The much-anticipated implementation plan for the Biden administration’s National Cybersecurity Strategy was released late last week, and a flurry of updating and improvement work is now expected, particularly at federal civilian agencies that maintain legacy systems.
The document, which was referred to as “living” (and will likely see a second version released in less than a year), establishes 65 high-impact initiatives that agencies will be required to meet within set timelines for each. A greater degree of public-private partnership is also being promoted, and critical infrastructure companies are looking at new ransomware payment and cyber incident reporting requirements.
Cybersecurity strategy calls for “fundamental shift” in cyberspace responsibilities
The growth of public-private partnerships is a central focus for the administration’s cybersecurity strategy, named as the first of the listed “fundamental shifts” that the implementation plan requires. Most interestingly, the plan calls for looping in private sector partners on operations to actively disrupt players in the “ransomware ecosystem.” The plan also calls for more government involvement in developing software bill of materials (SBOM) standards, to be applied to third-party vendors in a bid to reduce supply chain risk. The plan names the “biggest, most capable, and best-positioned entities” as those expected to carry additional weight in these areas.
The National Cybersecurity Strategy Implementation Plan (NCSIP) contains a total of 65 federal initiatives, each to be assigned to at least one responsible agency and given a timetable for completion. In total there are 18 agencies that are leading some sort of initiative, with the Office of the National Cyber Director (ONCD) coordinating and issuing an annual report to the President and Congress on how implementation is coming along. ONCD is also reportedly working on cybersecurity regulatory harmonization guidance that is expected to be published in the near future, and will head up exercises and teams aimed at disrupting threat actors.
In addition to the “fundamental shifts” of onboarding more private sector cybersecurity strategy partners and spurring long-term investment in cybersecurity via an incentive system, the implementation plan names five “pillars” that represent the core strategic objectives: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces in driving security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.
Actual impact of implementation plan debated by experts
A formal update to the “2.0” version of the implementation plan is set for spring 2024, but the document is designed to be updated at any time in response to emerging cyber threats.
Some of the included cyberstrategy initiatives have already been completed, such as formal authorization of the Cyber Safety Review Board and development of a new cyber implementation plan for the Pentagon. Rather than mapping out all cybersecurity improvements made by all federal (and civilian) agencies, the plan is focused on “high impact” efforts that are both a matter of strategic priority and that involve inter-agency cooperation.
Conversely, some of the cyberstrategy initiatives are more long-term, with completion dates set for sometime in 2025. Among the more near-term goals is a public-private project to create a standardized label for Internet of Things (IoT) devices that would allow consumers to easily see the country of origin, key safety features and indicators about data collection practices. The current proposal is a standardized barcode or QR code that consumers can scan to quickly bring this information up on a phone or tablet. Another piece of the implementation plan slated for early 2024 is the establishment of a federal “backstop” for cyber insurance that could be called in during “catastrophic” events. In its present state the plan is funded through fiscal year 2026, which runs until the end of September of that year.
One of the most long-term and involved projects is the DOJ’s proposed expansion of scope of the False Claims Act to specifically pursue “knowing” cybersecurity failures among vendors with federal contracts and grants. This would see civil actions brought against contractors that willfully misrepresent their cybersecurity status or practices, that make use of or provide deficient cybersecurity products, or that fail to properly monitor and report breach incidents.
Though the implementation plan is large and ambitious, security experts remain divided on how effective it will ultimately prove to be. Amy Baker, Security Education Evangelist for Security Journey, sees an issue with the lack of training requirements: “There are a number of promising takeaways from the implementation plan for the White House Cyber Strategy, particularly given the significant software security focus. It’s great to see not only initiatives directed at leveraging SBOMs to mitigate risk and shift liability for insecure products, but also dedicated plans for improving IoT security. This is a crucial step given that in the healthcare industry, for example, the safety of connected devices continues to cause serious concerns – around 53% of IoT devices in hospitals have known critical vulnerabilities – and could even pose a threat to life. Yet the plan does miss a key component: training. How can developers deliver more secure software, use SBOMs and ensure the safety of IoT devices without being empowered by knowledge of secure coding? When secure coding isn’t prioritized by higher education or industry, developers aren’t an active part of the solution for reducing vulnerabilities. Without prioritizing education for developers and everyone that supports them across the software development lifecycle, application security may not be achievable and implementing these initiatives will simply not be effective.”
And Chris Hauk, Consumer Privacy Champion at Pixel Privacy, sees trouble brewing in the cybersecurity strategy’s lack of organizational control over patching requirements: “One of the three biggest lies is “I’m from the government, and I’m here to help.” So I am admittedly suspicious of any regulations or agreements any government puts into place. Relying on the government or big tech to protect users’ privacy or to protect against cyber attack is a fool’s errand. It appears that the initiative may require software and operating system vendors to automatically update their software and OS with little to no effort on the user’s part. While this would help protect against future cyberattacks, it could also cause trouble for corporate IT departments. As a former IT worker, I know that the companies I have worked for first run any patches or updates on test machines to ensure that the updates do not break other software or cause issues with hardware. If automatic updates and patches are a part of the future, users should have the opportunity to delay such updates so that they may be tested.”
And Ani Chaudhuri, CEO of Dasera, thinks that the cybersecurity strategy overlooks small-to-medium businesses, which are by far the bulk of government vendors: “… I would like to challenge the primary emphasis on the responsibilities of the ‘biggest, most capable, and best-positioned entities.’ While these entities undoubtedly have a role to play, it’s crucial to remember that cybersecurity is not merely the domain of the large and powerful. Small and medium enterprises (SMEs), which constitute the vast majority of businesses and are often part of the supply chains of larger corporations, must also be equipped with the tools and knowledge to defend against cyber threats … despite the ambitious plan laid out, execution will be key. The question now is whether these policies will be implemented in a way that effectively reduces cyber risk. As a cybersecurity professional, I look forward to seeing these initiatives take shape and am hopeful about the impact they could have on our nation’s cyber defenses.”
Other analysts see much more positive than negative in the implementation plan’s terms. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, is one of its most enthusiastic supporters: “Where do I start? This is a landmark good! There are so many great pearls of wise strategy that I hardly know where to start. It is easily the best piece of cybersecurity guidance to come out of the federal government. CISA and Jen Easterly’s fingerprints are all over this document and she knows better than anyone else what it is going to take to pull off federal-scale cybersecurity solutions. I’m in love with all the agility they are putting into the plan, putting a priority on speed. I’m in love with the idea of proactively taking away cybercriminal safe havens. I’m in love with the idea of an annual assessment and taking the lessons learned to update the next plan.”
And Sounil Yu, Chief Information Security Officer at JupiterOne, sees the focus on standardized regulations as the biggest positive for organizations: “Regulatory harmonization as the first item on the implementation plan is a great sign that the White House is hearing industry’s concerns. Without harmonized regulations, we must comply with a multitude of different standards, much of which are redundant and sometimes even conflicting. Harmonization will help make the already difficult job of cybersecurity a bit easier and more streamlined.”
Avishai Avivi, CISO at SafeBreach, additionally notes that the format of the cybersecurity strategy is such that it is set up for success: “With the release of the National Cybersecurity Strategy Implementation Plan, the Biden-Harris Administration took a critical step most organizations fail to take after creating a strategy. The Administration created a crucial mapping of each of the strategic objectives it established earlier in the year to an implementation plan. Each objective contains one to five specific initiatives. These initiatives are described at a high level, along with the agency that owns the initiative, the different agencies that will contribute, and a specific timeline for the initiative to be completed. Most of the initiatives are set to complete by the end of 2024 and the beginning of 2025, with only two initiatives set out to complete in 2026. As a lifelong leader, I am truly impressed with the level of detail and specificity that The Administration set forth in this document. It provides quite a bit more clarity as to how it intends to convert strategy into action. In the next week, I will do a deep dive to unpack this plan along the same lines I unpacked The Administration’s cybersecurity strategy.”