What do industry and cybersecurity experts want in the upcoming national cyber strategy?
The White House has been working with a range of industry stakeholders and cybersecurity experts on a forthcoming plan that could transform America’s cyber landscape. Here’s what they hope makes it into the new strategy.
The Office of the National Cyber Director, the federal agency tasked with advising the White House on cyber issues, didn't even exist when the last national cybersecurity strategy was released under former President Donald Trump in 2018.
Now, the office and its director, Chris Inglis, will soon be tasked with spearheading the implementation of a new, forthcoming cyber strategy – one that could dramatically transform the digital landscape and America's cybersecurity posture.
Inglis has said that ONCD worked in close collaboration with federal agencies, industry partners and key stakeholders while developing the plans that are due to be released in the coming days, though it may take a few months to finalize the official strategy.
The director also said at a conference last month that the plan will address market forces and push cyber regulation "a bit further, as we have for cars," with the strategy aiming to promote "affirmative intentionality."
While the previous administration has been criticized over a confusing legacy of cyber policies, Inglis’ office appears determined to produce a unified strategy around cybersecurity, one that improves public-private collaboration and information-sharing efforts, ensures federal coherence and aligns resources to increase cyber resilience.
But Inglis has noted that making the strategy a success will take a holistic approach and strong investment from industry stakeholders and other White House partners.
Intentionality was a primary reason Congress authorized the establishment of the ONCD, according to Josh Brodbent, regional vice president of solutions engineering at BeyondTrust and Industry Chair of the ATARC Zero Trust Working Group.
“Historically, misalignment and disorganization have been systemic challenges for the government,” Brodbent said. “Deliberate cybersecurity practices demand collaboration to avoid challenges due to a lack of intentionality.”
Ross Nodurft, executive director of the Alliance for Digital Innovation and a former head of the Office of Management and Budget's cyber team, told FCW that the ONCD's engagement with industry and stakeholders has been appreciated. Nodurft’s organization has encouraged ONCD to aim towards "harmonizing the regulatory landscape to encourage security over compliance,” he added.
Nodurft said ADI would like the strategy “to recognize the intrinsic security value that modernizing information technology brings to any organization," adding that adopting cloud-based technology "that embraces a zero trust architecture can be the fastest way to improve security across any enterprise.”
ONCD prioritized stakeholder engagement as one of its top lines of effort in a statement of strategic intent after the office was established through the fiscal year 2021 National Defense Authorization Act.
The document also emphasized cultivating more secure supply chains and critical infrastructure sectors through improved planning and incident response, budget reviews and assessments of federal cyber resources, in addition to expanded collaboration with the public and private sectors on technology and ecosystem security.
The White House has meanwhile continued to release a wave of guidance for agencies to bolster their cyber posture and improve overall security efforts, including a federal zero trust architecture strategy and an earlier executive order on improving the nation's cybersecurity.
With limited resources and an ever-expanding grab bag of cybersecurity challenges to choose from, federal agencies run the gamut in terms of their overall cybersecurity posture and maturity in their approaches to things like a zero trust architecture (ZTA) framework.
Lena Smart, chief information security officer of the developer data platform MongoDB, told FCW “a unified national strategy would be a show of strength in terms of bringing together expertise from government agencies and having one plan to follow, rather than a disjointed disparate melange of mini-projects all destined for failure.”
Smart also added that ONCD has an opportunity with the strategy to promote software bills of materials (SBOMs), which essentially serve as inventory lists for software products, but their use could be stifled without expanded information sharing.
“As of now, there isn’t a central repository for data to be stored and shared,” she noted. “SBOMs are a great requirement and will definitely help limit the damage that another Log4J event could cause, but if there isn’t a streamlined process where all agencies and FedRAMP-authorized vendors can submit and peruse SBOMs, then that is an opportunity for excellence lost.”
Officials have previously called on the Cybersecurity and Infrastructure Security Agency to oversee a central repository for SBOMs. Amy Hamilton, senior cybersecurity advisor for the Department of Energy, testified in November that it will be an "extraordinarily intensive" challenge for agencies to utilize SBOMs without a central repository.
Asked to comment on the forthcoming strategy, a representative for CISA referred FCW to the White House. ONCD and the White House have declined to provide a specific timeline for the release or finalization of the national cybersecurity strategy.
Davis Hake, whose cyber insurance company Resilience has participated in discussions with the White House to help build the forthcoming strategy – including last year's White House cybersecurity summit – said the guidance should also "prioritize efforts to fight ransomware collaboratively through information sharing on actionable intelligence."
"Issues that were small nuisances several years ago, like ransomware, are now Main Street problems faced by a range of US businesses," he said. "On the other end of the spectrum, geopolitical conflicts like the war in Ukraine have the potential for grave consequences to our national critical infrastructure."
Davis added that the strategy "should be a risk management guide for how we build resilience in our digital infrastructure in spite of new and unexpected threats."