In the same week that an industry group has put pressure on the White House to name a new National Cyber Security Director, following the departure of Chris Inglis earlier this year, the Biden administration has announced a new implementation plan to help realize its previously published National Cybersecurity Strategy.
The increasingly connected and digital nature of economies and national infrastructure means that governments are exposed to new and ever-evolving cybersecurity threats. The stakes are high as the global political environment remains unstable, and managing these risks effectively is challenging, particularly when huge swathes of the public administration are ill-equipped to do so.
The recently released National Cybersecurity Strategy called for two key fundamental shifts in how the United States allocates roles, responsibilities and resources in the digital world. It seeks to:
- Ensure that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk; and
- Increase incentives to favor long-term investments in cybersecurity.
This week the Cybersecurity Coalition wrote to the White House raising concerns that the recently resigned National Cyber Security Director, Chris Inglis, who was responsible for establishing the Office of the National Cyber Director and drafted the National Cyber Strategy, had not yet been replaced. The Coalition said that it is “concerned” about the delay and wrote:
We the undersigned organizations respectfully urge President Biden to nominate a National Cyber Director before the end of July considering the ever-changing and increasingly complex cyber landscape.
Swift action is crucial in filling this role to protect our nation against ongoing threats and effectively tackle the challenges that lie ahead of us.
This week’s implementation plan for the national cybersecurity strategy seeks to provide a roadmap for federal agencies and has 65 “high impact federal initiatives”, ranging from protecting American jobs to building a skilled cyber workforce. The plan has been described as a “living document” and will be updated as new threats and opportunities emerge.
Eighteen agencies are leading initiatives and each initiative has been assigned to a responsible agency, with a timeline for completion. The document states:
Achieving the President’s cybersecurity vision requires coordinated action across the United States Government and American society. The National Cybersecurity Strategy Implementation Plan is a roadmap for this effort.
While it does not intend to capture all cybersecurity activities being carried out by agencies, it describes more than 65 high-impact initiatives requiring executive visibility and interagency coordination that the Federal government will carry out to achieve the Strategy’s objectives.
The United States Government will only succeed in implementing the National Cybersecurity Strategy through close collaboration with the private sector; civil society; state, local, Tribal, and territorial governments; international partners; and Congress.
The document adds that some of these initiatives are underway and will be completed by the end of fiscal year 2023.
Five Pillars
The implementation plan is broken down into five pillars, which form the overarching strategy. These include:
- Pillar One – Defending Critical Infrastructure: some of the initiatives to support this pillar include establishing cybersecurity requirements to support national security and public safety; scaling public-private collaboration; integrating federal cybersecurity centers; and updating federal incident plans and processes.
- Pillar Two – Disrupt and Dismantle Threat Actors: initiatives for this include integrating federal disruption activities; enhancing public-private operational collaboration; increasing the speed and scale of intelligence sharing; and preventing abuse of US-based infrastructure.
- Pillar Three – Shape Market Forces to Drive Security and Resilience: this includes driving the development of IoT devices; shifting liability to insecure software products and services; using federal grants and other incentives to build in security; and leveraging federal procurement to improve accountability.
- Pillar Four – Invest in a Resilient Future: agencies will be tasked with securing the technical foundation of the Internet; reinvigorating federal research and development for cybersecurity; preparing for a post-quantum future; and developing a national strategy to strengthen the US’ cyber workforce.
- Pillar Five – Forge International Partnership to Pursue Shared Goals: initiatives include building coalitions to counter threats to the US’ digital ecosystem; strengthening international partner capacity; expanding the US’ ability to assist allies and partners; and building coalitions to reinforce global norms of ‘responsible state behavior’.
My take
Plans are necessary, but success is measured in execution and outcomes. Leadership is also important – and whilst some of that comes from the White House itself, this is a nationwide challenge that will require skills distributed far and wide. But a solid foundation has been laid out from which to work, in what is an increasingly complex and high-risk digital environment.