April 03, 2023
The Biden Administration’s Updated National Cybersecurity Strategy
On March 2 – one week before release of President Biden’s FY24 Budget – the Administration unveiled a long-awaited National Cybersecurity Strategy (NCS). The 39-page strategy bridges public and private sector equities, includes a heavy emphasis on international coalitions, and is designed to, “secure the full benefits of a safe and secure digital ecosystem for all Americans.” The framework seeks to ensure that both the US and the globally interdependent digital ecosystem is defensible, resilient, and aligned with America’s, “most cherished values.”
When considered alongside the FY24 Budget, the NCS represents a comprehensive and expansive cybersecurity roadmap with increased investments in several new areas.
MAJOR NCS COMPONENTS
While this represents the Administration’s first cybersecurity strategy, it builds upon several executive actions already taken, including the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).
The strategy has five collaborative pillars.
Pillar I – Defending critical infrastructure (CI), ensure availability and resiliency by expanding the use of minimum cybersecurity requirements across sectors; enabling fast and scaled private-public collaborative efforts; modernizing and updating Federal networks and incident response policies.
Pillar 2 – Disrupt and Dismantle Threat Actors, disrupt adversaries by employing all tools of national power to “make malicious cyber actors incapable of threatening…the United States” and leveraging scalable partnerships with the private sector and international partners.
Pillar 3 – Shape Market Forces to Drive Security and Resilience, drive responsibility, risk-reduction, and trust across the digital ecosystem through the use of data privacy and security, promotion of secure software development practices, and new Federal investments that are secure and resilient.
Pillar 4 – Invest in a Resilient Future, lead the world in innovation of secure and resilient next-generation technologies and infrastructure through strategic and coordinated investments, reducing systemic vulnerabilities across the Internet, and prioritizing cybersecurity R&D for post-quantum encryption and other transformative technologies.
Pillar 5 – Forge International Partnerships to Pursue Shared Goals, leverage international coalitions among like-minded nations to counter threats, increase the capacity of our partners to defend themselves, and ensure a secure and trustworthy global supply chain for technology products and services.
Within these pillars, several newer areas of NCS emphasis stand out, including:
- Zero Trust principles and architectures are continually referenced throughout the strategy, highlighting alignment and emphasis on OMB’s Federal zero trust architecture.
- Quantum Computing and Quantum Resistant Cryptography technologies and investments are called out prominently for the first time in a national-level cybersecurity strategy, with a major objective being to, “Prepare for our Post-Quantum Future” via NSM-10.
- Clean energy technologies and “smart” energy generation are additionally emphasized throughout the strategy and aligned with the Administration’s broader objective to, “secure a clean energy.”
- Supply chains – the strategy stresses the importance of software supply chain risk mitigation, consistent with EO 14028, as well as more generally supply chains that produce information, communications, and operational technology products and services.
ALIGNING WITH FY24 INVESTMENTS
Biden’s FY24 Budget provides initial investment contours and detail for several key cybersecurity areas – most notably for the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. These requests build upon earlier multi-year IT and R&D investments.
DEPARTMENT OF DEFENSE
The DOD nested and related cyberspace strategic objectives are in three areas:
- Defend forward in the cyber domain to meet and disrupt advanced and persistent cyber adversaries.
- Accelerate the transition to Zero Trust as the next generation cybersecurity architecture across the Department.
- Increase defenses of U.S. critical infrastructure and secure defense industrial base partners against malicious cyber-attacks.
More than $13.5 billion is requested to support and advance cyberspace activities that include: operationalizing zero-trust to reduce attack surfaces and fortify networks; advancing next-generation encryption solutions and integration; defense industrial base cybersecurity resources and solutions via the Cybersecurity Maturity Model Certification and supply chain risk management.
Biden’s Budget would also fund an increase of five Cyber Mission Force teams (for a total of 147), and align full budget authorities and resources for the Joint Cyber Mission Force to U.S. Cyber Command. Related cybersecurity funding is also called out for and included within requests supporting advanced technology demonstrations, and weapons systems and supporting infrastructure.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
Although more modest, CISA’s budget request increases by $145 million for a total of $3.1 billion. Programs of note – and aligned with the National Cybersecurity Strategy – include:
- $1.8B for cybersecurity efforts to protect Federal civilian executive branch (FCEB) networks and partner with the State and local governments and the private sector to increase the security of critical networks;
- $493.1M for mission support activities;
- $244.5M for Integrated Operations to support and deliver CISA’s frontline, externally facing activities to ensure seamless and timely support to stakeholders to address critical needs;
- $177.6M for Infrastructure Security efforts to secure and increase resilience for critical infrastructure through risk management and collaboration with the critical infrastructure community;
- $144.5M for the National Risk Management Center to provide infrastructure consequence analysis, decision support, and modeling capabilities;
- $126.6M to ensure Emergency Communication interoperability and provide assistance and support to Federal, State, local, tribal, territorial (SLTT) stakeholders; and
- $85.5M for Stakeholder Engagement and Requirements to foster collaboration, coordination, and a culture of shared responsibility for national critical infrastructure risk management and resilience with Federal, SLTT, and private sector partners within the United States, as well as with our international partners abroad.
While Congress has consistently increased CISA funding above levels proposed by the Biden Administration, we expect increased budget scrutiny for CISA from the Republican-controlled House of Representatives.
Implementation of the National Cybersecurity Strategy is already underway. Agencies and Departments have begun providing justification for their FY24 budget requests to Capitol Hill and their respective authorizing and appropriations committees.
OMB continues to monitor cybersecurity implementations across agencies including newer sweeping directives such as NSM 10. These new mandates on Federal agencies are requiring inventories and vulnerability assessments to ensure modernization and could identify budget shortfalls that – at a minimum – spark debate on how best to apportion limited resources across the Federal government.
While we expect cybersecurity discussions and deliberations to be mostly bipartisan, final funding levels won’t be decided until after a bipartisan spending deal emerges late this year.