The administration first released its broad vision for improving national cybersecurity in March. The new National Cybersecurity Strategy Implementation Plan — released late last week — now outlines clearer steps for putting the objectives of the first plan into action, attaching deadlines and identifying agencies responsible.
The new implementation plan details more than 65 high-impact initiatives, some of which are underway. It is a living document, intended to be updated annually — after all, cybersecurity is continually evolving. The Office of the National Cyber Director (ONCD) will oversee the implementation and report to Congress and the president annually. A wide-ranging document, it addresses support for state and local governments, critical infrastructure resiliency, ransomware disruption, cyber insurance, post-quantum encryption and the software security landscape, among other topics.
STATE, LOCAL SUPPORT
State, local, tribal and territorial governments, as well as other entities considered to be at high risk of ransomware attacks, can expect more federal support by the first quarter of FY 2025.
The framework calls for the Cybersecurity and Infrastructure Security Agency (CISA), Joint Ransomware Task Force, Sector Risk Management Agencies (SRMAs) and other stakeholders to collaborate on "training, cybersecurity services, technical assessments, pre-attack planning and incident response." The goal is to reduce both impact as well as the likelihood of attacks.
State and local governments can also expect to see new methods for keeping sensitive data safe in the future. The Department of Homeland Security anticipates quantum computers will be capable of cracking today's key public encryption algorithms. The National Institute of Standards and Technology (NIST) is working to find new, alternate encryption to withstand quantum computing power.
According to the framework, NIST will “finalize its process to solicit, evaluate and standardize” at least one quantum-resistant cryptographic algorithm by the first quarter of FY 25.
Transitioning to a new cryptographic system can be a lengthy process, likely taking a decade or longer, Charles Tahan, director of the National Quantum Coordination Office, has said. Organizations can prepare by figuring out where their systems use vulnerable encryption methods and identifying which data to prioritize when transitioning to quantum-resistant standards. This means considering which data will still be sensitive in the future when quantum computing emerges, said Jonah Force Hill, then-director of cyber and emerging technology policy for the National Security Council, during a May 2022 panel.
CYBER INSURANCE
The federal government is also considering whether it should support the cyber insurance market during catastrophic cyber events — something also known as a cyber insurance backstop.
The idea is that if a cyber incident causes catastrophic, widespread damages, the federal government would take steps to stabilize the economy, including supporting cyber insurance companies, Dark Reading explains. Cyber insurers that have this emergency protection in place are expected to be more willing to cover certain policyholders' risks that they otherwise would avoid.
The Government Accountability Office (GAO) notes, for example, that private insurers have been reluctant to cover losses from cyber warfare or critical infrastructure outages. And managed service providers are often regarded as “almost uninsurable” due to their high risk of supply chain attacks, said Kirsten Bay, CEO of cyber insurance provider Cysurance, during a 2022 RSA Conference panel.
The federal government sees cyber insurance as a way to encourage organizations to improve cyber postures and make them more resilient.
Would-be policyholders often must meet baseline cybersecurity measures to qualify for better insurance prices. If the backstop program encourages insurers to cover more clients, that’s more entities that have incentive to improve cyber postures.
Plenty of details still need to be hammered out, officials have noted, including what such a backstop should look like and what events would trigger it. The federal government must also consider unintended consequences, including whether a federal backstop would mean that some entities take bigger risks.
The new Implementation Plan calls for CISA, ONCD and the Treasury Department’s Federal Insurance Office to assess the need for a cyber insurance backstop by the first quarter of FY 24.
CRITICAL INFRASTRUCTURE, RANSOMWARE AND MORE
The Cyber Incident Reporting for Critical Infrastructure Act, passed in March 2022, is now set to be implemented by the fourth quarter of FY 25, with CISA releasing a final rule and establishing a method for reports to be shared with relevant agencies. Once in effect, the new approach should help the federal government better understand and respond to threats.
The federal government will also look to “harmonize baseline cybersecurity requirements for critical infrastructure” by the first quarter of FY 24, and, the following quarter, will set cybersecurity requirements for the sector.
The plan also has measures that aim to make the software used by governments safer. CISA has until the fourth quarter of FY 24 to establish principles and practices software developers should follow to make offerings secure by design and by default. CISA previously released a report on this in April.
ONCD will also look to use liabilities to spur private companies to take responsibility for making and maintaining secure software. The office will host a legal symposium exploring possible approaches to a software liability framework by the second quarter of FY 24.
New measures also direct CISA to explore a software bill of materials (SBOM), which would list the components in software. Doing this can help organizations find vulnerable code more quickly once a problem is known. Some have suggested this would’ve helped organizations following the Log4shell vulnerability.
The road map also details various actions to be taken within the next couple years to help disrupt the ransomware ecosystem.
These range from discouraging other nations from harboring ransomware actors and deepening international investigations of ransomware incidents. Other action items aim to disrupt the resources ransomware actors rely on to carry out and profit from attacks. These include money laundering via virtual asset entities, sales of initial access from brokers on dark web forums and use of digital infrastructure for illicit means.
Finally, drilling down on the last item, the Implementation Plan calls for publishing a Notice of Proposed Rulemaking on requirements that infrastructure-as-a-service (IaaS) providers and resellers must follow to deter malicious use of their offerings. It will also lay out standards and procedures for assessing if the IaaS companies already have a sufficient “risk-based prevention approach” to warrant exemption from those requirements. Expect to see this by Q4 FY 23.
