The Atlantic Council released a detailed commentary on the White House’s new “Implementation Plan for the 2023 US National Cybersecurity Strategy.” Lots of interesting bits.
So far, at least three trends emerge:
First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment. the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority.
Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.
More Stories
Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing
QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a...
WK Kellogg Confirms Data Breach Tied to Cleo Software Exploit
WK Kellogg breach exposed employee data after attackers exploited flaws in Cleo software Read More
Precision-Validated Phishing Elevates Credential Theft Risks
New phishing method targets high-value accounts using real-time email validation Read More
Ransomware Attacks Hit All-Time High as Payoffs Dwindle
While ransomware attack claims are at an all-time high, financial losses from actual attacks may be reducing Read More
How to Leak to a Journalist
Neiman Lab has some good advice on how to leak a story to a journalist. Read More
Three-Quarters of IT Leaders Fear Nation-State AI Cyber Threats
73% of respondents in an Armis survey said they worried about nation-state actors using AI for cyber-attacks Read More