The White House has released details about how it plans to implement the National Cybersecurity Strategy, its ambitious framework released in March that aims to both increase defenses against cybercriminals and incentivize organizations to design security into their products from the start.
The strategy is a massive undertaking and the roadmap released Thursday includes 65 federal initiatives for implementing the plan across five overarching goals, which include defending critical infrastructure, disrupting ransomware threat actors and creating incentives for organizations to invest in secure development practices. The plan’s implementation involves 18 different agencies across the government, including the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS) and the Treasury Department, among others.
Kemba Walden, acting National Cyber Director for the Office of the National Cyber Director (ONCD), which is in charge of coordinating these initiatives, called the strategy “our North Star.” However, the implementation of the plan is not an end goal in itself, she said, but rather a flexible set of goals that will change as the threat landscape continues to evolve and as initiatives are completed.
“The implementation plan is a living document and it is iterative in nature,” said Walden on Thursday during an Information Technology Industry Council event. “It will be fundamental to the success. The strategy is meant to be enduring and is crafted to guide policy across the decade in which we find ourselves. The implementation plan, on the other hand… we will continue to update.”
The National Cybersecurity Strategy, like other recent government measures, aims to create market incentives for a secure-by-design model, and it marks one of the bolder plans put out by the White House in shifting the onus for security toward manufacturers. While "secure-by-design" may seem like a simple concept, it will be a demanding undertaking for both government agencies and private sector organizations; manufacturers have not historically implemented practices to develop products securely from the beginning, for a number of reasons, including added costs, time-to-market constraints and lack of education.
To get a better sense of the extent to which manufacturers should be responsible for the security of their products, the ONCD is being tasked with developing a software liability framework through working with Congress, the private sector, academic researchers and others. This will be spearheaded through a legal symposium that will explore different ideas for the framework by the second quarter of 2024. The ONCD will also develop materials to encourage the use of federal grants in aiding manufacturers to build in various security measures.
Internet of Things (IoT) devices, known to be insecure, are another top focus, and the plan includes initiatives for changing Federal Acquisition Regulation requirements for connected devices and for creating a U.S. government IoT security labeling program. Other initiatives pertain to coordinated vulnerability disclosure, federal cyber insurance and funding for security research.
“The principles of secure-by-design really reflect the shift in the strategy toward asking… the biggest and most capable players to do more to drive security in the ecosystem, rather than asking all the small players to meet the security demands themselves,” said Tom McDermott, deputy assistant secretary for Cyber, Infrastructure, Risk and Resilience Policy at the DHS.
Critical Infrastructure Security
Another top priority outlined in the White House’s strategy revolves around hardening security defenses for critical infrastructure entities, something that has been a top concern for the government and private sector alike particularly since the Colonial Pipeline ransomware attack.
The implementation plan highlights an undertaking by the ONCD to identify and set various security requirements for critical infrastructure entities, as well as a CISA initiative to scale public and private sector collaboration efforts in adopting secure-by-design technology in the critical infrastructure landscape. As CISA has previously touted, this public-private sector relationship is an important piece of securing critical infrastructure and another initiative will look at new information-sharing opportunities and collaboration platforms and processes between these two parties.
“I think that the [implementation] document is a great example [of how], although we see that we do need for requirements and regulations where necessary, public-private partnership really remains a core element and theme of our approach to cybersecurity,” said McDermott.
Another initiative in the implementation plan looks at modernizing and securing unclassified federal systems, a noteworthy push particularly after it was revealed this week that several U.S. government agencies were targeted in a cyberattack by a China-based threat group that accessed unclassified email data. The cyberattack was discovered by a federal agency after it observed an anomaly in its Microsoft 365 cloud environment via the audit logs.
The CISO Takeaway
Other strategy initiatives center on the disruption and dismantling of threat actors, the development of international partnerships and the implementation of key cybersecurity standards to enhance Internet security measures. As part of this latter goal, the ONCD will create an open-source software security initiative to help organizations adopt memory-safe programming languages, in an aim to tackle issues stemming from open-source security as highlighted by the Log4j flaw.
Many of these initiatives aim to tackle tough security challenges, such as ransomware attacks, and that will help businesses in the long run. Sounil Yu, CISO at JupiterOne, said the “harmonization” of the National Cybersecurity Strategy “will help make the already difficult job of cybersecurity a bit easier and more streamlined.”
“Regulatory harmonization as the first item on the implementation plan is a great sign that the White House is hearing industry's concerns,” said Yu. “Without harmonized regulations, we must comply with a multitude of different standards, many of which are redundant and sometimes even conflicting.”
Rick Holland, CISO at ReliaQuest, said that the types of incentives that will be offered up as part of the government’s vision of private and public sector collaboration will be a critical piece of the strategy.
“The National Cybersecurity Strategy focuses on private sector partnership in many areas with comments like ‘robust collaboration’ and ‘a call to one is a call to all,’” said Holland. “Private sector organizations must have strong incentives to pick up this partnership mantle. Defending critical infrastructure costs money, and without funding approved by Congress, it could be a challenge to make significant progress on implementing this strategy.”