The 69-step plan from the White House to implement its broad cybersecurity strategy assigns more than a dozen federal agencies specific deadlines with the goal of protecting the nation through aggressive regulation.
The implementation plan, announced late last week by acting National Cyber Director Kemba Walden, spells out how the White House National Cybersecurity Strategy released in March would be carried out to protect critical infrastructure like water and power plants.
That strategy calls for large public and private sector entities to take on a greater responsibility to reduce risks, while offering incentives to boost investment in long-term cybersecurity measures.
Publishing the step-by-step implementation plan is intended to “ensure accountability,” Walden said at an event hosted by ITI, a technology trade group. It is also intended to ensure that the “federal government, one of the more capable actors in the cyber ecosystem, is practicing what we preach,” she said. The plan will be updated annually based on feedback from agencies and companies, Walden said.
Key House Republicans were generally supportive of the goal, but raised concerns the plan would impose more burdens on private companies that operate critical infrastructure facilities.
“We remain steadfast in our belief that the Biden administration must streamline existing regulations while working with the private sector to identify new opportunities for partnership rather than punishment,” Reps. Mark E. Green, R-Tenn., and Andrew Garbarino, R-N.Y., said in a statement.
Green is chairman of the House Homeland Security Committee, and Garbarino is chairman of the Cybersecurity and Infrastructure Protection Subcommittee.
“Implementation of this strategy must be a collaborative process that aims to ease regulatory burden while maintaining strong cybersecurity practices,” they said. “We intend to exercise strict oversight on CISA’s efforts as the responsible agency for at least 10 initiatives and a contributing entity to at least 19 initiatives, as it continues to execute its federal cybersecurity and critical infrastructure resilience mission,” they said, referring to the Cybersecurity and Infrastructure Security Agency.
The plan calls for the Office of the National Cyber Director and the Office of Management and Budget to work with federal agencies to develop, by the end of December, a uniform set of regulations for operators of critical infrastructure facilities.
The Department of Homeland Security identifies 16 sectors as critical, including chemical, water, and waste processing plants; financial services; health care facilities; and utilities operated by private companies.
The plan says the “federal government will use existing authorities to set necessary cybersecurity requirements” in those critical sectors. And in cases where agencies lack statutory authority to impose minimum requirements, the administration “will work with Congress to close them.”
The Biden administration already has run into opposition in trying to use existing authorities to impose cybersecurity requirements on private companies. The 8th U.S. Circuit Court of Appeals last week granted a stay of the EPA’s March order directing states to assess cyber defense practices of water systems as part of regular sanitation surveys.
The order was challenged by Arkansas’ attorney general and the American Water Works Association, a group that represents water utilities, among others. The EPA cited powers under the Safe Drinking Water Act as the basis for its regulation.
Specific roles
The White House plan calls on CISA to deepen public-private partnerships to drive development and adoption of “software and hardware that is secure-by-design and secure-by-default.”
CISA has published a guide calling on software and hardware developers to prioritize security instead of shifting that burden to users. The agency has said developers should “pride themselves” on producing secure products in addition to being the first to market.
The White House Office of the National Cyber Director will work with academics and civil society groups to develop an outline of how to shift liability for insecure software on to companies that develop them.
“The administration will work with Congress and the private sector to develop legislation establishing a liability regime for software products and services,” the plan says.
The administration also plans to explore ways to create a federal insurance system in “response to catastrophic cyber events that would support the existing cyber insurance market.”
The BSA Software Alliance, an industry trade group that represents Cisco, Oracle, Microsoft and others, welcomed the plan while calling for a collaborative effort.
“The implementation plan will be most effective if it ensures that industry stakeholders responsible for developing cybersecurity technologies have a seat at the table,” Henry Young, BSA’s director of policy, said in a statement.
The discussions between the administration and the software companies should focus on “providing a safe harbor for those organizations that have demonstrated their commitment to using best practices for secure software development,” Young said.
The plan also calls on CISA to figure out whether federal agencies that oversee private companies are adequately sharing cybersecurity information and whether the agencies are collaborating with each other on best practices.
To disrupt the hacking done by other countries, the Pentagon would have to draw up an updated cyber strategy by the end of fiscal 2025 that focuses on “challenges posed by nation-states and other malicious actors” that pose strategic threats to the United States and its interests.
The Justice Department is directed to “increase the volume and speed” of efforts to disrupt cybercriminals, nation-states and others that attack U.S. networks.
The Commerce Department is directed to propose rules to ensure that the U.S.-based providers of computer infrastructure such as cloud services are not used by criminals and others to attack U.S. companies and agencies.
In addition to boosting domestic cybersecurity efforts, the plan also calls for greater international cooperation with allies to crack down on cyber criminals as well as promote development of secure software.
The State Department is tasked with publishing an international cyber and digital policy strategy that includes bilateral and multilateral activities. The FBI is asked to expand its collaboration with law enforcement agencies from allied nations to “increase the volume and speed of international law enforcement’s disruption campaigns against cyber criminals and nation-states.”
