By Gregory Hale
No one can deny the federal government’s desire and need to stay ahead of the growing global threat of cybersecurity attackers, and when President Biden’s National Cybersecurity Strategy Implementation Plan released last week, the issue is it seems to be all talk and the potential for more regulation.

As it is right now, the strategy calls for two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace:

  1. Ensure the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk
  2. Increase incentives to favor long-term investments into cybersecurity

This plan details 69 high-impact federal initiatives with each assigned to a responsible agency and has a timeline for completion. Eighteen agencies are leading initiatives in this whole-of-government plan with the Office of the National Cyber Director (ONCD) coordinating the activities.

18 Government Agencies
Not to be cynical, but it is difficult enough for one or two government agencies to coordinate a plan, with 18 agencies taking part in the initiatives, the mind glazes over in wonderment.

Schneider Bold

“Although ambitious in scope, the National Cybersecurity Strategy Implementation Plan falls short in specifics,” said Dwan Chowdhury, chief executive at cybersecurity provider malcrawler. “High-level strategies are laid out in the document for safeguarding crucial infrastructure, neutralizing threat actors, directing market forces toward security, making investments in a resilient future, and forming global alliances.

“The difficulty with the implementation plan is that it applies specifically to government agencies with a trickle-down effect (eventually) to industry verticals,” said Ron Fabela, field chief technology officer at Xona Systems. “This is especially true for those verticals that haven’t seen broad stroke regulation. The National Cybersecurity Strategy and its Implementation Plan for defending critical infrastructure, clearly outlines the milestones for government to introduce more and more regulation via existing legislative channels. The issue at hand is whether the industrial community will derive any additional benefits from it.”

Within the National Cybersecurity Strategy there are five pillars that lay out initiatives to follow. The following are examples from each pillar:

Pillar One, Defending Critical Infrastructure. Update the National Cyber Incident Response Plan: During a cyber incident, it is critical the government acts in a coordinated manner and that private sector and SLTT partners know how to get help. The Cybersecurity and Infrastructure Security Agency (CISA) will lead a process to update the National Cyber Incident Response Plan to more fully realize the policy that “a call to one is a call to all.” The update will also include clear guidance to external partners on the roles and capabilities of Federal agencies in incident response and recovery.

Pillar Two, Disrupting and Dismantling Threat Actors. Combat Ransomware: Through the Joint Ransomware Task Force, the Administration will continue its campaign to combat ransomware and other cybercrime. The FBI will work with federal, international, and private sector partners to carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds and web fora offering initial access credentials or other material support for ransomware activities.

Pillar Three, Shaping Market Forces and Driving Security and Resilience. Software Bill of Materials: Increasing software transparency allows market actors to better understand their supply chain risk and to hold their vendors accountable for secure development practices. CISA continues to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally accessible database for end of life/end of support software and convene an international staff-level working group on SBOM.

Pillar Four, Investing in a Resilient Future. Drive Key Cybersecurity Standards: Technical standards are foundational to the Internet, and U.S. leadership in this area is essential to the vibrancy and security of cyberspace. Consistent with the National Standards Strategy, the National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish standardization of one or more quantum-resistant public key cryptographic algorithms.

Pillar Five, Forging International Partnerships to Pursue Shared Goals. International Cyberspace and Digital Policy Strategy: Cybersecurity is inherently global, and policy solutions must reflect close collaboration with our partners and allies. The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. State will also work to catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.

With the plan, there are already thoughts of political gamesmanship.

Politics in Play
“The plan’s release coincides with upcoming elections, making its announcement’s timing particularly noteworthy,” Chowdhury said. “The plan has already faced resistance from the GOP, with Reps. Mark E. Green, R-TN, and Andrew Garbarino, R-NY, stating, ‘We remain steadfast in our belief that the Biden administration must streamline existing regulations while working with the private sector to identify new opportunities for partnership rather than punishment.’”

Part of the plan also talks about the government and private sector working together, something the public sector has been talking about at length for quite some time.

“The plan’s emphasis on greater intelligence sharing, as stated in Strategic Objective 2.3, is a significant cause for concern,” Chowdhury said. “The federal government’s post-September 11 push for increased cooperation within the intelligence community is echoed by this objective. But even 20 years later, this is still a significant obstacle, raising doubts about whether the current plan can accomplish this goal.

“Initiative 4.4.3 charges the U.S. Department of Energy to create a plan to design, construct, and manage secure operational technology (OT) solutions. Although the Department of Energy has a long history of involvement in securing OT/SCADA, most of its experience is with the pipeline and power utility industries. This raises questions about the department’s ability to apply its knowledge to other crucial industries like manufacturing and water, which also demand high levels of security,” Chowdhury said.

In viewing the plan, Fabela feels regulation appears inevitable.

“This plan is a detailed and milestone driven follow-up to the Nation Strategy released earlier this year,” Fabela said. “Pillar 1 outlines the goals for defending critical infrastructure with the implementation plan detailing action items that fall into common themes: Regulatory harmonization, public-private partnerships, and finalization/codification of key plans and review boards. Overall, the plan assigns 69 initiatives to 18 different agencies to action the executive branches strategy. Reviewing the plan and listening to ONCD Acting Director Kemba Walden’s remarks at the ITI hosted press conference, there is a clear flow to the Pillar 1 implementation vision.

Underpin Future Regulation
“First actions include harmonizing requirements with the eventual release of a NIST Cybersecurity Framework 2.0 that would underpin future regulation. The implementation plan for defending critical infrastructure specifically uses ‘requirements’ while also stating ‘use existing authorities to set necessary cybersecurity requirements in critical sectors.’ The challenge for the implementation plan is that critical sectors, or what CISA defines as ‘Sector Risk Management Agencies (SRMAs),’ may have federal agency oversight but is comprised of private industry with few sectors forced to meet cyber regulations. As an example, while some of the nation’s electric grid is regulated by NERC most of this critical sector is privately owned, from large investor-owned utilities to my local municipality and has no overall regulation for secure operations. This challenge is repeated across all 16 SRMAs with this implementation plan looking to setup the foundation for new regulation while bolstering ‘public-private’ partnerships.

“Acting Directory Walden closed her remarks at the ITI conference with: ‘Please use this document, we wrote it to guide to federal government actions, but we published it for you’ emphasizing the goal of collaboration. While collaboration efforts have increased in the past decade for critical infrastructure sectors this implementation plan lays out the roadmap for how standards become requirements and then regulation,” Fabela said. “It shows a path for how information sharing becomes federal reporting. The National Cybersecurity Strategy and its implementation plan makes it clear to private critical sectors: Regulation is coming, get involved now.

Chowdhury feels there is a vision, but not enough details for the OT environment to move forward.

Specifics Needed
“The high-level approach of the plan presents difficulties for industry participants, particularly those working in the OT sector,” Chowdhury said. “These operators need clear implementation strategies and detailed guidelines to understand how the project will affect their operations or how they can use it to strengthen their security posture.

“Despite providing a comprehensive vision for enhancing the country’s cybersecurity, the National Cybersecurity Strategy Implementation Plan’s high-level approach is hard to analyze because it is too early for specific implementation strategies,” Chowdhury said. “To address these issues and ensure the plan is successfully implemented, it will be essential for the Biden administration or the next President to interact with industry stakeholders and political opponents alike as the plan moves forward, but the next President can cancel this strategy altogether if they like.”


Pin It on Pinterest

Share This