White House Charts the Course for the National Cybersecurity Strategy Implementation

The National Cybersecurity Strategy Implementation Plan document includes 65 initiatives, each assigned to respective agencies to oversee the progress.

July 17, 2023

  • The National Cybersecurity Strategy Implementation Plan document outlines how the White House envisions companies enforcing cybersecurity going forward.
  • The plan document includes 65 initiatives, each assigned to respective agencies to oversee the progress.
  • The White House noted that this “living document” would be updated annually.

Last week, the White House released a roadmap for organizations across various sectors to reinforce cybersecurity. The National Cybersecurity Strategy Implementation Plan represents the Biden administration’s efforts to shore up cyber defenses in an increasingly cyber-pervasive world.

The 57-page document outlines the White House’s vision for cybersecurity: bringing in more cybersecurity professionals and incentivizing investment in the domain. The plan includes 65 initiatives, each assigned to an agency that oversees its progress.

The White House noted that this “living document” would be updated annually. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, told Spiceworks, “Where do I start? This is a landmark good! There are so many great pearls of wise strategy that I hardly know where to start. It is easily the best piece of cybersecurity guidance to come out of the federal government.”

“CISA and Jen Easterly’s fingerprints are all over this document, and she knows better than anyone else what it is going to take to pull off federal-scale cybersecurity solutions. I’m in love with all the agility they are putting into the plan, putting a priority on speed. I’m in love with the idea of proactively taking away cybercriminal safe-havens. I’m in love with the idea of an annual assessment and taking the lessons learned to update the next plan.”

The plan stands on five pillars, which are:

Pillar: Defend Critical Infrastructure
Constituents:
  • Establish Cybersecurity Requirements to Support National Security and Public Safety
  • Scale Public-Private Collaboration
  • Integrate Federal Cybersecurity Centers
  • Update Federal Incident Response Plans and Processes
  • Modernize Federal Defenses
Activity in Focus: Update the National Cyber Incident Response Plan

Pillar: Disrupt and Dismantle Threat Actors
Constituents:
  • Integrate Federal Disruption Activities
  • Enhance Public-Private Operational Collaboration to Disrupt Adversaries
  • Increase the Speed and Scale of Intelligence Sharing and Victim Notification
  • Prevent Abuse of U.S.-Based Infrastructure
  • Counter Cybercrime, Defeat Ransomware
Activity in Focus: Deter ransomware

Pillar: Shaping Market Forces and Driving Security and Resilience
Constituents:
  • Drive the Development of Secure IoT Devices
  • Shift Liability for Insecure Software Products and Services
  • Use Federal Grants and Other Incentives to Build in Security
  • Leverage Federal Procurement to Improve Accountability
  • Explore a Federal Cyber Insurance Backstop
Activity in Focus: Identify and reduce gaps in software bill of materials (SBOM)

Pillar: Invest in a Resilient Future
Constituents:
  • Secure the Technical Foundation of the Internet
  • Reinvigorate Federal Research and Development for Cybersecurity
  • Prepare for Our Post-Quantum Future
  • Secure Our Clean Energy Future
  • Develop a National Strategy to Strengthen Our Cyber Workforce
Activity in Focus: Cybersecurity standardization and enhanced U.S. federal agency participation

Pillar: Forging International Partnerships to Pursue Shared Goals
Constituents:
  • Build Coalitions to Counter Threats to Our Digital Ecosystem
  • Strengthen International Partner Capacity
  • Expand U.S. Ability to Assist Allies and Partners
  • Build Coalitions to Reinforce Global Norms of Responsible State Behavior
  • Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services
Activity in Focus: Bilateral and multilateral collaboration to create an International Cyberspace and Digital Policy Strategy


“With the release of the National Cybersecurity Strategy Implementation Plan, the Biden-Harris Administration took a critical step most organizations fail to take after creating a strategy,” Avishai Avivi, CISO at SafeBreach, told Spiceworks.

“As a lifelong leader, I am truly impressed with the level of detail and specificity that The Administration set forth in this document. It provides quite a bit more clarity as to how it intends to convert strategy into action. In the next week, I will do a deep dive to unpack this plan along the same lines I unpacked The Administration’s cybersecurity strategy.”

Most of the initiatives laid out by the White House are scheduled for completion by the end of 2024 and early 2025, except for two initiatives with a completion date set for 2026. Each initiative is owned by an assigned agency, while the Office of the National Cyber Director (ONCD) is tasked with coordinating the activities.

The White House’s National Cybersecurity Strategy Implementation Plan also includes assessing the effectiveness of these initiatives.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, explained to Spiceworks how the new undertaking would help cyber defense. “A few parts of this plan stick out to me for going further than previous efforts to shore up national cybersecurity. The first is a National Cyber Incident Response Plan. This will allow the government and its partners to respond in unison against a threat, rather than each organization going it alone.”

“This will improve transparency and awareness of the threat landscape and hopefully prevent multiple orgs from falling victim to the same attack. Increasing transparency by promoting software bills of materials,” Bischoff continued.

“A bill of materials is like a recipe listing all the ingredients used to create software. Most software contains a mix of open-source and proprietary third-party components. If any of those ingredients are compromised, all developers who incorporate them into their software can be alerted and take action. This will help prevent widespread software supply chain attacks like SolarWinds in 2020.”

Bischoff added that standardizing a quantum-resistant public key cryptography algorithm would also future-proof encryption standards.

However, experts also urged caution about the new initiative, specifically regarding vulnerability management.

“It appears that the initiative may require software and operating system vendors to automatically update their software and OS with little to no effort on the user’s part. While this would help protect against future cyberattacks, it could also cause trouble for corporate IT departments,” Chris Hauk, consumer privacy champion at Pixel Privacy, told Spiceworks.

“As a former IT worker, I know that the companies I have worked for first run any patches or updates on test machines to ensure that the updates do not break other software or cause issues with hardware. If automatic updates and patches are a part of the future, users should have the opportunity to delay such updates so that they may be tested.”

Hauk further opined, “One of the three biggest lies is ‘I’m from the government, and I’m here to help.’ So I am admittedly suspicious of any regulations or agreements any government puts into place. Relying on the government or big tech to protect users’ privacy or to protect against cyber attacks is a fool’s errand.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
