped to see further iterations of the implementation plan as work progresses, a point King and Gallagher made as well.
“This document needs to be the first of numerous implementation plans,” the lawmakers wrote. “Ideally, we should expect to see a new National Cybersecurity Strategy Implementation Plan annually. If there is anything that we have learned about government over the last 20 years, it is that ‘execution is as important as vision,’ and that strategic plans pertaining to cybersecurity that are not properly implemented are destined to fail.”