The Biden Administration’s National Cybersecurity Strategy Implementation Plan (NCSIP) has been lauded by security professionals as an important step forward in the fight against cyber threats. The 57-page document outlines more than 65 initiatives that federal agencies will undertake in the coming years to strengthen US critical infrastructure, establish enforceable liability for software products, and disrupt threat-actor operations.
The NCSIP has been praised for its aggressive deadlines, which convey a sense of urgency to stakeholders. However, concerns have been raised about the plan’s ability to succeed without adequate funding and bipartisan support in Congress. Robert DuPree, manager of government affairs at Telos, pointed out that funding for the Technology Modernization Fund (TMF), which is crucial for eliminating legacy systems, has not been forthcoming. The proposed budget for FY 2024 requested a mere $200 million for the TMF, and even that funding has been zeroed out in the House appropriations bill. DuPree emphasized the need for new funding or an alternative way forward.
The NCSIP, described as a “living document,” will be updated annually to reflect the evolving cyber landscape. President Biden has stressed the importance of the strategy in encouraging all stakeholders to actively participate in cyber threat protection. The objectives of the strategy are grouped under five pillars: Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces, Invest in a Resilient Future, and Forge International Partnerships.
The plan outlines high-level initiatives for achieving these objectives. For critical infrastructure defense, it includes establishing new cybersecurity requirements, scaling public-private partnerships, integrating federal cybersecurity centers, and updating incident response plans. Dismantling threat actors involves integrating federal disruption activities, increasing threat intelligence sharing, and preventing the abuse of US infrastructure for attacks.
The third pillar, considered one of the most consequential, focuses on developing a long-term software liability framework and advancing secure software development initiatives. However, experts have raised concerns about the lack of a coherent enforcement path and the current political climate, which makes it difficult to create the necessary legal and regulatory framework. Additionally, the set timeline for creating software liability frameworks may be overly ambitious, given the complexity of the task.
Despite these challenges, the NCSIP has been credited with pushing critical infrastructure security forward. It aims to broaden the national cyber incident response plan beyond the critical infrastructure sector, encompassing all sectors and business sizes. Furthermore, the plan includes enlisting practitioners from the private sector as national-level responders in the event of significant infrastructure disruption, potentially addressing issues of credentialing and indemnification.
Notably, the implementation plan assigns a role to the Cybersecurity and Infrastructure Security Agency (CISA) in providing cybersecurity training and incident response for the healthcare sector, a frequent target of ransomware attacks. This move, along with the prospect of federal agency involvement in incident response, may deter ransomware operators from targeting hospitals.
Overall, the NCSIP represents a comprehensive roadmap for bolstering cybersecurity efforts in the US. While challenges such as funding and enforcement remain, the plan provides a framework for addressing critical vulnerabilities, protecting infrastructure, and disrupting cyber threats. As the cyber landscape continues to evolve, the plan’s iterative nature ensures it remains relevant and adaptable to emerging challenges.