On July 13, 2023, the Biden administration issued the first iteration of its National Cybersecurity Strategy Implementation Plan. Some experts see this as a significant step toward enhancing the nation’s digital security landscape. This plan builds upon the National Cybersecurity Strategy released earlier this year and outlines a roadmap for strengthening cybersecurity across various sectors.
With an emphasis on countering cybercrime, improving critical infrastructure security, and defending against evolving threats, it also reflects the administration’s efforts to “increase investments” in long-term resilience. So, buckle up as we delve into the highlights of the Biden administration’s cybersecurity implementation plan, and reveal its potential obstacles.
A Holistic Approach
The implementation plan encompasses over 65 initiatives led by 18 federal agencies, strategically targeting the most pressing cybersecurity challenges. Notably, the plan addresses the rising concern of ransomware attacks and aims to fortify security standards for high-risk industries such as critical infrastructure.
Think of it as a multi-agency symphony, akin to assembling a cybersecurity Avengers team, only with fewer capes and more firewalls. By coordinating efforts across these agencies, the plan seeks to promote collaboration and collective defense against emerging cyber threats. We’ve yet to see how well-tuned their instruments really are and whether they can play skillfully as a unit at a concert in real time.
Responsive and Evolving Strategy
While the National Cybersecurity Strategy sets the long-term vision, the recent implementation plan provides a more agile and adaptable framework. Kemba Walden, the acting national cyber director, is assuring the cybersecurity community that it is built to endure the digital battlefield that’s continually being reshaped.
Judging from the details released, the implementation plan itself is a shape-shifter, adapting to changing threat landscapes and evolving initiatives. It’s like a cyber chameleon, camouflaging itself to stay one step ahead of the bad actors. This dynamic is meant to ensure that the administration remains proactive and flexible in the face of evolving cyber threats.
Upgrading Cybersecurity Standards
Recognizing the need to keep pace with rapidly evolving threats, the implementation plan outlines a complete overhaul of the cybersecurity best practices developed by the National Institute of Standards and Technology.
The NIST Cybersecurity Framework, renowned for its comprehensive guidelines, will be updated to address the emerging challenges faced by organizations. These updated standards should assist cybersecurity professionals in evaluating compliance obligations and adopting a new set of security best practices. The question of robust implementation lingers in the air, however.
Remember, the plan puts 18 agencies in charge of leading at least one initiative each. An enduring strategy with efficient implementation of its goals will require vigorous interagency coordination. Not only that, but the balance between accountability for security best practices and not over-regulating private sector entities remains tricky.
Timing is Everything
This plan was released just as the federal government was in the midst of another widespread hacking incident that hit federal agencies. The Chinese-linked operation gained access to the emails of at least two dozen organizations worldwide including multiple U.S. federal entities.
Asked how the plan will help in situations like the Chinese campaign, Kemba Walden said that “the strategy has two pivotal pieces to it: one is to make sure that we are more defensible and that we are more resilient.”
She continued: “So what does that mean? That we know cyberattacks are going to happen but that the downtime is going to be quick, and that the impact won’t be catastrophic. So, we need to figure out what investments we need to make.” We hope that clears things up, but it seems a little vague to us.
Obstacles to Success?
The strategy’s whole-of-society approach has been applauded. Yet the fact is that there are already several conflicting federally issued mandates, and that could make it difficult to find harmony when implementing the new strategy.
Karen Walsh, head of cybersecurity compliance at Allegro Solutions, says one problem with the implementation plan is that it lacks any path to coordinated, standardized enforcement. It also leaves individual sector agencies in control. (It seems the nature of bureaucratic battles never alters.)
“Creating the legal and regulatory framework for enforcement requires working with Congress, which seems unlikely in our currently divisive political climate,” she says.
Finally, the administration has been pushing for the renewal of ‘Section 702.’ This contentious provision aims to bolster security by allowing warrantless surveillance. This will certainly ignite a lively debate about the delicate balance between privacy and safety. While not currently part of the plan unveiled last week, we can imagine it making an unexpected “encore,” leaving the audience divided between applause and raised eyebrows.
The Biden administration’s cybersecurity implementation plan represents a significant stride toward safeguarding the nation’s digital landscape. By focusing on key areas such as countering cybercrime, securing critical infrastructure, and adapting to emerging threats, the plan showcases a comprehensive and forward-thinking approach.
The strategy, in our view, is a good first step, but it’s missing some core details. Cyber threat intelligence needs to be at the center for all enterprises because we know that 95 percent of all breaches had available threat intelligence – and therefore could have been prevented but were not.
The fact is this: we have a substantial national problem with the nation’s cyber defense. As the implementation plan progresses and evolves, it needs to not only keep pace with the ever-shifting threat landscape but also ensure there is proper enforcement of effective initiatives.
The United States must remain resilient in the face of evolving cyber threats. We should make certain that the most capable and best-positioned entities – in both the private and public sectors – assume a greater share of the burden for mitigating cyber risk, fortifying the nation’s cybersecurity defenses for the decisive decade ahead.