Cybersecurity & Tech

The Biden Administration’s Implementation Plan for the National Cybersecurity Strategy

Eugenia Lostri, Stephanie Pell
Tuesday, September 19, 2023, 10:13 AM

The first installment of the implementation plan provides insight into how the Biden administration intends to achieve the National Cybersecurity Strategy’s goals.

(DataCorp Technology, https://www.flickr.com/photos/datacorpltd/23922032368; CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

The Biden administration released its National Cybersecurity Strategy (NCS) in March. The strategy outlined a broad plan for achieving two fundamental shifts intended to strengthen the cybersecurity posture of the United States over the long term. Specifically, the strategy seeks to ensure that the “biggest, most capable, and best-positioned entities” in both the public and private sectors “assume a greater share of the burden for mitigating cyber risk.” It also focuses on how to realign “incentives to favor long-term investments” to build “a future digital ecosystem that is more inherently defensible and resilient.” The path for realizing these outcomes manifests through five distinct but complementary pillars—defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.

As we’ve noted previously on Lawfare, the strategy lays out an ambitious plan for pushing the U.S. toward a more cyber-secure future, but many details were left to an implementation plan that was not released with the NCS. Those details are an important part of understanding and evaluating how the administration intends to achieve these shifts, which agencies will take the lead on various initiatives that align with the strategy’s five pillars, and where the administration believes that new legislation is needed to achieve the objectives of the five pillars.

The first installment of the implementation plan—which the administration refers to as a “living document” that it intends to update annually—was released on July 13. While implementation will happen at the agency level, the administration acknowledges in the plan’s introduction that the U.S. government will “succeed” in implementing the NCS only “through close collaboration with the private sector; civil society; state, local, Tribal, and territorial governments; international partners; and Congress.”

From an organizational perspective, the plan tracks the NCS’s five pillars and describes both near- and farther-term “next steps” through outlining 65 federal initiatives and assigning roles and responsibilities for these initiatives to various federal agencies. In what follows, we provide a non-exhaustive overview of the implementation plan that also tracks the NCS’s five pillars, with a particular focus on how the initiatives serve as building blocks for achieving the overarching goals of each pillar. We call out areas where the bold vision of the cybersecurity strategy is tempered by initiatives that suggest the process for achieving certain objectives is in its infancy, where more information is needed to assess the significance and import of certain initiatives, and where—without more meat on the bones—we see challenges in meeting pillar objectives.

Pillar I: Defend Critical Infrastructure

The first pillar of the NCS seeks to “distribute[] risk and responsibility” as part of a cyber defense model. In a significant departure from prior federal policy, this pillar calls for cybersecurity regulations that are “calibrated to meet the needs of national security and public safety.” Collaboration and innovation are additional and central aspects of this pillar, reflected in its five strategic objectives: establishing cybersecurity requirements to support national security and public safety, scaling public-private collaboration, integrating federal cybersecurity centers, updating federal incident response plans and processes, and modernizing federal defenses. Of the 16 initiatives in this first phase of the implementation plan, the Cybersecurity and Infrastructure Security Agency (CISA) is tasked with leading almost half.

As we mentioned in our review of the NCS, where sufficient authorities exist, the Biden administration has already been working on improving the defenses of critical infrastructure sectors. Where existing authorities are in place, they will be leveraged to “set necessary cybersecurity requirements in critical sectors.” The NCS states that the administration will work with Congress to address the needs of those departments and agencies with “gaps in statutory authorities.” In March, we predicted that the implementation plan would offer “better perspectives on actions to come,” since the NCS did not name the critical sectors that are current priorities for the administration.

Unfortunately, the implementation plan does not identify the sectors where existing authority is insufficient and where the administration will work with Congress to bridge gaps. In fact, there is only one mention of Congress in all of Pillar I—and it is only part of a reference the plan makes to the NCS, not language of an actual plan initiative.

Notwithstanding that it has been more than two years since the Colonial Pipeline hack, the three initiatives under the first strategic objective focus on identifying existing gaps. The plan directs the Office of the National Cyber Director (ONCD) to work with regulators “to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure.” Nongovernmental stakeholders can comment on the opportunities and challenges of harmonization through a request for information. The process of identifying these opportunities is due to be completed by this December. Because the deadline for the request for information was extended recently from Sept. 15 to Oct. 31, it is unclear if the deadline for the initiative is also pushed back.

Something similar occurs with the next initiative, where the National Security Council (NSC), Sector Risk Management Agencies (SRMAs), and regulators are tasked with analyzing the cyber risk they face and considering how relevant agencies could use existing authorities to mitigate it, along with identifying where the gaps lie. Unlike the previous initiative, this one has a longer span, due to be completed in March 2025. While these initiatives serve the important goal of streamlining and preventing redundant regulation, it is unclear why the implementation plan remains limited to exploratory steps, instead of identifying the sectors affected by gaps in regulatory authority and laying out concrete plans to address them.

The third initiative centers on the National Institute of Standards and Technology’s (NIST’s) update to the Cybersecurity Framework (CSF), a voluntary framework intended to help organizations develop their cybersecurity efforts. NIST released a draft earlier this month, and CSF 2.0 is expected to be completed by December 2025.

While the NCS language seemed to condemn the current status quo forcefully, where the “marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents,” these initiatives seem to align more with voluntary approaches to critical infrastructure cybersecurity than with the stronger mandatory requirements the NCS shifts demand. The hope is that by involving multiple stakeholders, considering the specific needs of different sectors, and updating voluntary harmonized frameworks, the conversation around responsibility and security can begin to shift. But given the breadth of cyber initiatives that the administration has undertaken, it is surprising that these initiatives remain focused on identifying regulatory gaps and offering voluntary frameworks.

The five initiatives described under the next strategic objective (scale public-private collaboration) designate CISA as the lead agency. CISA already has a vested role as a convener, having developed solid relationships with other stakeholders in the past few years. The first initiative reveals that the administration also intends to shape the behavior of software manufacturers. In the next year, CISA hopes to scale its existing relationships to “drive development and adoption of secure-by-design and secure-by-default technology.” In June, CISA, the FBI, the NSA, and the cyber authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand issued a guidance with technical recommendations and principles “to guide software manufacturers in building software security into their design processes.”

The other four initiatives under this strategic objective focus on the relationship with SRMAs. Because so much of the cybersecurity work relies on information sharing across sectors, these initiatives entail evaluating the designation of critical infrastructure sectors’ SRMAs, exploring how to leverage reporting mechanisms, improving information sharing and collaboration, and establishing a support capability that would serve all SRMAs.

The focus on improving communication and collaboration continues under the third strategic objective (integrate federal cybersecurity centers). The sole initiative listed under this objective is an ONCD review of the gaps in capabilities of the centers by the end of the month.

The four initiatives under the strategic objective focus on updating federal incident response plans and processes demonstrate the need for constant vigilance and updates on cybersecurity matters. The first initiative tasks CISA with leading the update process for the National Cyber Incident Response Plan, originally published in December 2016. Another requires the ONCD to develop tabletop exercises “to refine delivering a whole-of-government response to a cyber incident.” And the fourth initiative asks the Department of Homeland Security to work with Congress to ensure that the Cyber Safety Review Board is codified and given the necessary authorities to continue its work—thus solidifying the board’s role and protecting it from changes in political priorities.

One of the initiatives outlines the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Signed into law by President Biden in March 2022, the bill required CISA to “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.” By September 2025, CISA will issue the CIRCIA Notice of Proposed Rulemaking and Final Rule “and develop the processes to advance effective actioning of incident reports to include sharing of incident reports with appropriate agencies.”

Pillar II: Disrupt and Dismantle Threat Actors

The second pillar seeks to enable “more sustained and effective disruption of adversaries.” While a significant locus of this pillar is ransomware, its five identified objectives—integrate federal disruption activities; enhance public-private operational collaboration to disrupt adversaries; increase the speed and scale of intelligence sharing and victim notification; prevent abuse of U.S.-based infrastructure; and counter cybercrime, defeat ransomware—focus broadly on a threat environment encompassing a range of adversaries with sophisticated capabilities and diverse motives and goals. The implementation plan identifies specific initiatives (14 total) for these objectives, with the Justice Department or FBI assigned to take the lead on many of them.

With respect to the integration of federal disruption activities, some of the initiatives were already underway and specifically referenced in the NCS when it was released in March. As part of the publication of the implementation plan, for example, the administration announced that the Department of Defense cyber strategy (DoD cyber strategy) has already been completed and shared with Congress. (The DoD cyber strategy was actually released in March, so it’s unclear why the implementation plan, released in July, calls for the DoD cyber strategy to be completed by December.)

The unclassified summary of the 2023 DoD cyber strategy indicates that it supersedes the 2018 DoD cyber strategy and that it serves as an implementation document for three separate strategies: the 2022 National Security Strategy, the 2022 National Defense Strategy, and the NCS. Notably, the 2023 DoD cyber strategy is the first time that a DoD cyber strategy has been issued when two nations with significant cyber capabilities—Russia and Ukraine—have been at war. The updated strategy reflects lessons learned from the deployment of these capabilities during this armed conflict.

The 2023 strategy also continues “defend forward” activities—where the Department of Defense acts “to disrupt malicious cyber activity at its source, including activity that falls below the level of armed conflict”—first articulated in the 2018 DoD cyber strategy under the Trump administration. Defending forward is, among other things, about the department “getting into the space of our adversaries, so that we can better defend the United States and our allies as well as our interests.” As explained by Gen. Paul Nakasone, the dual-hatted commander of NSA and Cyber Command: “There was a huge inflection point in 2018 with the Defend Forward. I don’t see, necessarily, a huge change in the [2023] strategy coming out.”

While Cyber Command is the primary entity engaging in defend forward disruption activities, the 2023 DoD cyber strategy notes that “these operations will support the strategic approach outlined in the 2023 National Cybersecurity Strategy, in which the Department’s cyberspace operations may complement concurrent actions by the diplomatic, law enforcement, and intelligence communities, among others.” And although the unclassified summary of the 2023 DoD cyber strategy does not give specific details about how Department of Defense defend forward operations are integrated into the efforts of these federal agencies and intelligence communities, it does note that these activities support a “whole-of-Government effort to reduce the perceived and actual utility of malicious cyber activity and render cybercrime unprofitable.”

Efforts to expand capacity for integrated takedowns and disruption campaigns (think REvil and Hive disruptions), which include strengthening the National Cyber Investigative Joint Task Force’s coordination capacity and developing a menu of options for increasing the speed and scale of disruption operations, were also apparent in the NCS. The implementation plan now sets various deadlines for such capacity building, beginning in March 2024 and going through September 2025. It is, however, unclear how the relative success of these various initiatives will be evaluated in the context of the larger objective of enabling more sustained and effective disruption of adversaries.

The initiative involving a proposal for new legislation to disrupt cybercrime has a deadline of September. The Justice Department is tasked as the lead agency and is directed to work with interagency partners, including the Department of Homeland Security, the Treasury, CISA, the FBI, the Secret Service, and the ONCD. One reading of the language in the implementation plan that ties the initiative back to the cybersecurity strategy suggests that the legislative proposal is intended to be narrow in focus, specifically related to “technological and organizational platforms that enable continuous, coordinated operations.” Another reading of the initiative language, which directly anticipates a “targeted set of legislative proposals that ... will enhance the U.S. Government’s capacity to disrupt and deter cybercrime,” suggests that what is intended is broader than just the development of technological and organizational platforms. Because a legislative proposal is not mentioned in the NCS, the language in the implementation plan is confusing. In any event, it is likely that the Justice Department and other agencies already have a “wish list” that will, at least in part, be converted into a legislative proposal. But a proposal is not actual legislation that has been introduced, and it is difficult to evaluate the chances that such a proposal could pass in the abstract without actually reading it.

In addition to the integration of federal disruption efforts, the implementation plan tasks the ONCD with “identify[ing] mechanisms for increased adversarial disruption through public-private operational collaboration.” As the private sector already engages in adversarial disruption efforts, better operational collaboration between the public and private sectors may increase the value and impact of these operations and thus is an important building block toward the goal of disrupting and dismantling threat actors.

The single initiative tied to the objective of preventing abuse of U.S.-based infrastructure involves the Department of Commerce publishing a notice of proposed rulemaking by the end of the month for implementation of former President Trump’s Executive Order 13984, “which lays out requirements for IaaS [Infrastructure as a Service] providers and resellers as well as standards and procedures for determining what risk-based prevention approach is sufficient to qualify for an exemption.” These IaaS providers, like Amazon Web Services, IBM Cloud, or Microsoft Azure, offer compute, storage, and networking resources on demand, generally in a pay-as-you-go model. But some commentators have noted that the implementation of this executive order is extremely problematic and may not do much to prevent the abuse of IaaS.

The final objective of this pillar, “counter cybercrime, defeat ransomware,” has five separate initiatives with different agencies (State, FBI, Justice, CISA, and Treasury) taking the lead on each one. Unsurprisingly, the State Department is tasked as lead, “in coordination with the Joint Ransomware Task Force ... cochaired by the FBI and CISA,” to work with the Justice Department and “other stakeholders to develop an international engagement plan to discourage nations from acting as safe havens for ransomware criminals and strengthen international cooperation in countering transnational cybercrime.” The plan, due to be completed this month, presumably is well underway, but details on how it will change the current state of affairs with respect to certain countries acting as safe havens for ransomware criminals remain to be seen.

Other initiatives associated with this objective focus on ways in which the government can disrupt and investigate ransomware crimes, along with disrupting the ransomware ecosystem as a whole. Such activities include efforts against “virtual asset providers that enable laundering of ransomware proceeds and web fora offering initial asset credentials or other material support for ransomware activity.” It appears that some, if not all, of these initiatives are ongoing efforts that predated the release of the NCS.

One of the final initiatives associated with this objective, led by CISA, focuses on providing support—such as training, cybersecurity services, technical assessments, preattack planning, and incident response—to the private sector and state, local, and territorial entities, as well as other “high-risk targets of ransomware to reduce the likelihood of impact and the scale and duration of impacts when they occur.” While clearly an important initiative, the kind of support offered does matter, especially for those entities that may lack both knowledge and needed resources. As Katie Nichols, director of intelligence at Red Canary has explained, “cybersecurity and incident response will be far more useful to these small organizations than training and assessments will be.” Going forward, she would like to see “more consideration of substantial help with hands-on security monitoring.”

Pillar III: Shape Market Forces to Drive Security and Resilience

Pillar III of the NCS states that the U.S. “must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” And as we noted previously, senior cybersecurity officials were evangelizing this message for well over a year before the NCS’s release. Six objectives—holding the stewards of “our data” accountable, driving the development of secure Internet of Things (IoT) devices, shifting liability for insecure software products and services, using federal grants and other initiatives to build in security, and leveraging federal procurement to improve accountability and exploring a federal cyber insurance backstop—fall under this pillar, with a total of 11 initiatives outlined in the implementation plan. While arguably one of the most important pillars in the strategy, there are places where the implementation plan seems thin or lacking the kind of momentum originally created by the NCS.

The first objective under this pillar in the NCS—which is completely missing from this implementation plan—seeks to hold stewards of “our data” accountable. Here, the strategy is acknowledging a need for privacy-focused legislation incorporating standards and guidelines developed by NIST that impose “robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.” The presence of this objective in the NCS is a recognition of the important relationship between data privacy and cybersecurity. Thus, it is unclear why the implementation plan is silent on this objective. Perhaps the administration doesn’t see a path forward for the passage of comprehensive privacy legislation in the near term (which is probably accurate), but the failure of the plan even to acknowledge this objective is disappointing and raises questions about the existence of a viable plan to achieve this objective.

The second objective is to “drive the development of secure IoT devices.” The two corresponding initiatives focus on the implementation of federal acquisition requirements pursuant to the IoT Cybersecurity Improvement Act of 2020 and the initiation of a U.S. government IoT security labeling program.

One of these initiatives is an ongoing process that follows from Executive Order 14028, “Improving the Nation’s Cybersecurity,” and an event on IoT security hosted by the White House in October 2022. But the implementation plan, released on July 13, already appears outdated on this point. While it indicates that the NSC is the responsible agency for this initiative, the Federal Communications Commission (FCC), per a July 18 statement from the White House, is the lead on a “U.S. Cyber Trust Mark” program. Specifically, the FCC,

[a]cting under its authorities to regulate wireless communication devices ... is expected to seek public comment on rolling out the proposed voluntary cybersecurity labeling program [that] ... would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, requires unique and strong default passwords, data protection, software updates, and incident detection capabilities.

Per the White House announcement, the program is expected to be up and running in 2024. Although this is only the first installment of the implementation plan, there is an odd disconnect between the July 13 release of the plan and the July 18 release of the announcement.

The third strategic objective—shifting liability for insecure software products and services—is the most bold but also the most controversial element of the NCS: “Proposing liability for poorly written code or poorly implemented security measures has been the third rail of cybersecurity policy. Touch it and you die.” As we noted previously, “it reflects the administration’s belief that without the ability to impose legal consequences for failing to take reasonable steps to secure software and products, the cascading, harmful effects of insecure software and services may not be adequately abated over the long term.” It is also an objective that will need congressional action in the form of legislation to ensure implementation.

The first initiative supporting this objective, which isn’t set to be completed until March 2024, is a symposium hosted by the ONCD that will bring together stakeholders from academic and civil society “to explore different approaches to a software liability framework that draw from different areas of regulatory law and reflect inputs from computer scientists as to the extent that software liability may or may not be like these other regimes.” Given that the administration made such a strong, forceful move in committing to address software liability, this initiative feels like only the smallest of steps toward that goal.

Without the input and buy-in of key stakeholders, any proposed legislation would likely be dead on arrival. The administration is not wrong to engage with these and other groups throughout the process, but it appears that the outreach and exploration efforts are in their infancy (or have not started in earnest at all) and that a legislative proposal is a long way off. In that regard, the momentum generated by the original language of the cybersecurity strategy and the evangelism that led up to its release is somewhat undermined by the language in the implementation plan. But better to provide an accurate assessment than to suggest that the process is farther along than it is.

The second initiative associated with this objective focuses on advancing the software bill of materials (SBOM) and mitigating the risk of unsupported software. As described by CISA, the SBOM is essentially a “list of ingredients that make up software components,” which “has emerged as a key building block in software security and software supply chain risk management.” In this initiative, the SBOM is specifically linked with mitigating the risk of unsupported software—that is, software no longer supported by its manufacturer such that there will be no more updates or security patches available for it. As part of this initiative, CISA is tasked with exploring requirements “for a globally-accessible database for end-of-life/end-of-support software and conven[ing] an international staff-level working group on SBOM.” Work on these issues at both the national and international levels is surely needed, but nonresident senior fellow of the Cyber Statecraft Initiative Wendy Nather questions how the U.S. government will “keep this globally available end-of-support or EOL [end-of-life] database from becoming a ‘strike here’ resource for threat actors?”

The third initiative associated with this objective focuses on coordinated vulnerability disclosure. Software and software-based products have vulnerabilities that, left unaddressed, could be exploited by various threat actors. To protect vulnerable systems, these software vulnerabilities must be found and vulnerable code must be patched or system configurations must be modified. Before the vulnerable code can be patched, patches must be developed and distributed. Coordinated vulnerability disclosure is “a process intended to ensure that these steps occur in a way that minimizes the harm to society posed by vulnerable products.”

Coordinated vulnerability disclosure is not new, and this initiative tasks CISA with “build[ing] domestic and international support for an expectation of coordinated vulnerability disclosure among public and private entities, across all technology types and sectors, including through the creation of an international vulnerability coordinator community of practice.” Bringing public and private entities together in an environment where there is both shared understanding and commitment is an extremely worthwhile initiative. It also has the capacity to strengthen other elements of the cybersecurity strategy and implementation plan. For example, as Chris Wysopal, co-founder of Veracode, notes, coordinated vulnerability disclosure “should be made a requirement of the liability safe harbor [that will be part of any legislative effort to shift liability for insecure software products and services]. There should be work to make coordinated vulnerability disclosure a requirement everywhere.”

The fourth objective concerns the use of U.S. grants and other incentives to “build in” security. In addition to initiatives focused on improving critical infrastructure security and resilience, one initiative looks to prioritize investments in research that are focused on social, behavioral, and economic issues with the goal of “increasing understanding of individual and societal impacts on cybersecurity, and the impacts of cybersecurity on individuals and society.” An important question that this third initiative presumably covers is: Who or what groups are left out of the standard ways that cybersecurity is approached and delivered at the user level?

The fifth objective focuses on leveraging federal procurement to improve accountability. The “power of the purse” can be a very strong lever toward the adoption of more secure software. The first corresponding initiative involves a proposal for changes to the federal acquisition regulation under Executive Order 14028, which requires the U.S. government to purchase software that is developed securely. Draft rules will be released, followed by a notice and comment period. The Office of Management and Budget (OMB) is the responsible agency for this initiative and must present a proposal by this December.

The second initiative requires the Justice Department to “expand efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants with the aim of building resilience, increasing vulnerability disclosures, reducing the competitive disadvantage for responsible vendors, and recovering damages for affected Federal programs and agencies.” This initiative is not entirely new. In October 2021, the Justice Department stood up a civil-cyber fraud initiative focused on using “civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” But the implementation plan sets a deadline for the department to expand such efforts in September 2025. It is not clear from the plan why such a significant amount of time is needed for full implementation of this initiative.

The sixth and final objective directs the Treasury Department to explore a federal cyber insurance backstop. The cybersecurity strategy notes that “[i]n the event of a catastrophic cyber incident, the Federal Government would be called upon to stabilize the economy and aid recovery” and that structuring that response ahead of time “could provide certainty to markets and make the nation more resilient.” Such a backstop would require the Treasury Department to accept responsibility for financial exposure risks that insurers and reinsurers face from future catastrophic cyber incidents affecting those that they insure. The single initiative associated with this objective is essentially a restatement of the objective, directing the Treasury Department’s federal insurance office, in coordination with CISA and the ONCD, to “assess the need for a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.” The deadline for the assessment is December. After that assessment occurs, and assuming it is made public, more information about whether the government will choose to pursue such a backstop and ultimately make a legislative proposal should be available.

Pillar IV: Invest in a Resilient Future

Pillar IV focuses on the investments needed to “assure continued U.S. leadership in technology and innovation.” This pillar is structured around six strategic objectives: securing the technical foundation of the internet, reinvigorating federal research and development for cybersecurity, preparing for a post-quantum future, securing a clean energy future, supporting the development of a digital identity ecosystem, and developing a national cyber workforce strategy. This first installment of the implementation plan advances these objectives through 13 initiatives.

The purpose of the first strategic objective is to mitigate the risk that stems from the internet’s inherent vulnerability. To secure the technical foundation of the internet, the NCS focuses on three “pervasive concerns”—Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and the slow adoption of Internet Protocol Version 6. These vulnerabilities are tackled through a blend of multi-stakeholder collaboration efforts and the adoption of international standards, all of which must be strengthened or developed.

In the next objective, the NCS articulated a role for the federal government to reinvigorate cybersecurity research and development (R&D). The strategy listed projects that “advance cybersecurity and resilience in areas such as artificial intelligence, operational technologies and industrial control systems, cloud infrastructure, telecommunications, encryption, system transparency, and data analytics used in critical infrastructure.” The implementation plan, however, narrows the focus of these efforts, tasking the Office of Science and Technology Policy to leverage the Federal Cybersecurity R&D Strategic Plan to prioritize investments that focus on memory safe programming languages.

In May 2022, the Biden administration issued National Security Memorandum-10 (NSM-10), focused on balancing the promotion of U.S. leadership in quantum computing while considering the risks this technology could present to vulnerable cryptographic systems. The third strategic objective tasks OMB and CISA with implementing NSM-10 for public networks and systems and National Security Systems, respectively. Under the third initiative, NIST will also conclude its process to “solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.” Recently, NIST released draft standards for three algorithms, and a fourth is expected in about a year. All three initiatives are expected to be completed by June 2025.

The three initiatives under the fourth strategic objective tackle the need for cybersecurity considerations to be taken into account as the administration’s work on clean energy progresses. The Department of Energy will play a role in supporting the development of projects that include secure-by-design systems, demonstrating that the administration’s diverse priorities are interwoven and reinforce each other.

The final strategic objective under this pillar requires the publication and implementation of a separate strategy—the National Cyber Workforce and Education Strategy. The strategy was published on July 31. Per the implementation plan, the ONCD will oversee its implementation and continue to report on its initial stages.

Pillar V: Forge International Partnerships to Pursue Shared Goals

Pillar V focuses on the ways in which the U.S. seeks to bring about “a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly.” Achieving this vision relies on five strategic objectives: building coalitions to counter threats to the digital ecosystem; strengthening international partners’ capacity; expanding the U.S. ability to assist allies and partners; building coalitions to reinforce global norms of responsible state behavior; and securing global supply chains for information, communications, and operational technology products and services.

There are 12 initiatives in the implementation plan, most of them led by the State Department. As is the case with many of the initiatives found in this first installment of the implementation plan, most of the activities described match preexisting efforts laid out in the NCS. The initiatives in this pillar serve two intertwined purposes: increase some form of capacity, and attempt to build consensus with other states.

The four initiatives under the first strategic objective seek to facilitate the activities and coordination between the U.S. and its partners. Whether it is by ensuring that staff are trained adequately so that digital policy is represented in regional teams, streamlining or developing the necessary mechanisms to increase law enforcement collaboration, or looking into best practices to develop regional cyber hubs, the administration is looking at different ways in which cooperation can take place. By December, the State Department will publish an International Cyberspace and Digital Policy Strategy. Though not much about the scope of this other strategy is yet known, the implementation plan says it will incorporate “bilateral and multilateral activities.”

While the initiatives under this first objective combine elements of these two purposes, the second and third strategic objectives focus more explicitly on capacity building efforts. Some of the initiatives continue existing efforts. The second objective requires the Interagency Cyber Capacity Building Working Group to assess current trends and prioritize “future international capacity building assistance” to ensure the advancement of U.S. cyber goals. Those goals should include the six lines of effort already articulated in the cybersecurity strategy, which are “secure critical infrastructure networks, build effective incident detection and response capabilities, share cyber threat information, pursue diplomatic collaboration, build law enforcement capacity[,] … and support our shared interests in cyberspace by adhering to international law and reinforcing norms of responsible state behavior.” In addition, another initiative focuses on the Justice Department’s increased operational collaboration aimed at disruption efforts through law enforcement collaboration. For now, such collaboration appears to be limited to “international peer and near-peer” partners.

Another initiative offers a glimpse into a potentially new area of work: cyber aid. While the U.S. has been providing different sorts of assistance to countries affected by significant cybersecurity incidents, the establishment of a new aid mechanism would be a departure from the mostly ad hoc manner in which this support has been offered so far. The NCS already pointed out that the administration would “establish policies” to support this objective, and several statements from Ambassador Nathaniel Fick addressed the need to set up this mechanism. The implementation plan offers a deadline of December 2023 for the assessment.

While the first three objectives focus more on capability building, the fourth objective centers on building a shared vision of cyberspace and security. There is only one initiative under this objective, which reaffirms the work done through the UN Open-Ended Working Group and the commitment to the framework of responsible state behavior in cyberspace.

The last strategic objective focuses on how the U.S. can mitigate the risks associated with a “dependency on critical foreign products and services from untrusted suppliers.” The question of trust is key for this objective. Which vendors can be trusted, and how can the U.S. promote the standards and best practices that pose less risk to it? The NCS already recognized the need for the U.S. to work with allies and partners that share the American vision for the internet as the most fruitful path forward. It also described some of the forums in which this work would be undertaken—like the Quad working group, or the U.S.-EU Trade and Technology Council, for example—and initial lines of effort, like identifying ways to persuade countries to favor the U.S. vision for cybersecurity.

The implementation plan offers four initiatives to tackle this objective. The first two task the State Department with using the International Technology Security and Innovation Fund to “advance international adoption of policies and regulatory frameworks for secure ICT [information and communication technology] ecosystems” and “promote the development and deployment of open and interoperable network architectures.” Both of these initiatives are set to be completed by March 2024.

Under the third initiative, the National Telecommunications and Information Administration (NTIA) is tasked with the administration of the Public Wireless Supply Chain Innovation Fund. The NTIA awarded the first phase of funding in August, focused on “develop[ing] testing and evaluation procedures for next-generation cellular wireless systems in the upper mid-band.” The final initiative tasks NIST with promulgating the Cybersecurity Supply Chain Risk Management best practices by March 2025. These have the intention of improving the transparency, security, resilience, and trustworthiness of global supply chains by increasing trust in foreign suppliers.

Conclusion

The implementation of the National Cybersecurity Strategy is an iterative, ongoing process. This first installment of the plan illustrates that progression on implementation of the various pillars varies. Some of the pillars—which are the broader objectives by which the administration seeks to achieve the strategy’s two fundamental shifts—started with programs that were underway at the time the cybersecurity strategy was originally published and are now continuing as initiatives in the implementation plan. But other pillars and their corresponding strategic objectives appear to be on a much slower implementation trajectory. As noted previously, the production of a legislative proposal for new software liability standards appears to be a long way off. Indeed, it is reasonable to consider whether fundamental questions have been asked and answered and key concepts defined that are foundational to such a proposal.

But it should not be assumed that just because the implementation of certain pillars appears farther along than others means that significant, demonstrable progress toward achieving the broader objectives of those pillars has occurred. Such assessments should not be viewed or conducted as compliance-like checklists. Evaluations should be made only in the context of reliable mechanisms and processes for measuring effectiveness. The very last part of the implementation plan therefore introduces three initiatives focused on assessing the effectiveness of the NCS. They involve the ONCD issuing a report on the effectiveness of implementing the strategy, identifying and applying lessons learned from “cyber incidents” to the implementation of the strategy, and aligning budgetary guidance with cybersecurity strategy implementation. And like other strategic objectives and initiatives discussed in the plan, these initiatives appear to require additional planning and metrics for assessment.

It must also be acknowledged that implementation of the NCS does not continue on its own. In the absence of a Biden administration and outside of legislation passed by Congress, agency- or commission-driven efforts may be affirmatively discontinued or simply fall by the wayside. The more progress the Biden administration can make on implementation, to include looking at how to build in processes for the continuation of efforts, the more progress and opportunity for achieving the NCS’s two fundamental shifts.


Eugenia Lostri is Lawfare's Fellow in Technology Policy and Law. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.

Subscribe to Lawfare