This is the first iteration of the Implementation Plan, which is a living document that will be updated annually.

US National Cybersecurity Strategy Implementation Plan, July 2023

We should be seeing the annual update, Version 2.0, of the Implementation Plan this summer. The major change, or improvement, that is needed is to have a sizable percentage of the initiatives be measured by risk or consequence reduction, not by activity.

The 2023 updated US National Cybersecurity Strategy and corresponding Implementation Plan received a generally positive response. There were some things to like about the 65 initiatives in the Implementation Plan:

  • Each initiative was assigned to a responsible agency (e.g. ONCD, CISA, NSC, NIST, etc.)
  • Each initiative had a completion date
  • To a lesser extent, the success of each initiative could be measured

My criticism, and I didn’t hear this from many others, is that the majority of the 65 initiatives generate government activity and are only loosely tied to progress in reducing cyber risk (in OT and elsewhere). Put another way, the US Government could bat 1.000, succeed in all 65 initiatives, and make little progress on addressing the purpose of the strategy.

This is easily seen in the wording of the initiatives:

  • Establish an initiative
  • Investigate opportunities
  • Evaluate
  • Publish documents
  • Identify mechanisms
  • Explore approaches

This could be excused as the necessary starting point for a multi-year plan, except the Biden Administration has been working on these issues for three years, previous administrations for even longer, and the Cyberspace Solarium Commission had the same issue. Over two-thirds of the 80 Cyberspace Solarium Commission recommendations involved setting up the US Government to work on the cyber risk issue.

Let’s be charitable and say Version 1.0 was a necessary reset. Version 2.0 should be judged on initiatives that:

  1. Have an output, a deliverable, that is expected to reduce cyber risk or the consequence of cyber incidents.
  2. Include a metric tied to the reduction of cyber risk or actual consequences to evaluate if the initiative is effective.

It would be too much to expect all Version 2.0 initiatives to meet these two criteria, and we have to start somewhere. It would be a failure if we see Version 1.0 be viewed as a success because a bunch of activity took place and Version 2.0 defines another set of initiatives that will be measured by activity rather than the desired results that drove the need for a strategy.

Let’s take it a step further. It would be a failure if some of the 65 initiatives in Version 1.0 were not evaluated as a failure. Something like, we thought this would be the right approach, we were proven wrong as evidenced by x, y and z, and we learned the following.

See my interview with Brian Scott, Deputy Assistant National Cyber Director for Cyber Policy and Programs at ONCD, Office of the National Cyber Director, on the National Cybersecurity Strategy Implementation Plan.
