It's a fact that ransomware and breaches have become an everyday occurrence in today’s complex cybersecurity landscape.
In March 2023, the Biden Administration released its highly anticipated National Cybersecurity Strategy. While the strategy offered a strong vision for strengthening the nation’s cyber resilience, I wrote for The Hill about how deeply underwhelmed I was by the plan’s lack of immediate impact and accountability, especially its 10-year outlook. The federal government must step on the gas to move faster against ransomware and breaches.
Recognizing the importance of providing practical cybersecurity strategies for government agencies, President Biden recently unveiled the new National Cybersecurity Strategy Implementation Plan (NCSIP). The plan offers agencies a roadmap to make changes to how they allocate roles, responsibilities, and resources for cybersecurity.
Here’s what you need to know about the new plan.
The NCSIP’s 5 strategic pillars
The plan is organized into 5 pillars, each including specific cybersecurity initiatives. I’ve outlined and summarized these pillars and their initiatives below.
Pillar one: Defend critical infrastructure – This pillar aims to establish cybersecurity requirements that uphold national security and public safety, emphasizing the importance of scaling up collaboration between the public and private sectors. It seeks to integrate federal cybersecurity centers to improve coordination and information sharing. Additionally, it aims to update federal incident response plans and processes while modernizing federal cybersecurity defenses to stay ahead of evolving threats.
Pillar two: Disrupt and dismantle threat actors – This pillar seeks to integrate federal efforts to disrupt cybercriminal activities and enhance collaboration between the public and private sectors to hinder adversaries. The pillar emphasizes the importance of swift and extensive sharing of intelligence and notifying victims of cyberattacks. It also aims to prevent the misuse of U.S.-based infrastructure and combat cybercrime, particularly targeting ransomware attacks.
Pillar three: Shape market forces to drive security and resilience – This pillar aims to drive the development of secure Internet of Things (IoT) devices, emphasizing the need to shift liability for insecure software products and services to encourage accountability among manufacturers and providers. It proposes using federal grants and incentives to prioritize security measures. Additionally, it suggests leveraging federal procurement to improve accountability and promote cybersecurity practices. Exploring the possibility of a federal cyber insurance backstop is also mentioned, which would provide support in the event of a major cyber incident.
Pillar four: Invest in a resilient future – This pillar includes efforts to strengthen the foundational elements of the internet, starting with an emphasis on revitalizing federal research and development in cybersecurity. It also highlights the importance of preparing for the challenges of a post-quantum future and ensuring the security of the clean energy sector. Additionally, it emphasizes the development of a national strategy to bolster the cybersecurity workforce, recognizing its significance in addressing future threats.
Pillar five: Forge international partnerships to pursue shared goals – This pillar involves building international coalitions to address threats to our digital ecosystem. It focuses on strengthening the capacity of international partners and expanding the United States' ability to support allies and partners. It also aims to establish coalitions that reinforce global norms of responsible state behavior in cyberspace. Additionally, the pillar highlights the need to secure global supply chains for information, communications, and operational technology products and services.
My key takeaways from the plan as a federal CTO
The most important takeaway from the NCSIP is that it gives much-needed guidance for agencies on improving cyber resilience now as well as down the road. This acknowledges that traditional prevention and detection tools aren’t enough to combat today’s complex and ever-evolving cyberthreats.
Breaches are inevitable. Organizations must prioritize proactive breach containment strategies with technologies like Zero Trust Segmentation (ZTS) to stop and contain the spread of breaches when – not if – they happen, ensuring that operations can continue unimpeded. In fact, organizations leveraging Illumio ZTS saw a 66 percent reduction in the impact (or blast radius) of a breach and saved $3.8 million due to fewer outages and downtime.
The plan also assigns time-bound goals and initiatives to each agency, giving them direction on how to reach the strategy’s clear objectives. These goals and initiatives also display a sense of urgency, which is important because the pace of technology makes it impossible to imagine the impact it will have on security in three, five, or ten years.
This plan demonstrates an understanding of the resource and fiscal challenges agencies face in overcoming these dangers. While the NCSIP doesn’t include direct funding, it does align with the administration’s cyber budget priorities to better position agencies to achieve their objectives and combat cyberattacks. If agencies can align their budgetary responsibilities and resources with these initiatives, then they will be well equipped to bolster their cyber resilience today and tomorrow.
In particular, initiatives 3.5.1 and 3.5.2, which leverage federal procurement to improve accountability, are big steps forward for the regulatory cybersecurity functions. By leveraging the power of the dollar, the government is able to compel companies into compliance. This enables the federal government to implement its new strategy quickly and without the need for new legislation.
What’s missing? Accountability mechanisms and bold initiatives
Like many other government plans, the major piece that’s not included is an accountability mechanism. These plans need to have a way to measure and hold agencies accountable to be successful. Agencies need to know the consequences of not meeting these objectives.
And we’re still missing some of the big, bold ideas that would really change the game in the fight against ransomware. This could look like banning ransomware payments to stop cybercriminals from profiting off these attacks. The government could also mandate that private and government organizations publicly notify customers within 72 hours of a breach. These kinds of moonshot initiatives would have an immediate impact on stopping ransomware and address the urgency of the problem now, not in a few years or a decade’s time.
The new NCSIP marks a significant milestone in the federal government’s collective efforts to strengthen cyber resilience and combat evolving threats. The plan demonstrates, for the most part, a clear direction for government agencies. By embracing proactive breach containment approaches and aligning with the NCSIP's initiatives, both public and private sector organizations can navigate today's complex cybersecurity landscape and safeguard their critical assets effectively. Together, we can build a more resilient and secure digital future.