White House Touts Cyber Strategy Implementation Successes

Two weeks after releasing the second version of the National Cybersecurity Strategy Implementation Plan, National Cyber Director Harry Coker touted government agencies’ achieving many of the goals outlined in the first version of the plan.

“The federal government was responsible for completing 36 initiatives led by 14 agencies by the second quarter of 2024. Thirty three were completed on time. For those of you doing the math, that’s 92%,” Coker said during Auburn University’s McCrary Institute’s White House National Cybersecurity Conference Wednesday.

Coker said an additional 33 action items were added in the second version of the plan and are on track to be completed on time. Before the release of the plan, President Biden signed National Security Memorandum 22 and released the fiscal year 2025 budget. With these initiatives, Coker said the White House has a holistic approach to tackling cybersecurity concerns.

“These documents all reflect a coherent approach to our efforts to build cyber resilience into our nation’s critical infrastructure. They complement and build off each other reflecting policy, resourcing and action that we’re taking together,” Coker said.

The plan also focuses on more partnerships with agencies, industry and international partners to target policy gaps. Coker cited the critical need for the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Safety Review Board (CSRB) as part of the administration’s efforts to strengthen cybersecurity. The board, a public-private partnership between government and industry experts, reviews cyber incidents by conducting root cause analysis and provides recommendations to prevent and reduce future incidents.

With the help of this board, federal agencies will lead by example when it comes to addressing cybersecurity threats, Coker said. The board reviewed the use of open-source software after the Logj4 event in 2021. CSRB also released its findings of attacks associated with Lapsus$ showing the use of juveniles to avert consequences from adult cybercriminals.

The new plan assigns the Department of Justice with tasks to tackle juvenile cybercrime offenders.

“We need to give kids a path to move away from these criminals, and I look forward to seeing DOJ’s progress as they act on this recommendation,” Coker said.

Coker’s office will also partner with CISA and National Institute of Standards and Technology (NIST) to create an open-source software security risk assessment center. The center would help government agencies understand code and create best practices through the implementation plan.

Cherilyn Pascoe, director of the National Cybersecurity Center of Excellence at NIST, said her agency has priorities that align with the cybersecurity implementation strategy. The center will work with organizations to migrate to the new post-quantum cryptography standards that NIST is set to release this summer with the help of vendors and financial institutions.

“We have to understand what the cybersecurity challenges that industry faces, the critical infrastructure pieces, so that we can then work with them and work with experts around the world to build the best technical solution that we hope that they will implement,” Pascoe said.

Assistant National Cyber Director for Cyber Policy and Programs Nicholas Leiserson reiterated the White House’s strategy that puts more onus of cybersecurity on industry and encouraged use of CISA’s Secure by Design initiative.

“Cybersecurity will always be a responsibility. If you’re in critical infrastructure, you always have some responsibility for that,” Leiserson said. “But we as the government, we as capable actors in this ecosystem and technology providers need to do a better job of scoping that responsibility.”

Leiserson and Pascoe emphasized that the future of cybersecurity will include “digital solidarity” with international partners. This aligns with developments at the State Department, which launched an international cyberspace and digital policy plan emphasizing cyber diplomacy.

“We’ve done a lot of great work with the [State Department] to kind of talk to other foreign governments. They’ve picked up the cybersecurity framework for their own uses within their own regulations,” Pascoe said. “That focus on international harmonization is also a really big priority for us as we move forward.”