The White House has recently released its National Cybersecurity Strategy Implementation Plan, which outlines the roadmap for fulfilling the objectives set out in the Biden administration’s National Cybersecurity Strategy. The plan has received both praise and criticism from experts and stakeholders in the cybersecurity community.
One area of concern is the potential difficulties in achieving harmony and consistency in the strategy’s whole-of-society approach. For instance, there are already conflicting mandates on incident reporting issued by different federal entities. To address this issue, the Office of the National Cyber Director (ONCD) has announced that it will be issuing a request for information (RFI) on “cybersecurity regulatory harmonization.” The focus of the RFI will be on critical infrastructure, and the goal is to identify areas of overlapping, duplicative, conflicting, or contradictory regulations. The process of finding reciprocity across regulations is expected to be a long one.
Another point of contention is the plan’s lack of initiatives focused on digital identity, even though it lists support for the development of a digital identity ecosystem as an objective. Some stakeholders argue that identity theft is a significant threat vector for government fraud and that more attention should be given to addressing it. However, a White House official stated that work on digital identity actions is still in progress and is expected to be included in future iterations of the implementation plan.
The plan has been commended for the sense of urgency shown by its rapid publication and for its inclusion of private sector consultation on the harmonization of baseline cyber regulations. The plan also recognizes the need to increase the adoption of security frameworks, which can help organizations better manage their security posture. However, adopting these frameworks can be challenging, as organizations need to understand how best to implement them and how to measure their effectiveness. Automation and continuous monitoring can assist in aligning security controls with regulatory requirements and best practices.
The plan’s implementation will require coordination between the White House and various government agencies, as well as support from Congress. The legislative process may prove difficult, considering the divided Congress and narrow majorities, but cybersecurity is an area where bipartisan cooperation is still possible. Cybersecurity organizations can also play a role in meeting the workforce needs of the implementation plan by shifting hiring expectations and recruiting ethical hackers or security researchers. Bug bounty programs can provide a scalable and affordable way to engage experts in strengthening cybersecurity measures.
In a surprising development, the current acting National Cyber Director, Kemba Walden, has been informed that she will not be nominated for the permanent role. This decision has raised concerns about the office’s reputation and effectiveness, as Walden was seen as a strong candidate to lead the ONCD. Lawmakers and experts, including Senator Angus King and Representative Mike Gallagher, had voiced their support for Walden. The reasons for her being passed over are unknown, and the ONCD declined to comment on personnel matters. The delay in appointing a permanent director could impact the progress of the implementation plan, and industry groups have called on the administration to name a nominee by the end of the month.
Overall, the National Cybersecurity Strategy Implementation Plan has received mixed reactions from experts and stakeholders. While there is appreciation for its ambition and scope, there are concerns about potential hurdles in achieving harmonization and the omission of initiatives related to digital identity. The plan’s timely implementation and coordination between government agencies and Congress will be crucial for its success. Additionally, the cybersecurity community and ethical hacking organizations can contribute to meeting the plan’s workforce needs and strengthening cybersecurity measures. With the right support and collaboration, the plan has the potential to improve the nation’s cybersecurity posture and protect critical infrastructure.

