White House National Security Strategy Heavy on Partnerships, Action
After releasing a National Cybersecurity Strategy that it promised would protect this country’s digital assets and infrastructure and also pave the way for a digital future for all, the White House unveiled a multi-pillar plan for implementing that strategy.
The White House “is taking the novel step of publishing the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination,” according to a release. “This plan details more than 65 high-impact federal initiatives, from protecting American jobs by combatting cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy.”
Sunil Muralidhar, vice president, growth and strategic initiatives at ColorTokens, called the national cybersecurity strategy “forward-thinking for the present and future in its plan of action—focusing on our cybersecurity defense, offense and resiliency.”
Indeed, each of the NCSIP initiatives “is assigned to a responsible agency and has a timeline for completion,” the White House said. “Some initiatives, such as the issuance of the Administration’s Cybersecurity Priorities for the Fiscal Year 2025 Budget, have been completed ahead of schedule.”
For instance, the first pillar, Defending Critical Infrastructure, has the Cybersecurity and Infrastructure Security Agency (CISA) leading an effort “to update the National Cyber Incident Response Plan to more fully realize the policy that ‘a call to one is a call to all,’” the White House said. “The update will also include clear guidance to external partners on the roles and capabilities of federal agencies in incident response and recovery.”
“Regulatory harmonization as the first item on the implementation plan is a great sign that the White House is hearing the industry’s concerns,” said Sounil Yu, CISO at JupiterOne. “Without harmonized regulations, we must comply with a multitude of different standards, many of which are redundant and sometimes even conflicting,” Yu said. “Harmonization will help make the already difficult job of cybersecurity a bit easier and more streamlined.”
Pillar two aims at disrupting and dismantling threat actors and assigns responsibility for combating ransomware to the Joint Ransomware Task Force co-chaired by CISA and the FBI. The latter will join forces with federal, international and private sector partners “to carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds and web [forums] offering initial access credentials or other material support for ransomware activities,” the White House said, while “a complementary initiative, led by CISA, will include offering resources such as training, cybersecurity services, technical assessments, pre-attack planning and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.”
Shaping market forces and driving security and resilience constitute pillar three of the implementation plan. CISA will continue to increase transparency through the software bill of materials (SBOM). The agency will work “with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation,” the release explained. “CISA will also explore requirements for a globally-accessible database for end-of-life/end-of-support software and convene an international staff-level working group on SBOM.”
The fourth pillar outlines how the U.S. will invest in a resilient future. Under the White House plan, “the National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process,” the release said. “NIST will also finish standardization of one or more quantum-resistant public key cryptographic algorithms.”
The fifth pillar focuses on forging international partnerships to pursue shared goals, led by the State Department. Calling cyberspace “inherently global,” the White House said “policy solutions must reflect close collaboration with our partners and allies,” and added that the State Department will “publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities.”
The agency will “also work to catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations,” the release noted.
“The plan’s commitment to investing in a resilient future and forging international partnerships to pursue shared goals is a testament to the long-term vision of the strategy,” said Andrea Hervier, global head of partnerships at CrowdSec. “Cybersecurity is not a problem that can be solved overnight; it is a global issue that requires international cooperation.”
Hervier, who was part of the French cybersecurity delegation that met with CISA teams at the White House in the lead-up to the release of the strategy earlier this year, noted that “the fifth pillar of the National Cybersecurity Strategy Implementation Plan demonstrates a commitment to international collaboration and recognizes that building coalitions, strengthening international partner capacity, and securing global supply chains is the only way to respond to cybersecurity threats.”
The Biden administration and security pros have long pushed for collaborative efforts to bolster cybersecurity. Proactive defense requires “a real-time map of cybercriminal activity across the internet,” Hervier said. “Organizations and countries are more than ready to form coalitions with their trusted allies to create a secure and thriving digital landscape.”
Muralidhar pointed to “the fourth and fifth points, which focus on our future—it is integral to maintain upkeep in the chosen defense strategies and preserve alliances with international partners to combat the various countries that continue to facilitate malicious threat actors.”
The strategy “warned against the threatening cyberattack acts of other countries,” he said. “The hope to forge international partnerships displays the growing evolution of cybersecurity and the need for innovative defenses such as a zero-trust framework.”
Just how the implementation plan will be met by practitioners depends on a number of factors. “There are three views CISOs are likely to take. Does this affect me in terms of my responsibilities to deliver components of the five pillars to the ecosystems? Do I adopt the recommendations internally? And how does this impact who I will work with?” said Gareth Lindahl-Wise, CISO at Ontinue.
“The answers to these questions will obviously depend on what the organization does,” he said. “The strategy makes it plain there is an expectation for larger organizations, critical infrastructure providers and ‘foundational’ providers for the digital marketplace.”
Going forward, “it will be interesting to see if some of the intent of the strategy makes its way into the realm of CSR—will demonstrable adoption of this strategy be a differentiator in selecting products and services?” said Lindahl-Wise. “If this takes hold, market forces could supercharge adoption. This means as a buyer, I will give a clear preference to those organizations clearly executing their responsibilities to implement the strategy. It might ‘only’ have a national focus, but clearly national governments need to incentivize private industry.”