The implementation of the US cybersecurity plan may not be as smooth sailing as anticipated, experts warn. The recently released National Cybersecurity Strategy Implementation Plan consists of 65 federal initiatives, which are expected to be completed by 18 different government agencies. While the plan aims to streamline and harmonize cybersecurity regulations in the country, some experts have raised concerns about potential challenges.
One key highlight of the plan is the emphasis on “secure-by-design” tech development and strengthening protections for critical infrastructure. Chief Information Security Officers (CISOs) are hopeful that this plan will address the fragmented and conflicting cybersecurity regulations currently in place. Sounil Yu, CISO at JupiterOne, stated that “regulatory harmonization as the first item on the implementation plan is a great sign that the White House is hearing industry’s concerns.” However, without harmonized regulations, compliance with various standards becomes a burdensome and sometimes contradictory task.
The timing of the plan’s release coincided with a statement from the Government Accountability Office (GAO), which called for urgent action to bring the strategy to fruition. The GAO emphasized the need for timely issuance of the plan’s details so that agencies can begin planning and allocating resources for its execution. However, the absence of a national cyber director, a role that has been vacant for the past five months since Chris Inglis left, could hinder the plan’s implementation. The GAO highlighted the importance of sustained leadership in this position to ensure strategy execution and accountability.
Despite the optimistic outlook, some experts have identified critical gaps in the implementation plan. Robert DuPree, from security solutions firm Telos, pointed out financial challenges as a potential hurdle, citing a recent congressional appropriations bill that significantly reduced funding for the Technology Modernization Fund. Funding limitations can hinder the acceleration of technology modernization, making it difficult to implement the plan effectively. Joel Kroowswky, federal chief technology officer for GitLab, also expressed concerns about the lack of detailed instructions in the plan, which he described as more of a “plan to plan” rather than a plan for implementation. Clear and tangible directions are necessary for an iterative implementation process, according to Kroowswky.
Other potential obstacles include the shortage of cybersecurity professionals and the divided nature of Congress. These challenges could potentially impede the progress of the implementation plan, requiring additional measures to overcome them.
In the US legislature, concerns about government surveillance practices have gained bipartisan attention. Lawmakers from both the Democrat and Republican parties have expressed their worries regarding federal intelligence surveillance practices. Representative Zoe Lofgren, a Democrat from California, raised concerns about the FBI’s purchase of commercial data on US citizens in order to bypass search warrants. Republican committee chair Jim Jordan and Representative Matt Gaetz echoed these concerns. The unity among lawmakers highlights the importance of investigating warrantless surveillance practices and ensuring accountability.
Lawmakers also questioned the FBI’s involvement in planting a bomb outside a Democratic Party building during the 2021 insurrection. The declassification of a report revealing the intelligence community’s purchase of Americans’ personal information and an FBI request for “gun purchase records” further fueled the discussions and concerns.
Meanwhile, Washington County in Maryland is making efforts to recover from a cyberattack that occurred last November. The attack caused significant disruption in government operations, prompting experts to question whether the county has taken sufficient measures to prevent future incidents. Markus Rauschecker, cybersecurity program director at the University of Maryland’s Center for Health and Homeland Security, emphasized the importance of having a well-defined plan outlining the roles and responsibilities of each entity involved in cyber incident response. While Washington County claims to prioritize information privacy and security, spokesperson Danielle Weaver declined to provide specific details about their cybersecurity safeguards.
The state of Maryland has faced multiple cyber incidents in recent years, prompting local governments to seek assistance from different levels of government. The US Congress has implemented a $1 billion State and Local Cybersecurity Grant Program aimed at improving defenses, and Maryland is working on a state cybersecurity plan to request federal funding from the Department of Homeland Security. Washington County recently approved the implementation of a cyber intrusion detection and monitoring system, demonstrating their commitment to enhancing cybersecurity measures.
Despite efforts to recover and prevent future cyberattacks, the implementation of comprehensive cybersecurity plans at federal, state, and local levels faces various challenges. Financial constraints, leadership vacancies, and the need for harmonized regulations and detailed instructions are among the obstacles that need to be overcome. However, bipartisan concerns about surveillance practices demonstrate the importance of addressing these issues and ensuring accountability. As cybersecurity continues to be a pressing concern, it remains to be seen how the US government will navigate these challenges and protect critical infrastructure and citizens from cyber threats.