From implementing the National Cybersecurity Strategy to issuing broad-sweeping software security guidelines, boosting the nation’s cyber posture was top of mind for the Biden administration in 2023.
As we reflect on the past year, here are some of the top 2023 cybersecurity moments – in no particular order – that you should care about as we head into 2024.
National Cybersecurity Strategy
The Biden administration released its much-anticipated National Cybersecurity Strategy (NCS) in March, harnessing the full power of the Federal government to promote better security, and wrapping private sector interests more fully into the effort.
The strategy features multiple focus points including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
Implementation of the strategy is underway under the coordination of the Office of the National Cyber Director (ONCD), which produced the plan. Notably, ONCD also published marching orders in July to implement the NCS. The implementation plan lays out 69 “high-impact” initiatives tasked to 18 separate Federal agencies, with a timeline for completion.
Overall, this strategy signaled a major change toward shifting the security and regulatory burden from users to providers.
National Cyber Workforce and Education Strategy
Similarly, the White House issued another major strategy this year that aims to help fill the hundreds of thousands of existing cyber job vacancies. ONCD issued the National Cyber Workforce and Education Strategy in July, securing commitments from 37 stakeholders – like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Veterans Affairs (VA) – to increase the number of Americans in “good-paying, middle-class” cyber jobs.
The strategy is a first-of-its-kind comprehensive approach aimed at addressing both immediate and long-term cyber workforce needs.
The strategy emphasizes that cyber skills must become universal – like reading and math – and defines foundational cyber skills as consisting of three components: digital literacy, digital resilience, and computational literacy.
The White House noted this will be an ongoing effort. The Deputy National Cyber Director for Technology and Ecosystem Security, Camille Stewart Gloster, told reporters, “I want to reiterate that this is the beginning of the journey. This strategy articulates a bold vision, and we recognize that there are tasks in there in the short and the long term to accomplish that bold vision.”
National Cyber Director
This year marked the departure of one national cyber director and the arrival of another. Chris Inglis, the White House’s inaugural national cyber director, stepped down from his post in February.
Kemba Walden immediately stepped in as acting national cyber director but withdrew her name from consideration for the permanent position in July. Walden had support from important advocates on Capitol Hill, but reports noted that concerns about the debt levels of Walden and her husband could be a complicating factor in a nomination that needs Senate approval.
Then came Harry Coker. President Biden nominated Coker – a former National Security Agency (NSA) and CIA official – at the end of July. Just this month, the Senate confirmed Coker to serve as the nation’s second permanent national cyber director on a vote of 59-40.
Next year, Coker will continue Walden’s work on the National Cybersecurity Strategy and the strategy’s implementation plan.
CISA’s Secure-by-Design Guidelines
In April, the Cybersecurity and Infrastructure Security Agency (CISA) published its secure-by-design and secure-by-default guidelines, which aim to outline clear steps that technology providers can take to increase the safety of products used around the world.
At their core, the guidelines strive to keep Americans safe in today’s technology ecosystem by putting more responsibility on the technology manufacturer instead of the user.
CISA updated the guidelines in October, incorporating feedback from hundreds of individuals, companies, and nonprofits. The agency issued a formal request for information (RFI) on the updated guidelines this month to get even more feedback.
CISA is encouraging technology manufacturers and all interested stakeholders to review the RFI and submit comments by Feb. 20, 2024. A third update could be in store for 2024.
FITARA’s Evolving Cyber Metrics
This year’s release of the 16th edition of the FITARA Scorecard marked a departure from the usual procedure, in which the House Oversight and Reform Committee releases the scorecard and then its government technology-focused subcommittee holds a formal hearing to discuss the results.
Instead, the office of Rep. Gerry Connolly, D-Va., ranking member of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation, released the scorecard and held a roundtable to discuss it.
At the roundtable event, agency tech leaders offered suggestions for improvements – particularly in how agencies are graded for cybersecurity. Notably, the majority of agencies received a “C” or a “D” score for cybersecurity, with only the Nuclear Regulatory Commission receiving an “A.”
Both government and industry leaders are hopeful that the FITARA 17.0 Scorecard will require agencies to provide evidence of their progress in reducing cyber risk.
Happy Holidays from MeriTalk! We wish you a cyber-safe and secure holiday season and can’t wait to see what 2024 brings.