Editor's note: Cybersecurity Dive broke the 69 initiatives out of the Office of the National Cyber Director's implementation plan into a table, which you can find and explore at the bottom of the article.
Crafting a strategy to improve the nation’s cybersecurity required a significant yearslong effort from cyber authorities. Now, the hard work of bringing those goals to fruition hinges on the White House’s ability to delegate cyber initiatives to a broad set of government offices and agencies.
The implementation plan for the national cybersecurity strategy divides the strategy’s 27 objectives into 69 initiatives. One agency is assigned to take point on each initiative, and many are, at times, assigned to work with a cast of contributing government entities.
The Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency are the most prevalent lead agencies, responsible for 14 and 10 initiatives, respectively.
“For these 69 [initiatives] to really make a difference, the ONCD, Office of Management and Budget and the lead agencies will need to create alignment with private industry and establish better collaboration across federal agencies, which takes time, effort and consistency of purpose,” Katell Thielemann, VP analyst at Gartner, said via email.
While cyber experts and analysts applaud the desired outcomes of the strategy, the specific tasks and responsibilities now assigned to agencies underscore the challenges that lie ahead.
“The biggest challenge is the amount of coordination required between government agencies, internationally, and the private sector,” Allie Mellen, senior analyst at Forrester, said via email. “Every piece of this implementation plan requires active collaboration, which takes time to do thoughtfully.”
Covering the spread
The spread of responsibilities accentuates how the government expects most of the work to occur within agencies best suited to achieve specific goals — even those agencies that haven’t traditionally been at the forefront of cybersecurity policy.
While OMB is responsible for overseeing the performance of federal agencies and administering the federal budget, the ONCD is tasking it to also take the lead on 6 cyber-related initiatives, including modernizing federal civilian executive branch technology and leading the adoption of network security best practices.
Allan Liska, threat intelligence analyst and solutions architect at Recorded Future, said he was particularly pleased to see the State Department take the lead on multiple initiatives (eight, to be exact). The Department of State plays a critical role in achieving cooperation with other countries, he said.
Requiring greater investment and improvements in critical infrastructure security is core to the Biden administration’s efforts, but so too is the need to disrupt criminal activity in the U.S. and abroad.
The State Department is taking the lead on efforts to strengthen international partners’ cyber capacity and promote the development of secure IT and communications networks and services.
“You can’t just keep piling money into defense if the attacks are going to continue to grow and get more sophisticated,” Liska said.
“If the U.S. became super secure it wouldn’t matter at all if the rest of the world was constantly under attack,” Liska said. “Our data is everywhere, our partnerships, our connectivity is everywhere, and so a cyberattack in other countries does impact us.”
Ambitious timelines
There’s also the matter of timing: the government is slating more than two-thirds of the initiatives — 47 of the 69 — for completion by the end of fiscal year 2024, 14 months from now. All but two are designated to be done by the end of fiscal year 2025.
The initiatives are not equal in effort. One initiative calls for the government to study regional cyber hubs and others are aimed at disrupting ransomware crimes and the broader ransomware ecosystem.
The aggressive timeframes suggest developing assessments and plans will be viewed as success, Thielemann said. “Whether that will move the needle with regard to reducing cyber risk and enhancing the nation’s resilience to cyberattacks is debatable.”
The deadlines are largely viewed as aspirational and, as such, ambitious, considering the undertaking and crisis at hand.
“I don’t think it’s going to be implemented anywhere close to the timeframe that they’ve got outlined here, but that’s OK,” Liska said. “I’d rather set big goals and miss on some of those big goals than not do anything at all.”
Potential roadblocks
Legal challenges could be a key sticking point, as the national cybersecurity strategy imposes costs on organizations and state and local governments.
A group of state attorneys general in April asked a federal court to block an Environmental Protection Agency rule that would require public water systems to strengthen cybersecurity, The Washington Post reported.
The 8th U.S. Circuit Court of Appeals temporarily blocked the order earlier this month, signaling a setback for the Biden administration’s cybersecurity goals, The Washington Post reported.
The EPA is one of several sector-risk management agencies, which are a commonly cited and critical part of the national cybersecurity strategy implementation plan. SRMAs are tasked to contribute to 11 of the initiatives, many of which include efforts to improve public-private collaboration, integrate sector-specific processes and establish SRMA support capability.
CISA has designated an SRMA to each of the 16 critical infrastructure sectors federal authorities have identified as “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”
SRMAs include the EPA, General Services Administration and Departments of Agriculture, Defense, Energy, Homeland Security, Transportation, Treasury, and Health and Human Services. The authority of some SRMAs on cybersecurity matters is untested and for others, such as the EPA, those tests are playing out as they take action.
Cybersecurity and the need to bolster defenses have been a relatively non-partisan issue for years, but partisanship is creeping into the cybersecurity realm, according to Liska.
It also reflects the reality that security costs money.
While almost everyone agrees that water plants need to be more secure, establishing a minimum baseline of security is the only way to achieve that, Liska said.
“Trying to implement secure by design is going to get a lot of industry pushback and there will be a lot of lawsuits challenging this concept of secure by design,” Liska said.
The implementation plan for the national cybersecurity strategy is extensive, running 57 pages, but it’s not comprehensive.
Despite any exclusions, aggressive timelines and all the challenges, assumed and unforeseen, the plan reflects a cohesive strategy across multiple parts of the government.
“Broadly I think this is a great start,” Liska said, “and I hope we get the chance to build on it and not just get mired in lawsuits forever.”