At a glance.
- Comments on the US National Cybersecurity Strategy Implementation Plan.
- Acting National Cyber Director will not be offered permanent role.
Implementing the National Cybersecurity Strategy.
As we noted yesterday, the White House has issued its National Cybersecurity Strategy Implementation Plan, the roadmap for completing the initiatives laid out in the Biden administration’s National Cybersecurity Strategy. Think tank the R Street Institute offers an overview of the initiatives covered and notes some of the hurdles that must be overcome. For instance, the strategy’s whole-of-society approach has been applauded, but since some topics, like incident reporting, are already subject to several conflicting federally issued mandates, harmony could be difficult to achieve. The Wall Street Journal seconds this sentiment.
To address this concern, the Office of the National Cyber Director (ONCD) announced yesterday it will be issuing a request for information (RFI) on “cybersecurity regulatory harmonization.” MeriTalk explains that the focus will be on critical infrastructure, and the RFI will be published once complete. Nicholas Leiserson, the assistant NCD for cyber policy and programs, explained, “We’re looking to do a request for information to hear from industry about where there are areas that are overlapping regulation, that are duplicative, that are conflicting, or – hopefully not, but sometimes – contradictory.” He also noted that finding reciprocity, not just harmony, across regulations will be key, and it could be a years-long process. ONCD’s Acting National Cyber Director Kemba Walden stated, “We will continue to update the plan. In practice, that means ONCD will take what we learn from the request for information on regulatory harmonization that we are developing and turn into actionable steps to help us live in a world where we are providing that you met baseline requirements to one regulator will suffice for all of them.”
Nextgov.com notes that some stakeholders are surprised by the plan’s lack of initiatives focused on digital identity, despite the fact that the strategy lists “[supporting] development of a digital identity ecosystem” as an objective. Linda Miller, former deputy executive director of the government’s Pandemic Response Accountability Committee, said, “I think it was a huge oversight…Identity theft is a primary threat vector for government fraud at the federal, state and local levels of government. We saw historic levels of identity theft-based fraud in unemployment assistance during the pandemic, and nation state actors used stolen identities to defraud many other pandemic programs as well.” When asked about the omission, a White House official stated, “You've heard… the administration several times talk about work on digital identity actions in the context of identity fraud and combating that, and that is fundamentally what is holding that space right now. The administration is committed to action in that space, and that is still pre-decisional activity, but we would expect that follow-on actions from the identity fraud work would come into future iterations of the implementation plan.”
Nick Lines, Security Evangelist at Panaseer, approves of the sense of urgency on display in the White House guidance.
"The rapid publication of the Implementation Plan for the National Cybersecurity Strategy shows real urgency from the US Government and lays out responsibilities and timelines. Given some of the catastrophic and costly attacks we’ve seen in recent years, the very first point of the plan, which has an aggressive timeline of Q1 ‘24, is welcomed in ambition and in scope through inclusion of private sector consultation on the harmonization of baseline cyber regulations.
"It’s also hugely positive that the plan recognizes the need to increase the adoption of security frameworks. Because while guidance and frameworks are crucial to better managing security posture, it is notoriously difficult for organizations to understand how best to implement them, and it’s an ongoing challenge for teams to measure what ‘good’ looks like when they do. In fact, a senior NIST spokesperson previously stated “cybersecurity measurement is probably one of the hardest things that [they’ve] ever tackled.”
"Security leaders ultimately need to be able to align their security posture with regulatory requirements and best practice frameworks. This is made far easier if their teams embrace automation to continuously monitor the status of their security controls. By collating all this data in a unified trusted way, metrics and measures can be applied, compared against frameworks and risk posture to get a trustworthy understanding of potential exposure that they can also then report to auditors."
(Added, 4:00 PM, ET, July 14th, 2023. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, looked at the history of the strategy and sees a place for the ethical hacking community in meeting the workforce needs implicit in its implementation. "In June, the OMB Director and the Acting National Cyber Director issued a joint memo to agencies requiring that FY25 budget submissions be consistent with the pillars of the National Cybersecurity Strategy. That kind of coordination among the White House and agencies will be vital to ensuring that there is full funding for the implementation of the Cyber Strategy Plan," Cohen wrote. "The Administration will also need to work with Congress to ensure full adoption of its Plan. With a divided Congress and narrow majorities, the legislative process will be difficult, but not impossible given that cybersecurity is one of the few areas where bipartisan cooperation is still possible. This will help address key funding challenges for implementation. In addition to helping implementation, cybersecurity organizations can recruit new candidates amid the ongoing talent shortage by shifting hiring expectations for entry-level positions. Security researchers or ethical hackers can help close the cybersecurity talent gap by enlisting a pool of experts who are already dedicated to strengthening the security of organizations and governments. Coupling ethical hackers with bug bounty programs can create a rapidly scalable and affordable way of getting experts to assist in testing and improving cybersecurity. Oftentimes, these security experts have a diversity of highly specialized skills that weren’t taught in the classroom environment, but that offer creative and technically sound solutions to cybersecurity’s greatest challenges."
Duncan Greatwood, CEO of Xage Security, also sees the implementation plan as a large and ambitious step forward. “It’s promising to see critical infrastructure as the top pillar in the National Cybersecurity Strategy Implementation Plan. With living-off-the-land attacks across our 16 critical infrastructure sectors, from manufacturing and energy to IT, it’s good that steps are being taken to improve our nation’s cybersecurity posture. It’s also encouraging to see the plan include specific milestones with completion timeframes and annual follow-up," Greatwood wrote. "While the Transportation Security Administration (TSA) previously paved the critical infrastructure security path by issuing regulations for the energy and transportation sectors, many of the other 15 sectors have been slow to follow. Consequently, our current cybersecurity is no match for today’s cyber attacks. Although some initiatives in the plan are more built out than others, overall the plan suggests strong progress in ensuring the adoption of modern cybersecurity technologies, such as preventative zero trust techniques, that have the power to protect us against cyber attacks. It’s time to modernize America and the cybersecurity of our most critical infrastructure, and these steps will help get us there.”)
Acting National Cyber Director will not be offered permanent role.
Speaking of Kemba Walden, sources say the current acting National Cyber Director was told she will not be nominated to take on the position permanently. The Record notes that this could damage the office’s reputation and efficacy, as Walden has been involved with the ONCD since its inception and was seen as the frontrunner to replace Chris Inglis, who left the position five months ago. Furthermore, several lawmakers, including Senator Angus King and Representative Mike Gallagher, as well as Suzanne Spaulding, a former DHS undersecretary for cyber and infrastructure, were very vocal in their support for Walden assuming the role.
The reason for Walden being passed over is unclear, but one source (who chose to remain anonymous) colorfully described the decision as “bullshit.” When asked for comment, ONCD director for public affairs Michael Morris stated, “We don’t comment on personnel matters.” The news is likely to be disappointing to government officials, who have been urging the administration to fill the position as soon as possible. Earlier this week five industry groups submitted a letter to the White House calling on the administration to name a nominee by the end of the month, stating that a delay “could impede the great work accomplished under Director Inglis and Acting Director Walden, hinder the implementation of the National Cyber Strategy, and jeopardize the effectiveness of ONCD.”