US says National Cybersecurity Strategy will focus on market resilience and private partnerships

The White House has published the first implementation plan for its National Cybersecurity Strategy, which aims to improve the strength of the software supply chain and increase public-private collaboration.

Improving the resilience of the market is a key focus, with efforts to establish a long-term software liability framework and reduce gaps in software bills of materials (SBOMs) to ensure unsupported software is not used for critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) will work with the private sector, non-profits, the open-source community, and academia to establish secure-by-design software and hardware.

In a fact sheet, the White House stated the plan ensures “the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk”.

Private sector firms will fall under further requirements laid out by CISA in an effort improve the speed and cohesiveness of reporting following cyber incidents. 

Vendors that knowingly provide deficient cyber security products or services will also be pursued more heavily under the False Claims Act.

A Federal Cyber Insurance Backstop, which would see the government provide assistance in the event of a catastrophic incident, is also under consideration. The plan notes that such a scheme could support an uncertain cyber insurance market.

This initiative is expected to reach completion by Q1 2024, though the plan could be revised at a later date depending on the outcome of the talks.

By the end of 2023, the Office of Management and Budget will lay out stricter Federal Acquisition Regulation (FAR) requirements for the procurement and labeling of Internet of Things (IoT) devices.

For future resilience, the government will invest heavily in the research and development of memory-safe programming languages as well as quantum-resistant cryptographic algorithms which will be necessary to protect encryption in the near future.

The plan is structured around five ‘pillars’, under which lie more than 65 initiatives for improving the federal, public, and private cyber security landscape. 

• Defending Critical Infrastructure
• Disrupting and Dismantling Threat Actors
• Shaping Market Forces and Driving Security and Resilience
• Investing in a Resilient Future
• Forging International Partnerships to Pursue Shared Goals

The White House described the plan as a “living document”, which will be updated annually in line with evolving needs and ambitions for US cyber defense.

On threat actors, the Office of the National Cyber Director is set to work with federal partners as well as those in the private sector to find ways in which existing systems can be used to disrupt cyber criminals.

The document also assigns the Department of State and the Joint Ransomware Task Force (JRTF) to “defeat ransomware” by disrupting the worldwide threat ecosystem.

Ransomware gangs such as LockBit have been in the crosshairs of international law enforcement in recent months. The Department of Justice (DoJ) has ramped up arrests against alleged members of the group, and put out a $10 million bounty for another in May.

CISA, along with JRTF, will also provide training, analysis, planning, and incident response services to private and public sector organizations that oversee critical national infrastructure.

“The National Cybersecurity Strategy Implementation Plan (NCSIP) gives much-needed guidance for agencies on improving cyber resilience,” said Gary Barlet, Federal CTO at Illumio.

“It assigns timebound goals and initiatives to each agency – giving them direction on how to reach the strategy’s clear objectives. These goals and initiatives also display a sense of urgency, which is important, as the pace of technology makes it impossible to imagine the impact it will have on security in three, five, or ten years. It focuses on building cyber resilience now as well as down the road. 

“This plan reflects the urgency of today’s cyber threats, and also demonstrates an understanding of the resource and fiscal challenges agencies face in overcoming these dangers. While the NCSIP doesn’t include direct funding, it does align with the administration’s cyber budget priorities to better position agencies to achieve their objectives and combat cyber attacks. 

“If agencies can align their budgetary responsibilities and resources with these initiatives, then they will be well equipped to bolster their cyber resilience today and tomorrow.”