From cyber strategy to implementation: what CEOs and boards need to know

Matt Gorham is a Managing Director and Shawn Lonergan is a Partner at PricewaterhouseCoopers LLP. This post is based on their PwC memorandum.

The federal government on July 13, 2023 launched the implementation plan for its National Cybersecurity Strategy, just four months after releasing the strategy document itself in March, an unusually fast turnaround for a federal strategy.

The swift, decisive follow-up indicates that the administration recognizes how serious the cyber threat is to national security and critical infrastructure. There has been an onslaught of cybersecurity incidents in the US, including the exploitation of several zero-day vulnerabilities and ransomware campaigns by nation-state actors and cybercriminals alike.

The 57-page National Cybersecurity Strategy Implementation Plan (NCSIP) calls for immediate action in some cases. It enlists 18 federal agencies in a coordinated effort to put in place controls, promulgate regulations and even take offensive action against attackers, all under the leadership of the Office of the National Cyber Director (ONCD).

The strategy’s vision is for government agencies to work together and with private enterprise toward a common objective — strong and resilient economic, geopolitical and personal security.

What CEOs and boards need to know

Bringing the vision to life is not likely to be quick or easy. In our analysis, we called out three shifts to watch.

  • The strategy intends to hold software companies liable for cybersecurity failures.
  • It proposes regulations to protect critical infrastructure.
  • It advances a “defend-forward” approach coupled with law enforcement actions to disrupt malicious actors.

Among the 65+ initiatives in the plan, here are the ones that are most important to realizing these shifts. Be prepared to engage and share information in consultations and working groups, learn about and take advantage of new or increased government resources, and anticipate new compliance obligations.

Note that the numbering system below — for example, 3.2.2 — uses the reference numbers in the implementation plan.

Holding software companies liable for cybersecurity failures

The White House frames this shift as making the biggest, most capable and better-positioned entities — in both the public and private sectors — assume a greater share of the burden for mitigating cyber risk.

Initiate a security label program (3.2.2)

A first step is the White House announcement on July 18 of a cybersecurity certification and labeling program to help Americans choose smart devices that are less vulnerable to cyberattacks. The “US Cyber Trust Mark” would be affixed to products that meet defined cybersecurity criteria. Already, major electronics, appliance and consumer product manufacturers as well as retailers and trade associations have made voluntary commitments to the program, which is expected to be up and running in 2024.

Explore approaches to develop a software liability framework (3.3.1)

The strategy pairs liability with a safe harbor: companies that securely develop and maintain their products and services are to be shielded from liability, while those that do not would bear it. By spring 2024, the implementation plan calls for the ONCD to host a legal symposium drawing on regulatory law and computer science to inform such a framework.

Advance software bill of materials (SBOM) and mitigate the risk of unsupported software (3.3.2)

The importance of securing the software ecosystem was recently underscored by the Cyber Safety Review Board’s report on the Log4j vulnerability (Log4Shell, CVE-2021-44228). Log4j is incorporated into thousands of software components globally, and many of the nation’s critical infrastructure and government systems rely on it; the report noted how hard it was for organizations to even determine where the library was present in their environments, which is precisely the gap an SBOM is meant to close.

Under the implementation plan, the Cybersecurity and Infrastructure Security Agency (CISA) is to continue to work with key stakeholders to identify and reduce gaps in SBOM scale and implementation. CISA will also explore requirements for a globally accessible database of end-of-life/end-of-support software and convene an international staff-level working group on SBOM. This work is to be completed by the spring of 2025.
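The practical value of an SBOM plus an end-of-support database is that the check in 3.3.2 can be automated: walk the SBOM, match each component against the database, and flag what is out of support. The following is an added example, not code from the plan or from PwC, showing that check over a constructed CycloneDX-style JSON fragment. The end-of-support table, the version threshold for `log4j-core` and the `legacy-parser` package are all illustrative stand-ins for the globally accessible database the plan asks CISA to explore, not real published data.

```python
"""Flag SBOM components that are end-of-support or below a supported version.

Added example (not from the implementation plan or PwC). The SBOM fragment,
the end-of-support table and the version thresholds below are constructed
for illustration; the table stands in for the end-of-life/end-of-support
database that initiative 3.3.2 asks CISA to explore.
"""
import json
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed SBOM in CycloneDX 1.5 JSON shape; only the fields the check
# needs are populated.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.20.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"},
        {"type": "library", "name": "legacy-parser", "version": "1.9.3",
         "purl": "pkg:npm/legacy-parser@1.9.3"},           # hypothetical package
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "no-purl-lib", "version": "0.1"},  # no purl
    ],
})

# Constructed end-of-support table keyed by purl with the version removed.
# "min_supported": versions below this are treated as unsupported (hypothetical).
# "eos_date": vendor support ends on this ISO date (hypothetical).
EOS_TABLE: Dict[str, Dict[str, str]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": {"min_supported": "2.17.1"},
    "pkg:npm/legacy-parser": {"eos_date": "2022-12-31"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); a non-numeric segment such as 'rc1' counts as 0."""
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, (version or None)


def find_unsupported(sbom_json: str, eos_table: Dict[str, Dict[str, str]],
                     today_iso: str) -> List[Dict[str, str]]:
    """Return one finding per component that is unmatched, below the supported
    version floor, or past its end-of-support date as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings: List[Dict[str, str]] = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "?")
        label = f"{name}@{comp['version']}" if comp.get("version") else name
        purl = comp.get("purl")
        if not purl:
            # Without a purl the component cannot be matched to any database:
            # that is itself an SBOM quality gap worth reporting.
            findings.append({"component": label,
                             "issue": "no purl; cannot be matched against the end-of-support database"})
            continue
        base, version = split_purl(purl)
        policy = eos_table.get(base)
        if policy is None:
            continue  # not in the table: nothing known, nothing to flag
        version = version or comp.get("version")
        floor = policy.get("min_supported")
        if floor and version and parse_version(version) < parse_version(floor):
            findings.append({"component": label,
                             "issue": f"version {version} is below minimum supported {floor}"})
        eos = policy.get("eos_date")
        if eos and date.fromisoformat(eos) <= today:
            findings.append({"component": label,
                             "issue": f"end of support reached on {eos}"})
    return findings


if __name__ == "__main__":
    for f in find_unsupported(SAMPLE_SBOM_JSON, EOS_TABLE, "2023-07-13"):
        print(f"{f['component']}: {f['issue']}")
```

Note the third kind of finding: a component with no package URL. A real SBOM review turns up many of these, and they matter because the component cannot be matched against any vulnerability or end-of-support feed at all, which is the "gap in SBOM implementation" the plan refers to.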

Takeaway: Confirm that you have a team that’s keeping up with evolving frameworks and future compliance requirements.

Regulations to protect critical infrastructure

Establish an initiative for cyber regulatory harmonization (1.1.1)

You have an opportunity to communicate your existing challenges with regulatory overlap as the ONCD and the Office of Management and Budget (OMB) identify opportunities to harmonize baseline cyber requirements for critical infrastructure. This fact-finding is to be completed by the end of 2023, with a view to setting the requirements by the spring of 2025.

Update the National Incident Response Plan (1.4.1)

“A call to one is a call to all” is the desired future operating state of an updated national incident response plan: an incident reported to any one federal agency should bring the whole federal response to bear. CISA and the ONCD are to strengthen policies, procedures and systems in an updated plan by the end of calendar year 2024.

Draft legislation to codify the Cyber Safety Review Board (CSRB) (1.4.4)

The 15-member CSRB is patterned after the lessons-learned model of bodies such as the National Transportation Safety Board, which investigates accidents and publishes findings rather than assigning blame. The Department of Homeland Security is working with the White House and Congress on a draft bill to codify the authority of the CSRB to conduct comprehensive reviews of significant incidents.

Accelerate development, standardization and adoption of foundational internet infrastructure capabilities and technologies (4.1.3, 4.3.3)

CISA is to lead the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization. NIST is tasked with finishing standardization of one or more quantum-resistant public-key cryptographic algorithms. For enterprises, the practical preparation is a cryptographic inventory: know where public-key cryptography is used (TLS, VPNs, code signing, internal PKI) and how each use can be migrated, so that the standardized algorithms can be adopted as a planned transition rather than a scramble.

Takeaway: Prepare to participate and share information on fact-finding consultations.

Advancing a “defend-forward” approach coupled with law enforcement actions to disrupt malicious actors

Counter cybercrime, defeat ransomware (2.5)

A five-pronged action plan names the agencies responsible for each aspect, working in concert within the Joint Ransomware Task Force or other groups.

  • FBI to carry out disruption operations against actors in the ransomware ecosystem, including virtual asset service providers that enable laundering of proceeds.
  • DOJ to investigate ransomware crimes and disrupt the ecosystem.
  • CISA to mitigate ransomware risk for high-risk targets like hospitals and schools, and offer resources like training.
  • State Department and Justice Department to disincentivize safe havens for ransomware criminals.
  • Treasury Department to develop global anti-money laundering standards for virtual asset service providers.

Takeaway: Know your allies. Share information to participate constructively in the coordinated response to cyber incidents.

The question of resources, capacity and capabilities for implementation

A lot is riding on resources behind the major implementers of the plan. The ONCD will coordinate activities, including an annual report to the president and Congress on the status of implementation. Partnering with the Office of Management and Budget (OMB), the ONCD will confirm that funding proposals in the president’s budget request are aligned with NCSIP initiatives.

CISA is the responsible agency for 10 significant actions among the 65+ initiatives in the implementation plan, which raises questions about its current capacity to take these on. In addition to the responsibilities outlined above, it is charged with scaling public-private partnership (1.2), updating the National Incident Response Plan (1.4.1), issuing the final rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (1.4.2) and building domestic and international support for coordinated vulnerability disclosure (3.3.3).

Sector risk management agencies (SRMAs) are important contributors to the setting of cyber requirements, frameworks and standards across critical infrastructure sectors. They are tasked with helping develop secure-by-design and secure-by-default principles and standards. Uneven capabilities across the SRMAs will need to be addressed for consistent implementation.

Legislation. Aside from the draft bill on authorities for CSRB, two agencies are tasked with working with Congress on developing legislative proposals — the ONCD on establishing a liability regime for software products and services and the Justice Department on increasing the government’s capacity to disrupt and deter cybercrime. These critical initiatives may be subject to uncertainty given current congressional priorities.

Timeline: the first steps towards the major shifts in strategy

More than half (37) of the initiatives need to be completed by June 2024. They are organized along five pillars, plus a sixth set of implementation-wide initiatives (numbered 6.x below).

  1. Defending critical infrastructure.
  2. Disrupting and dismantling threat actors.
  3. Shaping market forces and driving security and resilience.
  4. Investing in a resilient future.
  5. Forging international partnerships to pursue shared goals.

Note that the numbering system below uses the reference numbers in the implementation plan.

January-March 2023

The Department of Homeland Security has been working with the White House and Congress on a draft bill to formally authorize the board’s funding and grant it subpoena power to compel victims to provide information.

1.4.4: Draft legislation to codify the Cyber Safety Review Board with the required authorities.

July-September 2023

In an active summer of 2023, the plan calls for advancing the strategy on several fronts, including capacity-building, a legislative proposal, rulemaking and a security labeling program.

1.2.5: Assess and improve Federal Cybersecurity Centers’ and related cyber centers’ capabilities and plans necessary for collaboration at speed and scale.

2.1.4: Propose legislation to disrupt and deter cybercrime and cyber-enabled crime.

2.4.1: Publish a Notice of Proposed Rulemaking on requirements, standards and procedures for infrastructure-as-a-service providers and resellers.

2.5.1: Disincentivize safe havens for ransomware criminals.

3.2.1: Implement Federal Acquisition Regulation requirements per the Internet of Things Cybersecurity Improvement Act of 2020.

3.2.2: Initiate a national IoT security labeling program.

3.4.1: Leverage federal grants to improve infrastructure cybersecurity.

3.4.2: Prioritize funding for cybersecurity research.

October-December 2023

By the end of 2023, look for groundwork to be laid in regulatory harmonization and standard-setting for a safer Internet.

1.1.1: Establish an initiative on cyber-regulatory harmonization.

1.2.2: Provide recommendations for the designation of critical infrastructure sectors and Sector Risk Management Agencies.

1.4.3: Develop exercise scenarios to improve cyber incident response.

2.1.1: Publish an updated Department of Defense cyber strategy.

2.5.2: Disrupt ransomware crimes.

4.1.2: Promote open-source software security and the adoption of memory-safe programming languages.

4.1.3: Accelerate development, standardization and adoption of foundational internet infrastructure capabilities and technologies.

4.2.1: Accelerate maturity, adoption and security of memory-safe programming languages.

4.4.1: Drive adoption of cyber secure-by-design principles by incorporating them into federal projects.

5.1.2: Publish an international Cyberspace and Digital Policy Strategy.

5.2.1: Strengthen international partners’ cyber capacity.

5.3.1: Establish flexible foreign assistance mechanisms to provide cyber incident response support quickly.

January-March 2024

Early in 2024, look out for specific recommendations to counter cybercrime and disrupt operations of adversaries.

1.5.1: Secure unclassified Federal Civilian Executive Branch systems.

2.1.5: Increase speed and scale of disruption operations.

2.2.1: Identify mechanisms for increased adversarial disruption through public-private operational collaboration.

2.5.3: Investigate ransomware crimes and disrupt the ransomware ecosystem.

3.5.1: Implement Federal Acquisition Regulation changes required under EO 14028 (Executive Order on Improving the Nation’s Cybersecurity).

3.6.1: Assess the need for a federal insurance response to a catastrophic cybersecurity event.

4.1.1: Lead the adoption of network security best practices.

4.4.2: Develop a plan to confirm the digital ecosystem can support and deliver the US government’s decarbonization goals.

4.6.1: Publish a National Cyber Workforce and Education Strategy and track its implementation.

5.5.1: Promote the development of secure and trustworthy information and communication technology networks and services.

5.5.2: Promote a more diverse and resilient supply chain of trustworthy information and communication technology vendors.

6.1.2: Apply lessons learned to the National Cybersecurity Strategy implementation.

April-June 2024

In this quarter, look to groundwork being laid for streamlined reporting of cyber-threat intel and data — important for stronger collective cyber defense.

1.2.3: Evaluate how the CISA can leverage existing reporting mechanisms or the potential creation of a single portal to integrate and operationalize Sector Risk Management Agencies’ sector-specific systems and processes.

2.3.2: Remove barriers to delivering cyber threat intelligence and data to critical infrastructure owners and operators.

4.1.5: Collaborate with key stakeholders to drive secure internet routing.

6.1.1: Report progress and effectiveness on implementing the National Cybersecurity Strategy.

What you need to do now

Keep refining your organization’s defense-in-depth and cyber resilience. Both the offensive and defensive sides are continually sharpening their teams, processes and techniques, as PwC’s Cyber Threats 2022: Year in Retrospect recounts. Defense in depth plus real-time threat intelligence is what consumers, employees and investors count on, and societal trust relies on it.

Strengthen your collaboration with the government and sector information-sharing centers. The implementation plan places a premium on public-private cybersecurity collaboration. A good start is joining your sector’s Information Sharing and Analysis Center (ISAC), NSA’s Cybersecurity Collaboration Center (CCC), CISA’s Joint Cyber Defense Collaborative (JCDC) or the National Cyber-Forensics and Training Alliance (NCFTA).

If your enterprise is part of critical infrastructure, renew or nurture contacts at your SRMA and the local FBI field office. Capitalize on the integrated effort by the government to disrupt threat actor groups, be they nation-state actors or criminal groups.

Engage with regulators now. Stay abreast of new developments. Talk to regulators and engage in rulemaking or legislative processes to help your enterprise avoid being blindsided by regulations. Take an active interest if you’d like to shape the rules that could affect your company or sector.
