According to recent reporting, the Office of the National Cyber Director (ONCD) intends to issue an update to the national cybersecurity strategy implementation plan in the coming months. Published in 2023, the initial Implementation Plan set into motion how the federal government would regulate digital security. The document contained more than 65 initiatives to carry out the five pillars of the plan (defense of critical infrastructure, disruption of threat actors, shaping the market to drive resilience, investment, and international partnerships), to be executed over a period of time. However, the document was never intended to be cast in stone: implementation was expected to evolve, with revisions and new initiatives emerging as necessary, which makes sense given the dynamic nature of cyberspace. Addressing today at the expense of tomorrow has not turned out to be an effective strategy.
The federal chief information security officer acknowledged that the Implementation Plan update will begin the next “public facing series of commitments,” a diplomatic way of intimating that the government will start to corral the private sector to fall in line with a series of reforms. At a recent security conference, the deputy assistant national cyber director for cyber policy affirmed this, saying that companies can expect an update on software liability reform, with the intent of building a framework around software liability. Instrumental to making this goal happen is Congress drafting and passing legislation to “incentivize” companies to create software with more secure code. This legislation would allow customers to take legal action against software makers should they fail to design their software and products with the appropriate amount of security. Being able to hold these manufacturers liable for failing to do so would be the “stick” to ensure that they do the right thing. Companies that willingly adopt best practices (ostensibly government driven) would enjoy the “carrot” and avoid legal action in the future.
The deputy also asserted that the Administration sought regulatory harmonization across critical infrastructure sectors, a notable endeavor given the volume of cybersecurity regulations and standards to which entities in those sectors must adhere. In July 2023, the ONCD sent out a request for industry insight on some of the challenges of regulatory overlap and the possibilities of regulatory reciprocity and compliance. On its face, it is difficult to argue against this goal, especially if it can eliminate duplicative bureaucratic efforts and technologies and streamline processes to be more cost effective and efficient. But given the number of organizations falling under the 16 identified critical infrastructure sectors, and the breadth of the topics that need to be addressed (e.g., auditing, breach reporting), the effort is not only ambitious but would be exceedingly time consuming, taking several years at the very least and spanning the tenures of several Administrations. This may prove to be an even bigger challenge.
But as the update of the Implementation Plan comes closer to publication, there is a growing concern that the regulatory reform, while good on paper, may not be practical and may even be detrimental to cybersecurity. One argument that has some merit is the fear that prioritizing security in products will invariably affect the pace of product development, as well as competition in the market. Simply put, companies will have to be willing to take a hit on potential profit to make sure they have complied with security standards. On one hand, the current cyber threat landscape is indicative of what happens when smart people take advantage of faulty product design. It has favored nefarious activities and has put defenders consistently behind more agile foes that need only look for vulnerabilities to achieve their goals. On the other hand, given the push from both governments and industry to be a consistent cutting-edge leader in emerging technologies on the global stage against competitors like China, slowing down development in key areas like Artificial Intelligence, Green technology, and Quantum Computing would seem contrary to winning the technology race, as well as the marketplace.
One critic of the harmonization correctly points out the potential for information overload – something government agencies have not been able to handle in the past. While some suggest that mandatory reporting is essential for better insight into the cyber threat landscape, it can also achieve the opposite effect, producing contradictory and conflicting data points that fog understanding rather than clarify it. The critic points to the proposed Federal Acquisition Rule that would require companies with government contracts to report potential incidents within eight hours. With approximately 94,000 companies falling under this rubric, potential victims could pass along thousands of “possible” incidents on their networks every day. The Cybersecurity and Infrastructure Security Agency (or whoever is deemed the steward of this reporting) would be hard pressed to synthesize, process, and distill the data into usable, helpful information in any reasonable amount of time.
There is no question that the Biden Administration has invested substantial time in the cybersecurity issue, a welcome change from previous administrations that tended to give cyber an obligatory nod. A lot has been accomplished a year into the National Cybersecurity Strategy. Per the new National Cyber Director, progress has been made on 69 initiatives of the first iteration of the National Cybersecurity Strategy’s Implementation Plan, with 20 tasks having been completed. This imparts confidence, though the hardest parts of the Plan have yet to be addressed. How Implementation Plan 2.0 is executed and received may be the true test before the Administration. Harmonization is a good thing. But it will unquestionably be one of the biggest hurdles to get over. This is where the government and industry need to invest substantial time in hammering out the framework for the critical infrastructure sectors. It will require finding common areas of agreement and making concessions where necessary. That is usually where problems arise, and progress tends to get caught in a bureaucratic quagmire.
The amount of work that needs to be accomplished will likely extend past the current Administration and into the tenures of future presidents, should they choose to pursue it. Therefore, it is paramount that industry and government are in accord at the start, which is why any initial framework must be created in complete concert with, and with the buy-in of, all stakeholders. Otherwise, the effort will languish incomplete, with the government touting minor accomplishments as significant steps while the real goals remain unfulfilled.