Earlier this month, the White House added details to its National Cybersecurity Strategy (NCS). The 57-page implementation plan lays out sixty-five federal initiatives for implementing the plan over the next several years. These include strengthening U.S. critical infrastructure against cyber threats, disrupting ransomware threat actors and enforcing liability for software products and services.
These efforts also include developing a long-term software liability framework, advancements on software bill of materials initiatives as well as headway on open-source software security. Many of these efforts have implementation deadlines of 2025 and some are already underway.
The objectives laid out by the White House are grouped under five pillars:
Defend Critical Infrastructure
Disrupt and Dismantle Threat Actors
Shape Market Forces to Drive Security and Resilience
Invest in a Resilient Future
Forge International Partnerships
It’s worth noting that resilience is highlighted in two of the five pillars, as well as in the latest proposed cyber guidelines from the Securities & Exchange Commission. “This emphasizes that it is not a matter of if, but when cyber-attacks will be successful, and all organizations in our country need to balance their focus from just prevention, which is impossible, to being better prepared to respond to that cyber-attack that will succeed, in order to continue operations,” says Michael Coden, CISSP, Associate Director of MIT’s cybersecurity research consortium, Cybersecurity at MIT Sloan (cams.mit.edu) and a frequent speaker at HMG Strategy events.
Plans for strengthening critical infrastructure defense include fostering partnerships between the private and public sectors, which have been gaining traction.
“While bridging the public and private sectors requires work, extensive progress has been made especially through the efforts of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the U.S. Secret Service (USSS) and other government entities,” says Rocco Grillo, Managing Director, Global Cyber Risk & Incident Response Investigations at Alvarez & Marsal. “Equally important are the critical infrastructure Information Sharing Analysis Centers (ISACs) and other industry organizations that promote industry collaboration and threat intelligence sharing around nation-state and other criminal threat actors,” adds Grillo, who is also a frequent speaker on cybersecurity topics at HMG Strategy’s CIO & CISO Executive Leadership Summits.
The new framework also calls for increasing the speed and scale of threat intelligence sharing. Historically, this has been a sticking point between private and public sector organizations, including a willingness to freely share threat intelligence.
Meanwhile, the implementation plan for creating software liability guardrails by 2025 appears to be a challenging deadline to meet. “The most complex part of the NCS is adjusting the balance of responsibility between the publishers of software and the users,” says Coden. “This will be the most difficult area to sort out, and at the very least will serve to make users much more aware of their responsibility in the use of software. That, in my opinion, will have a material effect on reducing the impact of cyber-crime and cyber-espionage.”
One of the top challenges that has been dogging organizations with their cybersecurity strategies is the lack of available cyber talent. For his part, Coden is pleased that the NCS “also recognizes the 700,000 job vacancies in cybersecurity and puts government influence behind educating more cybersecurity personnel to fill that gap.”
It’s also worth noting that the federal implementation plan will evolve over time. The plan that was released last week will be updated next year to a 2.0 version as other aspects of the plan will be updated as they’re completed or as the emergence of new cyberthreats require some fine-tuning.
“As noted, the NCS is a living, breathing document that will be updated annually to address the evolving cyber threat landscape,” says Grillo. “This threat landscape underscores the need for cyber strategy to continue to evolve as new threats and risks are identified. The ‘Five Pillars’ provide an excellent foundation to address the cyber risks that have perpetually plagued the U.S., as well as other countries, over the years.”
Michael Coden and Rocco Grillo will be speaking at HMG Strategy’s 2023 Global CISO Executive Leadership Summit on December 12 at The Harvard Club of New York. To learn more about additional speakers and topics to be addressed at the summit and to register for the event,click here.
