Striving Towards Implementing the National Cybersecurity Strategy (NCS)
A look at the recently published National Cybersecurity Strategy Implementation Plan (NCSIP)
For those who have been following along at home, The White House in recent months published a long-awaited National Cybersecurity Strategy (NCS). It was the first update since the previous administration, and one that emphasized a shift in tone towards key activities such as accountability, safety and shifting market forces to those best positioned to mitigate systemic cybersecurity risks.
Now, in July 2023, The White House has published the accompanying NCS Implementation Plan, which we will dive into here. We previously covered the NCS in-depth in an article, which I recommend checking out here, if you haven’t read it already.
As a reminder, the NCS was oriented around five pillars, and two fundamental shifts in how the U.S. handles cyberspace.
The Fundamental Shifts:
Ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk
Increasing incentives to favor long-term investments into cybersecurity
The Pillars:
Defending Critical Infrastructure
Disrupting and Dismantling Threat Actors
Shaping Market Forces and Driving Security and Resilience
Investing in a Resilient Future
Forging International Partnerships to Pursue Shared Goals
The NCS Implementation Plan picks up where the NCS itself left off, laying out 65 high-impact initiatives that require executive visibility and interagency coordination which will be led by various Federal agencies/entities.
Each of the initiatives is assigned to a specific agency that will be responsible for it, along with a defined timeline for its completion. This is refreshing to see because it makes the initiatives for implementation both actionable and time-boxed while ensuring someone is ultimately accountable for them.
The NCS Implementation Plan also emphasizes that it is a working copy, meaning it will be iterative and prone to updates as implementation rolls on. This is also refreshing because there will be unknowns, hurdles and pivots, and policy shouldn’t be immutable to those realities, but instead should flex to adjust.
In addition to tasking specific agencies as being responsible for the various initiatives, the NCS Implementation Plan stresses the importance of collaboration with the private sector and SLTT entities to ensure success of the NCS.
All of the NCS activities will be coordinated out of the Office of the National Cyber Director (ONCD), which has a vacant lead role at the time of this writing, despite broad urging from industry and leaders to fill the vacant role since previous ONCD Director Chris Inglis’ departure. The ONCD will report progress of implementation to the President and Congress.
As it is said:
“Without a strategy, execution is aimless. Without execution, strategy is useless.” — Morris Chang
Execution is where the “rubber meets the road”, so let’s dig into the NCS Implementation Plan (NCSIP) below!
Pillar One: Defend Critical Infrastructure
As stated in the NCS, this pillar focuses on the critical infrastructure (CI) that is vital to our security, public safety, and economic prosperity.
Let’s take a look at each of the specific Strategic Objectives and their corresponding initiatives.
SO 1.1 - Establish Cybersecurity Requirements to Support National Security and Public Safety.
This SO involves establishing cybersecurity regulations to secure CI, harmonizing and streamlining new/existing regulations and enabling regulated entities to afford security.
The specific initiatives under this SO include establishing an initiative on cyber regulatory harmonization, setting cybersecurity requirements across critical infrastructure sectors, and increasing agency use of frameworks and international standards to inform regulatory alignment.
The overarching theme here is bringing harmony to the bespoke, duplicative and often cumbersome overlapping regulatory requirements that CI sectors and their associated entities have to deal with, as well as accounting for sector-specific needs and any gaps in authorities, along with what may help close them.
Anyone who has worked in cyber for any amount of time knows the challenges of duplicative frameworks, juggling their various requirements and the burden associated with doing so. This SO looks to reconcile some of those challenges for CI sectors.
SO 1.2: Scale Public-Private Collaboration
The second SO is focused on improving collaboration between the public and private sectors. This is especially pertinent in CI because the majority of CI systems and environments are privately owned and operated, meaning the government doesn’t own or operate much of the critical infrastructure that we as American citizens rely on in our daily lives, from utilities to technology, medical and more.
CISA of course functions as the national coordinator for critical infrastructure security and resilience, including coordinating with Sector Risk Management Agencies (SRMAs), which were recently discussed in a report by the Cyberspace Solarium Commission, who made recommendations for updating and improving the way the U.S. designates and governs critical infrastructure sectors.
The specific initiatives under this SO include:
Scaling public-private partnerships to drive development and adoption of secure-by-design and secure-by-default technology
Provide recommendations for the designation of critical infrastructure sectors and SRMAs
Evaluate how CISA can leverage existing reporting mechanisms or the potential creation of a single portal to integrate and operationalize SRMAs’ sector-specific systems and processes
Investigate opportunities for new and improved information sharing and collaboration platforms, processes, and mechanisms
Establish a SRMA support capability
While the initiatives under this SO have various completion dates and contributing entities, all of them list CISA as the responsible agency. This SO and its associated initiatives of course emphasize the concepts of Secure-by-Design/Default, which have been a key mantra of CISA and leaders such as Jen Easterly, in their Secure-by-Design/Default publication that was recently released, as well as in frequent public speaking events.
We previously covered Secure-by-Design/Default in an article here.
The initiatives also seek to understand existing cyber capabilities of CI entities and SRMAs, as well as efforts to improve reporting and information sharing across sub-sectors. It even mentions the always elusive “single portal” (often called the “single pane of glass” in industry by vendors). It also seeks to improve the representation of SRMAs in outlets such as Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs).
Lastly, it ensures CISA establishes a central point of contact in the form of a Support Office Capability for supporting all of the SRMAs.
SO 1.3: Integrate Federal Cybersecurity Centers
For those unfamiliar, Federal Cybersecurity Centers serve as collaborative nodes that fuse together whole-of-government capabilities across the homeland defense, law enforcement, intelligence, diplomatic, economic and military missions. Currently, the most prominent aspect of this concept is the establishment of the Joint Cyber Defense Collaborative (JCDC) at CISA which helps integrate cyber defense planning and operations across the Federal Government and with the private sector and international partners.
Initiatives under this SO include:
Assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale
This SO includes a single initiative, which will be led by the Office of the National Cyber Director (ONCD) and seek to identify gaps in existing Federal Cybersecurity Centers and capabilities. It is listed as having a completion date at the end of Fiscal Year (FY) 2023.
SO 1.4: Update Federal Incident Response Plans and Processes
This SO speaks to incident response plans, processes and reporting requirements, a topic that has gotten a lot of attention lately, including in the Cybersecurity Executive Order (EO) itself.
The initiatives under this SO include:
Update the National Cyber Incident Response Plan (NCIRP)
Issue final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule
Draft legislation to codify the Cyber Safety Review Board (CSRB) with the required authorities
Obviously all of these are tied to incident response plans, processes and reporting. It seeks to clarify the roles and capabilities of Federal agencies in incident response and recovery, improve the sharing of incident reports with appropriate agencies and also facilitate cross-agency/entity table-top exercises to bolster incident response capabilities bringing a “whole-of-government” response to a cyber incident when required.
Lastly, it seeks to codify the role of the Cyber Safety Review Board (CSRB), which functions similarly to the National Transportation Safety Board (NTSB), which provides details about accidents, analysis of factual data, conclusions and probable causes of accidents. In the CSRB’s case, they conducted their first review of the Log4j incident, producing an excellent report laying out the origins of the incident, its downstream impact and recommendations for avoiding future incidents, which can be found here.
SO 1.5: Modernize Federal Defenses
Federal IT systems across Federal Civilian Executive Branch (FCEB), Department of Defense (DoD) and the Intelligence Community (IC) are absolutely critical to various aspects of our society, from civil services, such as Medicare and Medicaid, or Social Security and Veterans Affairs, to more Defense/IC oriented systems dealing with warfighters and geopolitics and international diplomacy.
This SO deals with modernizing Federal cybersecurity defenses, including implementing Zero Trust principles, building on momentum from the Cyber EO and Federal Zero Trust Strategy.
Initiatives under this SO include:
Securing unclassified FCEB systems
Modernizing FCEB technology
Securing National Security Systems (NSS) at FCEB agencies
These activities will be led by the Office of Management and Budget (OMB) along with the National Security Agency (NSA) and range from shared security services, licensing and software supply chain security to modernizing legacy systems.
Pillar Two: Disrupt and Dismantle Threat Actors
Shifting from the first pillar, the second focuses on the U.S. using all instruments of national power to disrupt and dismantle threat actors who threaten U.S. national interests. For those wondering if this includes methods beyond diplomacy, such as kinetic and cyber actions, it does, and the NCS explicitly lists those.
Let’s take a look at the specific SOs and initiatives under this pillar.
SO 2.1: Integrate Federal Disruption Activities
This SO deals with rendering criminal cyber activity unprofitable and disrupting foreign government actors engaging in malicious cyber activity, and leveraging the power of the Department of Justice (DOJ) and other Federal law enforcement agencies to do so.
Initiatives include:
Publishing an updated DoD Cyber Strategy
Strengthening the National Cyber Investigative Joint Task Force (NCIJTF) capacity
Expanding organizational platforms dedicated to disruption campaigns
Proposing legislation to disrupt and deter cybercrime and cyber-enabled crime
Increase speed and scale of disruption operations
These initiatives will be led by entities such as the DoD, DOJ and FBI and all orient around aligning DoD’s Cyber Strategy with the new NCS, as well as leveraging entities like the DOJ and FBI to disrupt cybercriminals and malicious cyber state actors.
SO 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries
Much like the previous pillar around critical infrastructure, there’s an acknowledgement that the private sector plays a key role in securing the digital landscape of the U.S. This includes visibility into adversarial activity and often leading the charge around innovation, tooling and capabilities.
Public-private partnerships aim to cross-pollinate the goodness from both entities to secure U.S. national security and economic interests, which most certainly includes the private sector, even if some corporations refuse to acknowledge that national security is tightly coupled to economic prosperity.
Initiatives under this SO include:
Identify mechanisms for increased adversarial disruption through public-private operational collaboration
The government foresees this disruption occurring under the ONCD in coordination with the required agencies and private sector entities, using virtual collaboration platforms to spin up cells aimed at disrupting specific threat actors and campaigns.
SO 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification
As part of efforts to disrupt malicious activities and threat actors, this SO aims to expedite intelligence sharing between Federal and non-Federal Partners.
Initiatives include:
Identify and operationalize sector-specific intelligence needs and priorities
Remove barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators
This SO is heavily focused on improving cyber threat intelligence sharing with critical infrastructure owners and operators.
SO 2.4: Prevent Abuse of U.S.-based Infrastructure
This SO focuses on preventing the abuse and misuse of U.S.-based infrastructure by malicious actors. This includes things such as cloud infrastructure, domain registrars, hosting and email providers.
This is an acknowledgement that malicious actors are increasingly making use of cloud infrastructure to launch malicious campaigns against U.S. and international targets. Doing so helps them fly under the radar of broad geo-IP based defenses and also provides anonymity for malicious actors by obscuring their true origins.
Initiatives include:
Publish a Notice of Proposed Rulemaking on requirements, standards, and procedures for IaaS providers and resellers
This SO will fall on the Department of Commerce, in coordination with DHS, DOJ, ODNI and FBI to address known methods of malicious activity on IaaS providers and platforms and require providers to take a risk-based prevention approach to address the misuse.
SO 2.5: Counter Cybercrime, Defeat Ransomware
If you’ve been in the IT/Cyber industry at any point over the last several years, you’ve inevitably heard of Ransomware and its wide impact across countless industries and organizations. The NCS states that Ransomware is a threat to national security, public safety and economic prosperity, pointing out that it has impacted everything from hospitals, schools and pipelines to government services and critical infrastructure.
This SO includes initiatives such as:
Disincentivizing safe havens for ransomware criminals
Disrupting ransomware crimes
Investigating ransomware crimes and disrupting the ransomware ecosystem
Supporting private sector and state, local, Tribal and Territorial (SLTT) efforts to mitigate ransomware risk
Supporting other countries’ efforts to adopt and implement the global anti-money laundering/countering the financing of terrorism (AML/CFT) standards for virtual asset service providers
As you can see, this SO and its associated initiatives all rally around disrupting criminal ransomware activities, including the broader ransomware ecosystem and disrupting their financial transactions underpinned by cryptocurrencies.
Pillar Three: Shape Market Forces to Drive Security and Resilience
“To build the secure and resilient future we want, we must shape market forces to place responsibility on those within the digital ecosystem that are best positioned to reduce risk”
This section of the NCS arguably in my opinion got the most attention when it was published because it discusses the thing industry actually cares the most about - the market. Financial incentives, regulatory consequences, revenue implications and more are far more likely to get industry attention than broad discussions around critical infrastructure or private/public sector collaboration.
It emphasizes the concept of the economic term “least-cost avoider” which means liability and obligations should be placed on the party best positioned to fix a problem while incurring the least cost. Many, such as Jen Easterly of CISA and Kemba Walden of ONCD have argued that in the software and technology space, that is software suppliers and technology companies.
Despite being best positioned to address vulnerabilities and flawed systems, those costs are historically externalized, passed on to downstream consumers in the enterprise context or citizens, in our increasingly digital world where insecure software and products can have tangible impacts on the safety and security of our society.
Obviously, additional requirements, responsibilities and rigor mean increased costs, accountability and liability. For this reason, industry will always do the bare minimum to avoid incurring additional expenses beyond anything absolutely required, since their desire is to maximize profits at all costs.
As I have discussed in the article “Cybersecurity First Principles and Shouting into the Void”, until the “should” do recommendations become “must do” requirements, nothing is likely to change in this status quo.
Nonetheless, let’s take a look at the SOs and initiatives in this pillar.
SO 3.2: Drive the Development of Secure IoT Devices
It’s no secret that we’re seeing a massive explosion of connected devices. From the civilian space where everything is increasingly connected and digital, to the defense space, where they’re pursuing programs such as Joint All Domain Command and Control (JADC2). “Joint All-Domain Command and Control or JADC2 is the concept that the Department of Defense has developed to connect sensors from all branches of the armed forces into a unified network powered by artificial intelligence.”
Initiatives in this SO include:
Implement Federal Acquisition Regulation (FAR) requirements per the Internet of Things (IoT) Cybersecurity Improvement Act of 2020
Initiate an IoT cybersecurity labeling program
Here we see the government looking to use their purchasing power to drive more secure IoT devices as well as provide labeling to help consumers make high-level risk informed decisions around their consumption and purchase of products in the market.
There’s a broad acknowledgement that consumers simply don’t have the cybersecurity expertise to make risk-informed decisions around technology and software, and labeling can help alleviate that. We see similar examples when we look at grading on meat or food products, or energy efficiency ratings in consumer goods.
This of course means there need to be some established guidelines around which criteria lead to which rating, as well as a third party to review and rate all products and software, which is no small feat.
SO 3.3: Shift Liability for Insecure Software and Products
This SO, like several others in the NCS and NCSIP, is well underway, with the Cyber EO leading NIST to update its Secure Software Development Framework (SSDF) and OMB to issue two memos, 22-18 and 23-16 (which we have covered here and here), requiring Federal agencies to require self-attestation from ALL software/technology suppliers selling to Federal agencies that they’re adhering to the defined practices, which currently reside in the CISA Secure Software Self-Attestation Form (which we have covered here).
This SO includes initiatives such as:
Explore approaches to develop a long-term, flexible and enduring software liability framework
Advance Software Bill of Materials (SBOM) and mitigate the risk of unsupported software
Coordinated vulnerability disclosure
These initiatives fall on ONCD and CISA and focus on looking at other industries to draw parallels from compliance and legal frameworks for the concept of software liability, measuring suppliers against uniform requirements and holding those accountable who fail to meet established expectations.
It also looks to bolster ongoing SBOM efforts, which originated under the NTIA and are now under CISA, and which look to bring transparency to longstanding information asymmetries between software suppliers and consumers as well as help organizations identify outdated and vulnerable software components that currently run rampant across nearly every digitally-driven environment and system, especially due to the expansive adoption of OSS.
Lastly, it looks to establish an international coordinator for vulnerability disclosure and build support around expectations as they relate to vulnerability disclosure, to help better inform downstream software and technology consumers of the vulnerabilities in software and products they may be using.
SO 3.4: Use Federal Grants and Other Incentives to Build in Security
This section of the NCS points out the once-in-a-lifetime investments the nation is making, using examples such as the Bipartisan Infrastructure Law, the Inflation Reduction Act and the CHIPS and Science Act, among others. The Government sees these investments as looking to bolster systemic resilience in the U.S.
Initiatives include:
Leverage Federal grants to improve infrastructure security
Prioritize funding for cybersecurity research
Prioritize cybersecurity research, development and demonstration on social, behavioral and economic research on cybersecurity
This SO has an obvious focus on driving cybersecurity focus and resilience through Federal grants as well as leveraging entities such as the National Science Foundation (NSF) to examine the impacts on cybersecurity for both society as well as individuals and explore areas such as cyber economics and human factors in cybersecurity, an area that hasn’t gotten nearly enough attention, despite the critical roles of human factors when it comes to our digital resilience.
SO 3.5: Leverage Federal Procurement to Improve Accountability
This SO looks to again use the purchasing power of the Federal government to drive a more secure and resilient ecosystem. The government will draft and release rules in various areas such as cybersecurity incident reporting, standardizing cybersecurity contract requirements and secure software development and consumption, all of which tie to the Cyber EO 14028 in some shape or form.
Initiatives here include:
Implement FAR changes required under EO 14028
Leverage the False Claims Act to improve vendor cybersecurity
While looking to close gaps on FAR changes tied to the Cyber EO, this SO also looks to leverage the DOJ to potentially pursue vendors for failing to adhere to Federal cybersecurity requirements. The NCSIP cited the False Claims Act as something that can be leveraged to pursue Federal grantees and contractors who are failing to adhere to the codified FAR requirements for cybersecurity. This should be cause for pause for those selling to the Federal government and ensure they understand the implications of anything they’re required to meet from a cybersecurity perspective and anything they’re self-attesting to (e.g. in the CISA Secure Software Self-Attestation form we discussed above).
SO 3.6: Explore a Federal Cyber Insurance Backstop
This SO continues an ongoing conversation where some in the industry have been advocating for a Federal Cyber Insurance Backstop. This looks to bolster and accompany the existing commercial cyber insurance market and help protect the ecosystem from catastrophic cybersecurity events.
This section has a single initiative which is:
Assess the need for a federal cyber insurance response to a catastrophic cyber event
The argument is that the Federal government could step in to help protect companies, insurers and the economy from a catastrophic cyber event. For example, most cyber insurers include exclusions for war, and increasingly we’re seeing cybersecurity be a key pillar (or Fifth Domain, as defined in this excellent book) when it comes to modern warfare and nation state conflicts.
These events could easily drown existing cybersecurity insurers and organizations and cause widespread economic havoc. A potential Federal cybersecurity insurance scheme could play a part in mitigating the impact, as private entities increasingly find themselves in the crosshairs of this modern digital battlefield, as captured in another excellent book titled “Battlefield Cyber” by Michael McLaughlin and Bill Holstein, which I recommend checking out.
Pillar Four: Invest in a Resilient Future
“A resilient and flourishing digital future begins with investments made today”
This section of the NCS focuses on building a more resilient and thriving future for the nation and making key investments in emerging technologies such as quantum computing and AI. It strives to ensure continued U.S. leadership in technology and innovation through R&D and Science and to mitigate the increasingly successful efforts by our adversaries to weaponize our digital infrastructure against us.
SO 4.1: Secure the Technical Foundation of the Internet
This SO recognizes that many of the fundamental aspects of the Internet and our digital infrastructure retain the insecure and inherently vulnerable aspects of their design. Despite broad use of the Internet and associated technologies and calls for “Secure-by-Default/Design”, the Internet was never designed with security in mind and the threat landscape has changed tremendously since its inception.
This SO includes initiatives such as:
Lead the adoption of network security best practices
Promote the adoption of open-source software security and memory safe programming languages
Accelerate development, standardization and adoption of foundational Internet infrastructure capabilities and technologies
Collaborate with key stakeholders to drive secure Internet routing
This is a broad SO including entities across CISA, ONCD, and OMB and touching on a myriad of efforts such as Secure DNS adoption, Zero Trust Strategy execution and the secure consumption and use of OSS. It also looks to help drive the adoption of memory safe programming languages, which is something that has been emphasized by leaders from CISA and is explained in a great paper from the NSA.
SO 4.2: Reinvigorate Federal Research and Development for Cybersecurity
This SO looks to build on efforts such as the Federal Cybersecurity Research and Development Strategic Plan. It looks to have agencies direct R&D efforts in critical areas such as industrial control systems, cloud infrastructure, encryption, system transparency and more, all oriented around cybersecurity.
The initiatives here include:
Accelerate maturity, adoption and security of memory safe programming languages
Again, we see an emphasis on memory safe programming languages and looking to drive Secure-by-Design/Default systems and resilience through directing R&D into critical cybersecurity areas and emerging technologies.
SO 4.3: Prepare for Our Post-Quantum Future
This SO emphasizes the role of quantum resistant encryption and the advances in computing power that necessitate moving to systems that aren’t vulnerable to these advances when it comes to compromising encryption.
Initiatives include:
Implement National Security Memorandum (NSM) 10
Implement NSM 10 for National Security Systems (NSS)
Standardize and support transition to post-quantum cryptographic algorithms
The activities here involve OMB, NIST and the NSA as they work collaboratively to bolster Federal defenses against future technology advances that could undermine secure cryptography of data across both Federal Civilian agencies and National Security Systems.
SO 4.4: Secure our Clean Energy Future
With the advances of smart grid technologies and clean energy alternatives, all of which are underpinned by the use of software, this SO seeks to build in cybersecurity from the onset, through the use of sources such as the National Cyber-Informed Engineering Strategy and the Clean Energy Cybersecurity Accelerator (CECA).
Initiatives here include:
Drive adoption of cyber Secure-by-Design principles by incorporating them into Federal projects
Develop a plan to ensure the digital ecosystem can support and deliver the U.S. Government’s decarbonization goals
Build and refine training, tools, and support for engineers and technicians using cyber-informed engineering principles
SO 4.6: Develop a National Strategy to Strengthen our Cyber Workforce
Few topics have gotten as much attention when it comes to cybersecurity shortfalls we face both in Government and as a nation than the cybersecurity workforce. Some have claimed that we closed 2022 with an estimated 600k vacant cybersecurity positions in the U.S., while others such as ISC2 have projected that there is a cybersecurity workforce shortage of 3.5 million individuals globally.
Numbers aside, one thing is clear, and that is that we have workforce challenges. Organizations struggle to attract and retain technical talent, especially in Government/public sector, and the problem is only getting worse as the demand grows due to ongoing digital modernization efforts across nearly every facet of society.
This SO has a single initiative which is:
Publish a national cyber workforce strategy and track its implementation
This is a topic that acting National Cyber Director Kemba Walden is incredibly passionate about and emphasized in a talk hosted by ITI which I will share at the end of this article.
The goal is to expand the national cyber workforce and increase access to cyber educational training and pathways to cybersecurity careers for our diverse society. It will build on and leverage efforts such as the National Initiative for Cybersecurity Education (NICE) and National Centers for Academic Excellence in Cybersecurity program.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
“The United States seeks a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly”
This pillar marks a clear indication of the U.S. looking to ensure a stable and resilient global digital ecosystem while also using their power and influence to help drive national interests on the global digital stage. It also represents an acknowledgement that the U.S. cannot implement the broad and daunting National Cybersecurity Strategy (NCS) alone and it will require international support and allies.
SO 5.1: Build Coalitions to Counter Threats to our Digital Ecosystem
This SO picks right up on that note, citing efforts such as the Declaration for the Future of the Internet (DFI), which includes 60 countries and a broad coalition of partners. It also cites other efforts such as the Freedom Online Coalition.
Initiatives include:
Create interagency teams for regional cybersecurity collaboration and coordination
Publish an International Cyberspace and Digital Policy Strategy
Strengthen Federal Law Enforcement collaboration mechanisms with allies and partners
Regional cyber hubs study
This again looks to bolster international cybersecurity through collaboration, information sharing and coalitions of nations with shared cybersecurity interests. It also looks to work with international partners to drive those mutual interests in our digital cyberspace that transcends borders.
SO 5.2: Strengthen International Partner Capacity
It’s often quipped that the future is already here, it just isn’t distributed evenly and this SO speaks to that reality. It emphasizes the role of the U.S. in working with international partners to help them meet fundamental cybersecurity activities such as securing critical infrastructure and implementing effective monitoring and detection of malicious cyber activity.
Initiatives include:
Strengthen international cyber partners’ capacity
Expand international partners’ cyber capacity through operational law enforcement collaboration
So not only is it looking to bolster the capabilities of international allies and partners, but also to foster collaboration between our respective law enforcement agencies to share information and, taking us back to earlier aspects of the NCS, disrupt malicious actors, regardless of where they’re operating in our increasingly borderless digital world.
SO 5.3: Expand U.S. Ability to Assist Allies and Partners
Continuing on the themes of collaboration and partnership, this SO focuses on expanding the U.S.’ ability to provide assistance in the cyber realm to our international partners and allies. The NCS points out examples of cyberattacks impacting nations such as Costa Rica, Albania and Montenegro, where nations may seek U.S. assistance with cyber incidents.
Initiatives include:
Establish flexible foreign assistance mechanisms to provide cyber incident response support quickly
This initiative looks to remove barriers that may impede the U.S. from providing financial and cyber assistance to international allies as they increasingly find themselves impacted on the cyber battlefield.
SO 5.4: Build Coalitions to Reinforce Global Norms of Responsible State Behavior
This SO is focused on establishing (and re-establishing in some cases) global norms of peacetime behavior, which have long been bucked by some nations in the digital realm, as the line of warfare is often flirted with through nefarious cyber activities and attacks that pose the risk of inciting kinetic conflict between nation states.
Initiatives include:
Hold irresponsible states accountable when they fail to uphold their commitments
While this one is admittedly a bit opaque, the statement is that the U.S. will work with partners and allies to pair statements of condemnation with the imposition of “meaningful” consequences.
Where this one gets interesting is that the nations often flirting with the line of cyber attacks below armed conflict don’t have much interest in fearing condemnation, and they often leverage the anonymity of the Internet and digital world, coupled with blaming organized crime and denying state involvement.
What these meaningful consequences are remains to be seen, as does how we intend to facilitate accurate attribution to properly determine the source of attacks and tie them definitively to specific state actors. Recall how we previously discussed disrupting threat actors, including their use of U.S.-based infrastructure, such as U.S. Cloud Service Providers (CSPs).
SO 5.5: Secure Global Supply Chains for Information, Communications and Operational Technology Products and Services
This SO deals with a topic near and dear to me, which is supply chain risk management. It emphasizes the need to produce the key technologies and materials domestically, or nearby, within nations who share the same values and interests as the U.S. Many will admit this is a reversal of our previous decades of embracing globalization and complex international supply chains, often forming critical dependencies on nations who do not share the same values and interests as the U.S. but were able to provide cheap products, driven by consumer demand with a lack of concern for security. We are now reaping the rotten seeds we’ve sown, seeing technologies and software integrated into various aspects of our society from suspicious origins and with clear indicators of compromise to our national security and economic prosperity.
Initiatives include:
Promote the development of secure and trustworthy information and communication technology (ICT) networks and services
Promote a more diverse and resilient supply chain of ICT vendors
Begin Administering the Public Wireless Supply Chain Innovation Fund (PWSCIF)
Promulgate and amplify Cybersecurity Supply Chain Risk Management (C-SCRM) key practices across and within critical infrastructure sectors
To summarize from the NCS itself:
“This dependency on critical foreign products and services from untrusted suppliers introduces multiple sources of systemic risk to our digital ecosystem”
Implementation-wide Initiatives
Lastly, moving outside of the 5 pillars are implementation-wide initiatives, oriented around assessing effectiveness, implementing lessons learned and making the appropriate investments.
Initiatives here include:
Report progress and effectiveness on implementing the NCS
Apply lessons learned to the NCS implementation
Align budgetary guidance with the NCS implementation
This area will largely be led by ONCD and involve a first annual report to the President, Congress and other strategic stakeholders on the progress and headwinds of implementing the NCS. This executive-level visibility will be crucial to ensure the NCS continues to move forward and that the appropriate investments and budgetary adjustments can be made as well.
Closing Thoughts
It would be an understatement to say that the NCS is an incredibly ambitious endeavor that will be a significant shift in how the U.S. handles cybersecurity on a variety of fronts, from critical infrastructure, the workforce and the software supply chain to R&D and investments, just to name a few.
Critics have already begun to raise concerns, such as the Implementation Plan missing an associated initiative around Digital Identity, despite it being featured in the NCS itself, along with the longstanding workforce challenges we’ve discussed above.
That said, it is clear to anyone with expertise in this field that failing to move out effectively on the NCS adds further risks to the U.S.’ position as a world leader in software, technology and our increasingly digital world and has downstream implications for our children and their children as well.
Software touches nearly every aspect of modern society and if we fail to see through many of these key activities outlined in the NCS, the implications will be devastating for the U.S. and its citizens.
For a deep dive on the various pillars and to hear from leaders, the industry group ITI hosted a session with leaders from the ONCD, including Kemba Walden, along with others from the Department of State, NIST and the Department of Justice, to name a few.
I found the panels and discussions very insightful into how leadership is thinking about the NCSIP and I suspect many others will as well.
ITI National Cybersecurity Strategy Implementation Plan Discussion