White House unveils ‘roadmap’ for national cyber strategy goals
The Office of the National Cyber Director unveiled the implementation plan for its sweeping national cybersecurity strategy Thursday, setting deadlines for 18 different government agencies to put in motion changes designed to make cybersecurity regulation more robust and streamlined while increasing corporate responsibility for protecting critical infrastructure from cyberattacks.
The 57-page implementation plan should be considered a “roadmap” for how to achieve the objectives outlined in the precedent-setting strategy, acting National Cyber Director Kemba Walden told reporters ahead of the document’s release. The Biden administration described the plan as most focused on two primary objectives: ensuring that the “biggest, most capable, and best-positioned entities” in the public and private sectors take on more responsibility for lowering cyber risk and boosting incentives to fuel investment in cybersecurity in the long term.
The plan is unusually specific and prescriptive, assigning responsibility and near-term deadlines for 69 initiatives to individual agencies responsible for carrying out reform.
“The implementation plan does not capture all of the cybersecurity activities in the federal government nor does it intend to,” Walden said. “What it does do is capture key initiatives that we must get done in the near term.”
She added that the plan reflects the administration’s belief that cybersecurity will be bolstered only by “a whole of society approach.”
Among the initiatives the plan tackles are how to better combat cybercrime, build a far larger skilled cyber workforce and streamline regulatory directives to make clearer which agencies are in charge of individual cybersecurity goals.
Under the plan, ONCD will coordinate implementation across the government, working closely with the Office of Management and Budget to determine needed funding to support the plan’s initiatives.
The plan assigns the Cybersecurity and Infrastructure Security Agency to lead efforts to update the National Cyber Incident Response Plan “to more fully realize the policy that ‘a call to one is a call to all’” while making it clearer to non-government partners the “roles and capabilities” of various federal agencies participating in incident response and recovery.
On the administration’s closely watched software bill of materials initiative, the plan charges CISA with improving software transparency to allow companies to better grapple with supply chain risk and directs the agency to research requirements for a database that could be accessed worldwide to track “end of life” software.
Assigning the National Institute of Standards and Technology (NIST) to create an interagency and global body to hone technical and cybersecurity standardization, the plan also charges NIST with standardizing one or more “quantum-resistant public-key cryptographic algorithms.”
The plan also highlights the need for legislative proposals to disrupt cybercrime, assigning the Department of Justice to lead an interagency effort to suggest legislation which would enhance the government’s ability to detect and disrupt such campaigns.
Walden said several plan initiatives have already been completed, including the delivery of proposed legislation to “codify” the Cyber Safety Review Board with additional authorities. Other work is already underway, she said, highlighting the fact that her office is close to releasing a national cyber workforce and education strategy.
Describing the plan as a “living document,” Walden said that it will evolve as the threat landscape changes and as completed initiatives give rise to newly needed actions. For example, OMB-led requirements for modernizing executive branch agencies which surface as the plan is implemented will be incorporated into next year’s version of the plan, she said.
Walden emphasized how the plan will improve government response to incidents such as Wednesday’s news of Chinese hackers’ exploitation of a bug in Microsoft’s cloud email service, allowing them to gain access to the accounts of U.S. and European government workers. She praised how CISA worked with Microsoft to mitigate the problem and quickly produced an advisory with the FBI to alert the public.
“That is exactly what is at the heart of the strategy and frankly at the heart of the implementation plan,” Walden said. “Collaboration between the public sector and the private sector to make sure that downtimes are swift and that the impact is not catastrophic.”
One area where some experts felt the plan should have been more robust relates to cloud computing security, which has been in the news recently with the Chinese hack and a just-released Atlantic Council report calling for action to better protect cloud infrastructure.
While calling the implementation plan an “excellent effort to turn the rhetoric of the strategy into effective, measurable policy objectives,” former Cyberspace Solarium Executive Director Mark Montgomery said he would have liked to see a “more full-throated approach to security in cloud computing with either regulation or collective standard setting objectives.”
A senior administration official, speaking to reporters ahead of the plan’s rollout, defended its provisions for cloud security, saying it helps set forward best practices that “one could point to and say for a service provider, these are configurations that we would want to see as a best practice.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.