Officials from top private sector cybersecurity are looking ahead to key catalysts that will help advance the aims of the Biden administration’s National Cybersecurity Strategy implementation plan (NCSIP) released last week, including the promise of greater collaboration between the government and the private sector, and the degree to which Congress provides funding for government agencies to carry out the lengthy tasking list that the plan provides.
The implementation plan follows through with a list of nearly 70 tasks to put into action the National Cybersecurity Strategy (NCS) that the Office of the National Cyber Director (ONCD) published in March. On the Federal agency front, the implementation plan enlists the additional efforts of several agencies that already are doing some of the heavy lifting on many aspects of cybersecurity work and policy.
Key issues that will get major attention include some that are already well-known in policy circles – including creation of software bills of material, fighting ransomware and other cybercrime, improving incident response work, and pushing harder for international cybersecurity standards. One big item with outsized potential to emerge from the plan is a request for information that ONCD is preparing on “cybersecurity regulatory harmonization” for critical infrastructure.
“While the development of the NCSIP is an essential step, we need to work closely with Congress and the Administration to ensure we fully fund these important actions and requirements that will drive cybersecurity and zero trust across the federal government,” Stephen Kovac, vice president and chief compliance officer at Zscaler, told MeriTalk.
“Simultaneously we must remain vigilant and look for ways to continuously improve efficiency, foster innovation and improve our cyber posture with a whole-of-society mindset,” Kovac said.
“This plan reflects the urgency of today’s cyber threats, and also demonstrates an understanding of the resource and fiscal challenges agencies face in overcoming these dangers,” said Gary Barlet, Federal Field CTO at Illumio.
“While the NCSIP doesn’t include direct funding, it does align with the administration’s cyber budget priorities to better position agencies to achieve their objectives and combat cyberattacks,” Barlet said. “If agencies can align their budgetary responsibilities and resources with these initiatives, then they will be well equipped to bolster their cyber resilience today and tomorrow.”
The implementation plan, Barlet continued, “gives much-needed guidance for agencies on improving cyber resilience. It assigns timebound goals and initiatives to each agency – giving them direction on how to reach the strategy’s clear objectives. These goals and initiatives also display a sense of urgency, which is important, as the pace of technology makes it impossible to imagine the impact it will have on security in three, five, or ten years. It focuses on building cyber resilience now as well as down the road.”
Kynan Carver, DoD cybersecurity lead at Maximus, said the NCSIP “demonstrates a commendable and strategic approach to safeguarding our digital landscape. By addressing crucial elements such as reciprocity, cyber insurance, secure-by-default, information sharing, and international collaboration, this interconnected plan displays a comprehensive understanding of the multifaceted challenges posed by cyber threats.”
“Moreover, the clear mention of specific deadlines and potential funding through OPM’s M-23-18 Administration Cybersecurity Priorities for FY 2025 speaks to the government’s commitment to prioritize and allocate resources effectively,” Carver said. “This level of clarity and financial support should empower agencies to execute the plan efficiently and reinforce our collective resilience against cyber incidents.”
Critical Infrastructure Focus
Josh Lospinoso, co-founder and CEO at Shift5, said the plan “represents progress as our nation continues to combat dynamic cyber threats from increasingly sophisticated adversaries. The plan sets forth some important initiatives, including: implementation of software reforms, issuance of grants for R&D, prosecution of false claims, and sharper deterrence of ransomware/cybercrime.”
He also pointed to the pressing need for better security in key critical infrastructure sectors.
“As agencies now begin the process of creating and updating their own cybersecurity strategies, we’re hopeful they will do more to address critical components of our nation’s operational technology (OT) security,” Lospinoso said. “We are less safe as a nation without proper cyber safeguards for critical transportation assets, military fleets, and weapon systems. This plan leaves no doubt that that keeping our country secure against tomorrow’s cyber threats will require seamless coordination from all levels of government and private industry partners — both big and small.
Egon Rinderer, CTO at Shift5, added, “we are encouraged that the focus on insecure products and services that was highlighted in strategic objective 3.3 of the March 2023 release of the NCS carries through with initiative 3.3.2 of the recently released implementation plan, ‘advance software bill of materials (SBOM) and mitigate the risk of unsupported software.’ There’s a gap in capacity for conducting SBOMs on operational technology (OT) today, and it’s critically important that the security of platform OT is considered holistically.”
“Both industry and government need to think about the problem less in terms of starting from scratch and more in terms of how to extend the security technologies we rely on in enterprise IT into platform OT,” Rinderer said. “Step one is unlocking those black boxes and instrumenting them. By accessing the data we can start leveraging those same enterprise methods like active monitoring, real-time alerting, SBOM, and more on platform OT to bring them up to the level of sophistication that’s required in today’s cyber environment.”
Value of Collaboration
Zscaler’s Kovac also stressed the importance of increased collaboration between the government and the private sector to turn the implementation plan’s goals into realities.
“An underlying theme of the NCSIP is collaboration – pulling together government agencies, international partners, and the private sector,” he said. “Our participation in CISA’s Joint Cyber Defense Collaborative, for example, demonstrates the success of these public-private partnerships – expanding such programs will only make us stronger against our adversaries.
“However, this cooperative practice will only be effective if the administration actively engages with industry, going beyond just requesting information for items such as cybersecurity regulatory harmonization, to actually apply the recommendations solicited in future iterations of the implementation plan,” Kovac said.
“Additionally, we’ve seen how quickly bad actors are evolving their tactics to inflict maximum damage. This is borne out by our recent research showing an almost 40% surge in ransomware attacks over the past year,” the Zscaler official said. “The implementation plan’s multi-pronged approach to winning this battle shows a sophisticated understanding of the international and local impacts of ransomware and the speed in which we need to improve our resiliency and cyber defenses.