Ensuring our nation’s cybersecurity requires a unified effort, and the National Cybersecurity Strategy Implementation Plan (NCSIP) is a good-faith step in that direction. It provides implementation details of the administration’s whole-of-society approach as described in its National Cybersecurity Strategy, released in March 2023. We are encouraged to see these additional details, including completion goal dates and information about entities responsible for each initiative. 

While we also support the idea of a “living document,” in which the NCSIP would be updated at least annually to add new and relevant initiatives and remove completed ones, we are wary of scope and mission creep as a result. Close coordination between the White House, Congress, civil society and the private sector is crucial to keeping our focus on aligning strategy and implementation.

The stage is set to make full implementation a reality, but there is a lot of work ahead. There will need to be continued efforts to harmonize cybersecurity regulation (Initiative 1.1.1) to help avoid multiple—and sometimes conflicting—cybersecurity standards. Consider incident and breach reporting, for example. Numerous federally issued requirements already exist, which could result in a compliance nightmare and even limit the goal of improving our cyber posture.

We are heartened to see that the National Institute of Standards and Technology will be updating its Cybersecurity Framework and that it will work with regulators on aligning standards across the board. We trust that existing authorities for critical infrastructure are sufficient (1.1.2), but should a gap arise, we urge the administration and regulatory agencies to work with Congress, the private sector and civil society stakeholders to find appropriate solutions.

Adversaries and criminals don’t follow rules in cyberspace, and they can take advantage of disjointed cyber defense and remediation efforts. Timely information sharing and coordinated operational cyber defense between the public and private sectors to counter malicious actors has long been a tedious and often monumental task. Removing barriers to accessing critical information needed to defend against attacks (2.3) by expanding access to cyber threat intelligence for critical infrastructure owners and operators is a necessary step in the right direction. We hope that a concerted effort across sector risk management agencies, intelligence apparatuses and law enforcement will streamline defensive operations with the private sector (2.1, 2.2).

We are happy to see the federal government’s dedication to working closely with the private sector, civil society, academia and other counterparts to defend our nation’s cybersecurity and to promoting secure-by-design and secure-by-default software development practices (1.2). Providing safe harbors for companies (3.3.1) that develop and maintain software products and services securely could also improve our nation’s cyber posture. However, a new liability regime has the potential to be abused. We are skeptical of the notion that companies can be forced to adopt secure development practices by threat of lawsuits. Prior to taking any steps toward a liability regime, the Office of the National Cyber Director should work closely with Congress and the private sector to find solutions that avoid burdening industry players with potential suits—especially if it comes at the cost of hampering continued innovation.

There is a lot to be lauded in establishing a concerted nationwide effort to improve U.S. cybersecurity. As implementation progresses, it is imperative for non-government stakeholders to remain engaged. The consideration and integration of the private sector in solutions is a positive and necessary development, and we hope to see continued collaboration in the coming months and years.
