The National Cybersecurity Strategy Implementation Plan

By Andrew Martin

A shorter-form version of this article appeared on the OpenUK Blog

The National Cybersecurity Strategy Implementation Plan

The first annual iteration of the National Cybersecurity Strategy Implementation Plan has been released, detailing how the US government plans to achieve the goals previously outlined in 2021’s National Cybersecurity Strategy.

It drives two significant endeavours:

  • placing greater responsibility on “more capable actors in cyberspace” for cybersecurity
  • an impetus to shape market forces and incentives for “investments in long-term resilience”

The plan notes that successful implementation is contingent upon close collaboration amongst US entities and their international partners, and follows on from previous documents:

  • Executive Order 14028 on Improving the Nation’s Cybersecurity (May 12, 2021) โ€” new and enhanced cybersecurity standards for federal government agencies and their consumed commercial software, including provisions on zero trust architecture, software bill of materials (SBOMs), and supply chain security
  • National Security Memorandum 36 (NSM-36) (February 10, 2022) โ€” directing the federal government to take steps to improve the security of software supply chains, with further provisions on SBOMs, vulnerability disclosure, and risk management
  • Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01 (March 8, 2022) โ€” requiring federal agencies to implement SBOMs for all software used in their systems

The plan is divided into five pillars, with 27 subordinate Strategic Objectives and 65 Initiatives:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The headline initiatives of especial interest to OpenUK look to:

  • Enhance software security through memory safe languages, secure-by-default and secure-by-design patterns, and software supply chain security initiatives
  • Enhance network security through BGP, DNS, IPv6, and post-quantum cypher upgrades for TLS and cryptographic applications for national and critical infrastructure
  • Instigate liability and penalties for producers of non-compliant and unpatched software, and a continued push for SBOMs for government suppliers
  • Amplify collaboration within the US and alongside international partners, especially in incident detection and response, and defensive operations
  • Establish supply chain resilience for software and hardware, and start an IOT insecurity labelling system
  • Pressure IaaS providers and foreign nations to prevent threat actors on their platforms, proactively monitoring for and preventing hostile use of their infrastructure
  • Attack and dismantle rogue threat actors, especially in the state-affiliated ransomware space

While the report considers underwriting insurance for catastrophic cyber events, it does not specifically discuss current plans around insuring open source software. This need must be considered as a whole with the White Houseโ€™s earlier policy which talks about a shift away from end-user liability, which would be a shift from the status quo through regulation and which is an important consideration in the overall picture. Currently, we have a principles-based approach where the end user chooses software as a tool and is accountable for its curation and with open source software which is distributed free without liability it sits with the end user.

If this scenario becomes a reality it will be a problematic shift for any business which sells services around open source software. Any small businesses monetising the freely distributed open source software by providing services will suffer the absolute requirement to shoulder any liability in order to continue selling those services. The mega companies selling open source can self-insure, if such insurance is available in the market. But the cost of insurance for community-created or collaborative open source software (which in all cases is distributed without liability) means that the risk would be entirely borne by any organisation monetising their contributions. Without some level of government support, that crippling potential liability would inhibit innovation and competition in the software marketplace.

ControlPlane CEO and OpenUK CISO Andrew Martin comments:

We welcome the focus on the hardening of fundamental internet-scale protocols, a continued threat vector for the mass harvesting of traffic and metadata, as well as the continued attention on memory-safe runtimes and software supply chain security. We expect that the addition of legal incentives for US government suppliers to produce secure software to expand to healthcare, and eventually all producers of software.

Requirements for secure-by-default and secure-by-design mesh with the realities of human computer interactions โ€” we are often the weakest link in the chain, and designing guardrails deep into system architectures helps to alleviate this risk. However cloud providers have so far been reticent to instigate these controls without a formal legal requirement, and there is some complexity in changing existing IaaS API defaults, so legislation and collaboration is required to push this goal forward.

The UK looks forward to continuing its relationship with partners in the US security industry, and contributing to an international strengthening of the landscape against malicious actors.โ€

Interesting Initiatives

Some of the further stand-out initiatives to OpenUK and ControlPlane include:

  • A legal symposium to address liability for insecure software products and services, with secure software providers shielded by future legislation
  • Requirements for US cloud and infrastructure providers to enhance detection of malicious activity by threat actors, and collaboration with international partners to dismantle cyber safe-havens
  • Public-private partnerships and design requirements for secure-by-design and secure-by-default hardware and software systems, to reshape the cyber landscape for greater security and resilience
  • Champion the adoption of memory safe programming languages (Rust, Golang et al), and open source software security, in applications, operating systems, and critical infrastructure
  • Promotion of Cybersecurity Supply Chain Risk Management (C-SCRM) best practices to suppliers nationally and internationally

    This dependency on critical foreign products and services from untrusted suppliers introduces multiple sources of systemic risk to our digital ecosystem. Mitigating this risk will require long-term, strategic collaboration between public and private sectors at home and abroad to rebalance global supply chains and make them more transparent, secure, resilient, and trustworthy.

  • Promotion of the ongoing development of SBOM and reflection on current gaps in scale and implementation, with a focus on widely used by unsupported software that may be present in critical infrastructure
  • New โ€œBlue Cellโ€ collaborative defensive operations, enabling rapid threat response by temporary units of dedicated trusted operators using virtual collaboration platforms
  • Internationally coordinated vulnerability disclosure to incentivise secure software development and reduce competitive disadvantage for responsible vendors
  • Identify best practices for cross-border supply chain management, shifting network and service supply chains to flow through trusted countries and vendors
  • A study on the European Cybercrime Centre to inform the development of future cyber hubs, and future partnerships in other regions
  • Enhanced national and foundational Internet-scale network security through the existing zero trust mandate, and deployment of secure BGP, DNS, and IPv6 protocol variants and extensions, with public and private sector collaboration critical to success

    The Internet 1s critical to our future but retains the fundamental structure of its past. … We must take steps to mitigate the most urgent of these pervasive concerns such as Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and the slow adoption of IPv6… Preserving and extending the open, free, global, interoperable, reliable, and secure Internet requires sustained engagement in standards development processes to instil our values and ensure that technical standards produce technologies that are more secure and resilient.

  • Standardisation, and future widespread adoption, of quantum-resistant cryptography, and steps to ensure cryptographic agility in the face of unknown future risks

    The National Institute of Standards and Technology will finalise its process to solicit, evaluate, and standardise one or more quantum-resistant public-key cryptographic algorithms. New public-key cryptography standards will specify one or more additional unclassified, publicly-disclosed digital signature, public-key encryption, and key-establishment algorithms that are available worldwide, and are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.

  • Advancing common cybersecurity interests with other international partners through threat detection, best practices, secure-by-design, policy, investment, and incident response activities, facilitated by an International Cyberspace and Digital Policy Strategy, Federal law enforcement, and an enhanced ability to help allies and partners

…the United States will work to scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community. We will expand coalitions, collaboratively disrupt transnational criminals and other malicious cyber actors, build the capacity of our international allies and partners, reinforce the applicability of existing international law to state behaviour in cyberspace, uphold globally accepted and voluntary norms of responsible state behaviour in peacetime, and punish those that engage in disruptive, destructive, or destabilising malicious cyber activity.

We must enable our allies and partners to secure critical infrastructure networks, build effective incident detection and response capabilities, share cyber threat information, pursue diplomatic collaboration, build law enforcement capacity…and support our shared interests in cyberspace by adhering to international law and reinforcing norms of responsible state behaviour.

Summary of Further Initiatives

The rest of the document is wide ranging and ambitious, but provides a solid foundation upon which to build a generation of secure, low-carbon, and collaborative systems:

  • Publication of an updated DoD Cyber Strategy and critical infrastructure requirements under NIST CSF 2.0, in collaboration with CISA, including secure-by-design principles
  • Faster reporting and notification of breaches and threats to critical infrastructure owners and operators, with a review of current clearance and intelligence access requirements
  • Disruption of ransomware and other cybercrimes, both federally, in the private sector, and internationally, and addressing the abuse of virtual currency, under the Joint Ransomware Task Force (JRTF)
  • Anti-money laundering and financing of terrorism standards (AML/CFT) with international assistance to low-capacity countries
  • Breach and ransomware attack training, unified incident response and reporting, and tabletop exercise scenarios to simulate and prepare
  • A new Cyber Safety Review Board (CSRB) under the DHS to review significant incidents
  • Information sharing between departments and a maturity model to asses by
  • IOT security standards and a security labelling program
  • Funding and federal grants for cybersecurity research and infrastructure security, including cyber economics, human factors, and information integrity
  • Pursuit of vendors that knowingly do not comply with cybersecurity requirements in Federal contracts
  • Consider underwriting insurance for catastrophic cyber events
  • Integrate cybersecurity efforts with decarbonisation goals and finops principles, to secure the clean energy grid of the future
  • Education strategies to support the next generation of the cyber workforce
  • Hold irresponsible nation states accountable for failure to uphold commitments, below the threshold of armed conflict, through statements of condemnation and imposition of meaningful consequences
  • A $1.5bn Public Wireless Supply Chain Innovation Fund for open and interoperable networks

    The Department of State will further accelerate these efforts through the new International Technology Security and Innovation Fund to support the creation of secure and diverse supply chains for semiconductors and telecommunications.

  • Security reviews and security modernisation of Federal Civilian Executive Branch (FCEB) systems, including software supply chain risk management
  • And a systemic review of the entire strategy to assess efficacy

We build and secure zero trust platforms

Learn More