U.S. Sets Cybersecurity Goals Through 2026

The Biden administration published Thursday a step-by-step plan on how it aims to enact its national cybersecurity strategy through 2026, including short time frames for putting into effect some key planks of cyber policy.

The strategy, published in March, outlined an exhaustive list of cybersecurity priorities, covering domestic concerns such as critical infrastructure protection through to international affairs, in which it proposed collaborative efforts to combat cybercrime. Thursday’s deployment plan lays out which agency the White House has assigned to lead specific tasks and the time by which they should be completed.

“If this strategy represents the President’s vision for the future, then this implementation plan is a road map to get there,” Kemba Walden, the acting national cyber director, said on a call with reporters Wednesday.

The plan encompasses the business sector, besides federal agencies. The 16 sectors designated as critical infrastructure by the U.S. government are largely operated by the private sector in areas such as healthcare, financial services, energy and manufacturing. 

At the same time, businesses will be expected to meet new standards set by federal agencies. The Securities and Exchange Commission, for example, is preparing a raft of rules that will impose incident-reporting requirements on listed companies. These rules are also intended to scrutinize board oversight of cyber risk. The Federal Trade Commission and the Food and Drug Administration also want to flex their muscles in privacy enforcement and medical device security. 

Of major concern to businesses are potentially overlapping and perhaps conflicting rules from the White House and regulators that might require different processes and timelines to satisfy. The Cybersecurity and Infrastructure Security Agency is due to issue final rules for incident reporting by critical infrastructure operators by late 2025.

Elsewhere, the Justice Department is working on legislative proposals for cross-border cooperation in disrupting cybercrime. Some proposals have been sent to Congress, a senior administration official said on Wednesday’s call.

Other parts of the plan are completed or nearly so, Walden said. They include the development of a cyber workforce strategy and legislative proposals to bestow the Cyber Safety Review Board with legal authority to investigate significant cyberattacks, both of which are due this quarter. The board is a federal project that includes private-sector participants.

“I acknowledge that we’re aggressive, but I know we’re able to move fast in this office,” Walden said.

Walden said she expects the private sector to weigh in on the development of the plan’s particulars. For example, the office of the national cyber director is planning a conference for the second quarter of 2024 on developing a software liability framework. Walden’s office wants to hold software makers liable for security problems in their products, which has caused unease among tech companies. The conference will bring in people from academia and “civil society.”


The national cyber director’s office also plans to establish an open-source software security working group by early next year designed to “raise the security baseline” of that sector. The disclosure of a vulnerability in the open-source Log4j program, which is widely used in commercial software, prompted a scramble to patch the flaw over the 2021 Christmas holidays, and sharpened the government’s focus on the issue of open-source security.

A government push for tech companies to build more secure products will help curb supply-chain cyberattacks, said Suzie Squier, president of the Retail and Hospitality Information Sharing and Analysis Center, a nonprofit that aids companies in the sector in exchanging details about cyber threats.

Prominent supply-chain attacks, such as the recent compromise of several file-sharing services, often start by exploiting flaws in software. Squier said the industry supports plans to improve software security, in part to avoid stressful rushes to deal with vulnerabilities in the future.

“Whatever we can do so we’re not all dealing with Log4j,” she said.

The government’s plan is ambitious and will bolster cyber guidance that public agencies provide to companies, said Steven Silberstein, chief executive of the Financial Services Information Sharing and Analysis Center.


Mike Gallagher

(R., Wis.) and Sen.

Angus King

(I., Maine), who co-chaired the influential, now disbanded Cyberspace Solarium Commission that helped reshape U.S. cyber policy, said they would like to see an annual implementation plan and strict deadlines. 

“If there is anything that we have learned about government over the last 20 years, it is that ‘execution is as important as vision,’ and that strategic plans pertaining to cybersecurity that are not properly implemented are destined to fail,” the two lawmakers said in a joint statement. 

Walden said the plan is designed to evolve, and that annual iterations will be released.

Write to James Rundle at [email protected] and Catherine Stupp at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.