The National Cybersecurity Strategy Implementation Plan: A CSI Markup
On July 13, the White House released the Implementation Plan for the 2023 US National Cybersecurity Strategy. Read along with CSI staff, fellows, and experts for commentary and what the NCSIP means for the Strategy.
The 2023 National Cybersecurity Strategy (NCS) offered a marked shift in the dialogue around cyber policy. No longer would policy need to be defined as the sum of resistance to an adversary or preparation for catastrophe. Instead, the NCS articulated a vision of proactive intervention against structural flaws in the markets for digital technology, detailed a means both to better coordinate the disruption of adversaries and to shore up some levers of federal cyber policymaking, while offering the faint outlines of a more active and ambitious role for international diplomacy in the American school of cyber strategy. As we shared in our analysis of the strategy when it was launched in March of this year, the document was long on vision, and work remained to capture much of its promise.
The Implementation Plan (NCSIP) released last week, which has been subject to a vicious trifecta of rumor, promise, and speculation since before the strategy was released, is the Biden administration’s first attempt to answer the charges of having ‘vision without a plan’ and to articulate specific, measurable goals to turn the strategy’s five pillars into meaningful change. It provides the first clues as to how the Office of the National Cyber Director (ONCD) plans to realize the vision it outlined in the strategy of “rebalancing responsibility” in cyberspace.
So far, at least three trends emerge:
First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority.
Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.
These are a few thoughts, but they are an incomplete analysis of the plan and its implications for the state of cybersecurity and of policy. To that more fulsome end, we gathered a group across the Cyber Statecraft Initiative from engineering, security, research, and policy backgrounds to contribute their thoughts: Sara Ann Brackett, Safa Shahwan Edwards, Maia Hamin, Trey Herr, Danielle Jablanski, Amelie Koran, Will Loomis, Wendy Nather, Katie Nickels, Marc Rogers, Stewart Scott, Margaret Smith, Bobbie Stempfley, and Chris Wysopal, as well as Jennifer Lin for building out the implementation plan timeline. Find their thoughts and the group’s conversation below as we mark up the 2023 National Cybersecurity Strategy Implementation Plan.
Implementation Plan TOC
3.1 Hold the Stewards of Our Data Accountable (not included in the NCSIP)
3.2 Drive the Development of Secure IoT Devices
3.3 Shift Liability for Insecure Software Products and Services
3.4 Use Federal Grants and Other Incentives to Build in Security
3.5 Leverage Federal Procurement to Improve Accountability
3.6 Explore a Federal Cyber Insurance Backstop
4.1 Secure the Technical Foundation of the Internet
4.2 Reinvigorate Federal Research and Development for Cybersecurity
4.3 Prepare for Our Post-Quantum Future
4.4 Secure Our Clean Energy Future
4.5 Support Development of a Digital Identity Ecosystem (not included in the NCSIP)
4.6 Develop a National Strategy to Strengthen Our Cyber Workforce
5.1 Build Coalitions to Counter Threats to Our Digital Ecosystem
5.2 Strengthen International Partner Capacity
5.3 Expand U.S. Ability to Assist Allies and Partners
5.4 Build Coalitions to Reinforce Global Norms of Responsible State Behavior
5.5 Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services
Pillar One: Defend Critical Infrastructure
Pillar Two: Disrupt and Dismantle Threat Actors
Pillar Three: Shape Market Forces to Drive Security and Resilience
Pillar Four: Invest in a Resilient Future
Pillar Five: Forge International Partnerships to Pursue Shared Goals
NCSIP Initiative Timeline
Authors and Contributors
Sara Ann Brackett is a research associate at the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She focuses her work on open-source software security, software bills of material, and software supply-chain risk management and is currently an undergraduate at Duke University.
Safa Shahwan Edwards is the deputy director of the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). In this role, she manages the administration and external communications of the Initiative, as well as the Cyber 9/12 Strategy Challenge, the Initiative’s global cyber policy and strategy competition. Safa holds an MA in International Affairs with a concentration in Conflict Resolution from the George Washington University Elliott School of International Affairs and a BA in Political Science from Miami University of Ohio. Safa is of Bolivian and Jordanian heritage and speaks Spanish and Arabic.
Maia Hamin is an associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She works on the Initiative’s Systems Security portfolio, which focuses on policy for open-source software, cloud, and other technologies with important systemic security effects.
Trey Herr is the director of the Atlantic Council’s Cyber Statecraft Initiative. His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce.
Danielle Jablanski is a nonresident fellow at the Cyber Statecraft Initiative and an operational technology (OT) cybersecurity strategist at Nozomi Networks, responsible for researching global cybersecurity topics and promoting OT and industrial control systems (ICS) cybersecurity awareness throughout the industry. Jablanski serves as a staff and advisory board member of the nonprofit organization Building Cyber Security, leading cyber-physical standards development, education, certifications, and labeling authority to advance physical security, safety, and privacy in the public and private sectors. Since January 2022, Jablanski has also served as the president of the North Texas Section of the International Society of Automation, organizing monthly member meetings, training, and community engagements.
Amelie Koran is a nonresident senior fellow at the Cyber Statecraft Initiative and the current director of external technology partnerships for Electronic Arts, Inc. Koran has a wide and varied background of nearly thirty years of professional experience in technology and leadership in the public and private sectors. During her career, she has supported work across various government agencies and programs including the US Department of the Interior, Treasury Department, and the Office of the Inspector General in the Department of Health and Human Services. In the private sector, she has held various roles including those at the Walt Disney Company, Splunk, Constellation Energy (now Exelon), Mandiant, and Xerox.
Will Loomis is an associate director with the Cyber Statecraft Initiative. In this role, he manages a wide range of projects at the nexus of geopolitics and national security with cyberspace.
Wendy Nather is a nonresident senior fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and leads the Advisory CISO team at Cisco. She was previously research director at the Retail Information Sharing and Analysis Center, where she was responsible for advancing the state of resources and knowledge to help organizations defend their infrastructure from attackers. Nather was also research director of the Information Security Practice at independent analyst firm 451 Research, covering the security industry in areas such as application security, threat intelligence, security services, and other emerging technologies. She is an advisory board member for the RSA Conference, and serves on the advisory board for Sightline Security, an organization that helps provide free security assessment services to nonprofit groups. Nather is a senior cybersecurity fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin, and is based in Austin, Texas.
Katie Nickels is the director of intelligence for Red Canary as well as a SANS certified instructor for FOR578: Cyber Threat Intelligence and a nonresident senior fellow for the Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the US Department of Defense, MITRE, Raytheon, and ManTech.
Marc Rogers is currently CTO for nbhd.ai. He formerly worked at Okta, Cloudflare, Lookout, and Vectra. Rogers is a well-known security researcher (Tesla Model S, TouchID, Google Glass), senior advisor to IST, a member of the Ransomware Taskforce, and co-founder of the CTI League.
Stewart Scott is an associate director with the Cyber Statecraft Initiative. He works on the Initiative’s Systems Security portfolio, which focuses on software supply chain risk management and open source software security policy.
Maggie Smith is a nonresident senior fellow at the Cyber Statecraft Initiative of the Atlantic Council’s Digital Forensic Research Lab, where her research interests are focused on social media and the effects of disinformation campaigns as a national-security challenge and the geopolitics of military cyberspace operations. Smith is graduate faculty at the University of Maryland, College Park and teaches courses on near-peer and strategic competition for the Terrorism Studies program that investigates the geopolitics of the modern world and the tensions and relationships that shape state behavior, conflict, competition, and cooperation. Finally, Smith directs the Cyber Project for the Irregular Warfare Initiative, serving as the editor and curator of the organization’s cyber-focused content.
Bobbie Stempfley is a nonresident senior fellow for the Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab) at the Atlantic Council and serves as a vice president and business unit security officer at Dell Technologies. She is a leader in the field of security and the use of technology to support the public’s interests. In her over twenty years of public service at DOD, DHS, CMU, and now at Dell Technologies, she has focused on strategy and driving transformation in organizations, allowing her to develop an understanding of the exquisite possibilities at the crossroads of strategy, policy and technology. She serves on the board of the Center for Internet Security. Her passion is in increasing resilience through diversity and collaboration. She has a B.S. in engineering mathematics from the University of Arizona and an M.S. in computer science from James Madison.
Chris Wysopal is the co-founder and CTO of Veracode, an application security technology provider for software developers. He was one of the original software vulnerability researchers in the 1990s. He has testified in Congress on the topic of government cybersecurity.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.