U.S. President Biden’s administration this week released the first iteration of the National Cybersecurity Strategy Implementation Plan, which was announced in March 2023. The plan aims to boost public and private cybersecurity resilience, take the fight to threat actors, beef up the defense of infrastructure and draw a clear national roadmap of cybersecurity responsibilities.
What are the pillars of this cybersecurity plan?
Each initiative in the plan aligns with one of the five essential pillars:
- Defend critical infrastructure.
- Disrupt and dismantle threat actors.
- Shape market forces to drive security and resilience.
- Invest in a resilient future.
- Forge international partnerships to pursue shared goals.
There are more than 65 federal initiatives under the banner of a National Cybersecurity Strategy Implementation Plan. According to a White House document about the plan, it looks at two critical areas: the need for more “capable actors” in cyberspace to shoulder more cybersecurity responsibilities and the need to incentivize and invest in long-term resilience.
Eighteen agencies will lead the whole-of-government plan, which consists of a variety of activities, including updating the National Cyber Incident Response Plan and combating ransomware via the Joint Ransomware Task Force.
SEE: The White House is also eyeing AI (TechRepublic)
Wanted: National cyber director
Drew Bagley, CrowdStrike’s vice president, Counsel of Privacy and Cyber Policy, who the company said had an early look at the White House’s plan, commented on the federal government’s order of operations running through fiscal 2026.
He said, “This is especially important because many items in the Strategy include multiple dependencies. While the Implementation Plan covers a lot of ground, it’s clear that the authors applied significant focus on the broad application of Secure-by-Design/Secure-by-Default principles.”
Referring to the first pillar, which is focused on securing infrastructure with a concentration on private/public partnerships, Bagley said the Plan not only dedicates attention to clarifying the roles of risk management agencies but also places important responsibilities in the hands of the Office of Management and Budget.
The Plan’s release comes a day after the Cybersecurity Coalition — with four other security and software industry groups cosigning — sent a letter to the White House urging the Biden administration to nominate a new National Cyber Director before the end of the month.
Bagley pointed out that the Office of the National Cyber Director will also lead certain key initiatives, including driving regulatory harmonization, running exercise scenarios and establishing cells to increase adversary disruption efforts.
Software supply chain is a new focus
The third pillar of the Implementation Plan focuses on securing the software supply chain, focused on software design resilience. VMware’s principal cybersecurity strategist Rick McElroy lauded this plan; he said securing cloud software — software as a service — needs special focus.
“The current NCSIP shows this administration’s commitment to cybersecurity, building on executive orders and funds dedicated to transforming and modernizing the federal government’s cybersecurity posture, which is long overdue,” McElroy said. “One consideration for this, however, is a Software Bill of Materials for Cloud software. What is a Cloud SBOM? What does that look like? Conversely, how can SBOMs be applied to practical cybersecurity defense to take advantage of that data to cut down noise?”
He added that the current working group being led by the Cybersecurity and Infrastructure Security Administration is working to address this. “But there remains a gap in SBOM discussions. SaaSBOM is a must in a cloud-first world,” McElroy emphasized.
Plan includes taking the fight to cybercriminals
The second pillar of the Plan involves the Department “Increasing the volume and speed of disruption campaigns against cybercriminals, nation-state adversaries, and associated enablers (e.g., money launderers) by expanding its organizational platforms dedicated to such threats and increasing the number of qualified attorneys dedicated to cyber work,” the Plan document states.
The fifth pillar focuses on developing international collaboration; the administration’s document said the federal government must develop coordinated operations.
“To proactively defend ourselves, we also need a real-time map of cybercriminal activity across the internet. Organizations and countries are more than ready to form coalitions with their trusted allies to create a secure and thriving digital landscape,” said Andrea Hervier, global head of partnerships at CrowdSec. Hervier was part of the French cybersecurity delegation that met with the CISA and teams at The White House in the leadup to the release of the strategy earlier this year.
Balancing security regulation and best practices
Programs such as the CISA’s effort to improve platforms for exchanging information will make it easier for organizations with fewer resources to understand, prioritize and respond to threats, according to Ron Nixon, federal chief technology officer at Cohesity and a former Army Cyber Command adviser. However, he worries about the stifling influence of over-regulation.
“The balance between accountability for security best practices and not over-regulating remains tricky. I’d like to see more clarity around how different agencies will lay down industry-specific guidance, as groups like hospitals, banks and SaaS startups will all have different assets, talent and capabilities,” Nixon said. “My hope is that once the National Security Council clarifies this, and private-sector organizations are clear on best practices and nuances for their specific industry, they can then bring their entire organization up to par, holding their leadership — from cyber to IT, risk, legal and HR — accountable for fulfilling their end of the bargain.”
The private sector must keep the focus on cyber resiliency
John Hernandez, president and general manager at Quest Software and a former senior executive at Salesforce and IBM, said the federal government has been focused on cloud-first initiatives since 2016. He cited the government’s work to fully implement cyber incident reporting requirements through the Cyber Incident Reporting for Critical Infrastructure Act of 2022, as well as holding infrastructure-as-a-service providers and software makers to secure-by-design standards.
“However, while the strategy can take away much of the burden of setting cybersecurity standards and helping organizations with limited resources, private-sector leaders still need to hold themselves accountable and create a proactive, long-term resilience strategy,” Hernandez said. “My recommendation is for enterprises with legacy infrastructure to invest in resilience from the inside-out, from both a technology and culture perspective, and ensure everyone has a stake in adapting to the latest ups and downs in the security ecosystem.”