How Will the New National Cybersecurity Strategy Be Implemented?

The Biden-Harris Administration’s National Cybersecurity Strategy, released back in March, calls for large, well-resourced entities to step up their roles reducing cyber risk and for incentives to drive long-term investment in cybersecurity. In July, the administration has followed up with an implementation plan that details how this new vision for cybersecurity will be achieved.

The implementation plan is a living document that will be updated on an annual basis. What will executing its various initiatives look like, and what challenges could stand in the way?

Key Stakeholders

The National Cybersecurity Strategy Implementation Plan (NCSIP) includes more than 65 initiatives that the federal government will undertake. A total of 18 government agencies will be responsible for leading these initiatives, and each initiative will be assigned to a responsible agency, according to the implementation plan fact sheet.

The Office of the National Cyber Director (ONCD) will take a leading role in coordinating the activities outlined in the plan. It will also give Congress annual updates on the progress of implementation. The ONCD will also work with the Office of Management and Budget to align funding proposals with the plan’s initiatives.

While federal agencies will be vital in the implementation process, the National Cybersecurity Strategy also requires participation from the private sector.

“If the overall plan is implemented effectively, there will be several ways the private sector can participate and partner with the government more, including helping ensure the plan does not fall behind,” says Daron Hartvigsen, managing director at global advisory firm StoneTurn.

Implementation Timeline

Each of the initiatives outlined in the implementation plan has a timeline for completion. Some milestones have already been completed. For example, the Department of Justice created a new National Security Cyber Section, which will play a role in the disruption and prosecution of nation state threat actors.

Some initiatives have targeted completion dates that go beyond the current administration. “I’m concerned that those actions may be at risk, as many of those responsible [for executing] those tasks may no longer be in government service by the estimated completion date,” says Greg Touhill, the former CISO of the federal government and current director of the CERT division of the Carnegie Mellon University Software Engineering Institute, a federally funded research and development center.

Five Cybersecurity Pillars

The National Cybersecurity Strategy is buttressed by five pillars. The first focuses on defending critical infrastructure. Increasing public-private collaboration is a big part of this strategic pillar.

Joshua Corman, vice president of cyber safety strategy at Claroty and former CISA chief strategist, notes that this push is being met with pushback in some cases. “After a decade plus of largely voluntary practices, like the NIST CSF [National Institute of Standards and Technology Cybersecurity Framework], some sectors are unhappy with the … more muscular rebalancing of public good and increased use of regulation,” he explains.

Yet, the value of collaboration among federal agencies, the private sector, and international partners is clear. “This can lead to information sharing, knowledge exchange, and coordinated efforts to combat cyber threats effectively,” says Nicole Montgomery, cyber operations lead at IT service management company Accenture Federal Services.

Jeff Williams, co-founder and CTO of Contrast Security, points out that this implementation plan represents a more proactive approach to cybersecurity.

“For many years, the federal approach to cybersecurity was to chase and threaten attackers -- throwing stones while our own house was (and is) dangerously insecure. Fortunately, the majority of this NCSIP is focused on strengthening our own house,” he says. “Even the one reactive pillar, ‘Disrupting and Dismantling Threat Actors,’ is less focused on identifying and blocking attacks and more focused on proactively disrupting their capabilities.”

The third pillar addresses market forces that can drive security and resilience. One of the key strategic objectives here is to shift the liability for insecure software. Private sector companies are being asked to take on more responsibility for cybersecurity. Under the plan, the Administration, Congress, and the private sector will “develop legislation establishing a liability regime for software products and services,” according to the implementation plan document.

“The initiative to scale up public-private partnerships regarding secure by design and secure by default technology for critical infrastructure is a soft way to say we expect better from our suppliers,” Hartvigsen shares.

The fourth pillar focuses on building a resilient future. More federal cybersecurity research and development is a key initiative outlined this pillar. The Office of Science and Technology Policy will work with other agencies and federal partners on “the maturity, adoption, and security of memory safe programming languages in applications, operating systems, and critical infrastructure,” according to the plan document.

While more research is vital, Touhill points out a few key areas that were not addressed in the plan. “I … expected to see much greater emphasis on investments in cybersecurity research and development programs across all departments and agencies, especially those affecting emerging fields such as artificial intelligence and machine learning,” he explains.

The fifth pillar is dedicated to forging international partnerships, which hinges on digital policy and law enforcement in collaboration with international partners. Various federal agencies will lead up the initiatives to strengthen international partnerships and leverage those relationships to work toward global cybersecurity goals.

A Living Document

Challenges will inevitably arise during the implementation process.

“Balancing the need for cybersecurity without impeding innovation, privacy concerns, or stifling digital economic growth can … be a challenge,” says Montgomery. “Overcoming these challenges requires a multi-faceted approach, collaboration across sectors, continued adaption to new threats, and a commitment of resources and expertise to ensure effective implementation of the national cybersecurity strategy.”

So many moving parts can mean slow progress. Budget requests will still need to make their way through Congress. Williams worries that the focus on liability will lead organizations to limit transparency. “I think a liability regime will inevitably lead to lawsuits, difficult arguments about “safe harbor,” and malpractice insurance for developers,” he says.

The implementation plan addresses harmonization of regulatory requirements, a common frustration in the private sector, but the number of agencies involved can mean slow progress there as well.

Kayne McGladrey, senior member of the Institute of Electrical and Electronics Engineers and field CISO at Hyperproof, hopes that a future version of the plan will get more granular. “Industry-specific guidance is missing, as hospitals, banks, and SaaS startups all have different cybersecurity needs and available resources,” he says.

Plus, the broader cybersecurity landscape will not wait. “Cybersecurity moves faster than bureaucracy. Threat actors will likely adapt to actual implementations and outcomes,” says Corman.

The National Cybersecurity Strategy Implementation Plan will evolve as stakeholders work through these challenges and threats evolve. It is a living document, just the first iteration of many.

“I expect you’ll be hearing a lot more from the federal government as we tick off milestones on our way to completion of initiatives,” Kemba Walden, acting national cyber director in the Office of the National Cyber Director,said during an Information Technology Industry Council event.

What to Read Next:

What Does the National Cybersecurity Strategy Mean for Public and Private Stakeholders?

Special Report: Privacy in the Data-Driven Enterprise

Report Calls Out ‘Inadequate’ Approach to Protecting US Infrastructure