First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March.
The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD).
Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example, Jeff Moss, the founder of the Black Hat and DEFCON conferences, posted, “This is the first time I can remember seeing a document this high-level documenting initiatives, who is responsible for it and expected completion dates. Great job, ONCD!”
The National Cybersecurity Strategy outlined two main areas of emphasis for the nation’s cybersecurity. First is the need for more capable actors to bear more responsibility for cybersecurity. Second is the need to increase incentives to invest in long-term resilience.
Now, the NCSIP aims to ensure transparency and coordination among U.S. federal government agencies to bring the strategy to life. This will be a groundbreaking shift in how the government allocates roles, responsibilities and resources in cyberspace, along with incentives for long-term investments into cybersecurity.
The NCSIP outlines over 65 “high-impact” federal initiatives to carry out the National Cybersecurity Strategy. Each initiative is designated to a specific agency along with a completion deadline date. The initiatives include targeted tasks, such as proposing new legislation or updating technology systems. Overall, 18 federal agencies have been assigned different responsibilities within the plan.
The National Cybersecurity Strategy Implementation Plan is based on five core pillars; the first two are discussed below.
Under the first pillar of the plan (Defending critical infrastructure), CISA will lead public-private partnerships with tech companies, educators, nonprofits, academia and the open-source community to drive the development and adoption of software and hardware that is secure-by-design and secure-by-default.
Secure-by-design principles should be implemented during the design phase of a product’s development lifecycle. The goal is to significantly reduce the number of exploitable flaws before products are introduced to the market.
Secure-by-default means products are secure to use out of the box, with little to no configuration changes, and that these protections are available at no additional cost. Examples of such default features include multi-factor authentication (MFA), gathering and logging evidence of potential intrusions, and controlling access to sensitive information.
Under pillar two (Disrupting and dismantling threat actors), the NSC will lead a policymaking process to establish an approach for Sector Risk Management Agencies (SRMAs) to identify sector-specific intelligence needs and priorities.
Additionally, the Office of the Director of National Intelligence, in coordination with DOJ and DHS, will review policies and procedures for sharing cyber threat intelligence with critical infrastructure owners and operators. The need for expanding clearances and intelligence access will also be evaluated.
Given the rapid proliferation of connected devices, IoT represents a huge security challenge. The perimeter in enterprise computing has never been larger or more fluid. IoT devices, both inside and outside corporate offices, carry the same potential security risks. Meanwhile, consumer devices are far less likely to offer security features, such as regular security-enhancing firmware updates.
As per the plan, the White House will continue to work towards improved IoT cybersecurity through federal R&D, procurement and risk management efforts. And the NSC will be tasked with identifying the “broad contours” of a U.S. Government Internet of Things (IoT) security labeling program.
The plan also mentions something many organizations worry about – how to pay for modernization to meet new security standards. To address the economic need, the Administration will seek to leverage federal grants to improve infrastructure cybersecurity. The ONCD will develop materials to clarify, facilitate and encourage the incorporation of cybersecurity equities into federal grant projects.
Along similar lines, the plan will also assess the need for a federal cyber insurance response to catastrophic events. The response would be in support of the existing cyber insurance market.
While there is certainly a lot of work to be done, having a clear plan makes a big difference. The National Cybersecurity Strategy Implementation Plan is a major step in the right direction to address the growing cyber threat.