These questions and more are addressed in the new White House National Cybersecurity Strategy Implementation Plan, which was released on July 13, 2023.
A fact sheet on the topic offered the headline “Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan” and said:
“President Biden has made clear that all Americans deserve the full benefits and potential of our digital future. The Biden-Harris Administration’s recently released National Cybersecurity Strategy calls for two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace:
- Ensuring that the biggest, most capable and best-positioned entities — in the public and private sectors — assume a greater share of the burden for mitigating cyber risk
- Increasing incentives to favor long-term investments into cybersecurity
“Today, the Administration is announcing a road map to realize this bold, affirmative vision. It is taking the novel step of publishing the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination. This plan details more than 65 high-impact federal initiatives, from protecting American jobs by combatting cyber crimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy.”
Federal News Network — White House puts national cyber strategy into practice with implementation plan: “The Biden administration is giving agencies marching orders to make its cyber policy goals a reality. …
“The plan puts 18 agencies in charge of leading at least one initiative, although much of its goals will require interagency coordination.
“Acting National Cyber Director Kemba Walden said Thursday that the implementation plan is a ‘living document’ that will be updated annually to reflect the federal government’s evolving response to emerging threats.
“Walden said agencies are already putting many of the implementation plans into practice, and that a ‘version 2.0’ will be released next spring.
“'A strategy is only useful if it guides coherent action,' Walden said at an Information Technology Industry Council event marking the release of the implementation plan."
Dark Reading — White House Fills in Details of National Cybersecurity Strategy: “Several security professionals this week perceived the NCSIP as important for Biden's cybersecurity strategy to move forward and said its relatively aggressive deadlines convey the right sense urgency to stakeholders. But some wondered — as they have previously — about how it would succeed without adequate funding and bipartisan support in Congress.”
CSO Magazine — Implementation plan turns US National Cybersecurity Strategy into concrete objectives: “It’s pretty unusual to see as detailed of an implementation plan published for a national strategy. The administration and the ONCD [Office of the National Cybersecurity Director] should get credit for pushing through and publishing an implementation plan like this,” Michael Daniel, head of the Cyber Threat Alliance and former White House cyber official, tells CSO.
“Like the strategy itself, the NCSIP is structured according to five pillars:
- Defending Critical Infrastructure
- Disrupting and Dismantling Threat Actors
- Shaping Market Forces and Driving Security and Resilience
- Investing in a Resilient Future
- Forging International Partnerships to Pursue Shared Goals.
“The NCSIP adds a sixth element not contained in the original strategy: Implementation-wide initiatives, which calls for future reporting on strategy implementation progress, applying lessons learned from implementing the strategy, and ensuring federal budgetary guidance aligns with the strategy’s implementation.”
Help Net Security — White House publishes National Cybersecurity Strategy Implementation Plan: “The administration looks forward to implementing this plan in continued collaboration with the private sector, civil society, international partners, Congress, and state, local, tribal and territorial governments. As an example of the administration’s commitment to public-private collaboration, ONCD is also working on a request for information regarding cybersecurity regulatory harmonization that will be published in the near future.
“The NCSIP is not intended to capture all Federal agency activities in support of the NCS.”
OTHER COMMENTS FROM CYBER INDUSTRY LEADERS
I’ve received many emails from cyber industry leaders who provided their comments on the new implementation plan. Here is a sampling of their thoughts:
Ron Nixon, federal CTO, Cohesity: “I’m glad to see the White House prioritizing the standardization of best practices for cyber resiliency and creating a foundation for trust between different government agencies and the private sector. Implementing a strong foundation for information exchange between these different groups (such as CISA’s effort to improve information exchange platforms) will make it easier for organizations with fewer resources to understand, prioritize and respond to threats. Initiatives like the one CISA is taking to provide resources, training and threat scanning to high-risk ransomware targets, like hospitals and schools, are a great thing to see.
“However, the balance between accountability for security best practices and not over-regulating remains tricky. I’d like to see more clarity around how different agencies will lay down industry-specific guidance, as groups like hospitals, banks and SaaS startups will all have different assets, talent and capabilities. My hope is that once the National Security Council clarifies this, and private-sector organizations are clear on best practices and nuances for their specific industry, they can then bring their entire organization up to par, holding their leadership — from cyber, to IT, risk, legal and HR — accountable for fulfilling their end of the bargain.”
John Hernandez, president and general manager, Quest Software: “The White House’s new national cybersecurity strategy implementation plan helps fill a crucial gap in guidance and education regarding protecting cloud and hybrid environments, especially as organizations like federal agencies, hospitals and schools move away from legacy infrastructure. The federal government has been boosting cloud-first initiatives since 2016 and made a push on zero trust in recent years, but they’ve taken even greater strides in promoting cyber protection by investing in updating the National Cyber Incident Response Plan, working with other agencies to fully implement cyber incident reporting requirements through [the Cyber Incident Reporting for Critical Infrastructure Act of 2022] CIRCIA, and prioritizing holding IaaS providers and software makers to secure-by-design standards.
“However, while the strategy can take away much of the burden of setting cybersecurity standards and helping organizations with limited resources, private-sector leaders still need to hold themselves accountable and create a proactive, long-term resilience strategy. My recommendation is for enterprises with legacy infrastructure to invest in resilience from the inside out, from both a technology and culture perspective, and ensure everyone has a stake in adapting to the latest ups and downs in the security ecosystem.”
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity during the Obama administration: “Plausible deniability is dead. Liability regimes will now be expended. You can no longer just say you’re a victim when you’ve been negligent with cybersecurity in the private sector. Cybersecurity sectors will modernize in parallel.
“The U.S. government will invest more robustly in cybersecurity. U.S. government is demanding that agencies utilize existing authorities to regulate cybersecurity within critical infrastructure.
“I’m most enthusiastic about the functional shift in agencies who now have the authority to go on the offensive and disrupt and dismantle cyber crime cartels and spies around the world forcing the once untouchable adversaries to play defense.
“To be clear, there has never been a holistic proactive national cybersecurity strategy ever enacted. But in the same vein, the cyber insurgency and guerrilla war in American cyber space has reached a tipping point.”
Colin Little, security engineer with threat intelligence provider Centripetal: “I applaud the Biden-Harris administration for putting cybersecurity and the awareness for cybersecurity at the forefront. As an industry, we are failing to keep up with the cyber criminals. By 2025, cyber crime will cost the world $10.5 trillion annually, and every day we read about a cyber incident that has major implications to enterprises, consumers and communities around the globe. The recent cybersecurity strategy that has been outlined by the administration is a good first step but it’s missing some core details. Cyber threat intelligence needs to be at the center for all enterprises because we know that 95 percent of all breaches had available threat intelligence and therefore could have been prevented.
“Organizations need to explore what their threat intelligence feeds do for them and what they protect from. The fundamentals of working with intelligence of any kind is to gather the intelligence from multiple sources. Some feeds only focus on malware or phishing attacks. It’s imperative that companies implement more than one threat provider to protect themselves from emerging cyber threats. Education and awareness around this is a great first step, but what’s more important is putting this into action and implementation.”
FINAL THOUGHTS
I echo the comments of former White House cyber official Michael Daniel (see above) that this type of detailed plan is pretty rare and this release offers a breath of fresh air regarding government cybersecurity strategies and plans.
Why? Because they will be held more accountable for real action.
While we can argue about specific details, and I’m sure we will in the years ahead and as these projects get implemented or not, the overall effort offers a new approach to dealing with our substantial national problems related to cyber defense.
I look forward to seeing how this process progresses, and the updated report next spring and emphasis on a “living document” by Acting National Cyber Director Kemba Walden make this an important historical milestone in the creation and implementation of cyber plans globally.
The whole world is watching, so let’s get to work America.
