On July 13, 2023, the U.S. Government released the Implementation Plan for the National Cybersecurity Strategy, the roadmap that was published earlier in the year. While the National Cybersecurity Strategy was a product for all, the implementation plan is aimed at the federal agencies tasked with ensuring that its objectives move from concept to tangible result. As we consider the implementation plan, it is helpful to revisit what the original strategy said about roles, specifically for the U.S. Government: “Government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions to counter cyber threats.¹” The implementation plan is the “kick-off” for moving the government forward to execute on those stated roles.
Many in the cybersecurity and legal communities have been poring over the plan to understand its potential impacts. To be clear, the activities directed in this plan to implement the larger strategy are important steps that should improve many aspects of cybersecurity in the Federal government as well as in civil society. There are obvious near-term benefits such as enhanced partnering, better security in aspects of critical infrastructure, and more research and development dollars going to solve hard security problems.
With that in mind, what are the impacts to civil society and government if the plan works? We should consider that “collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions” will work by some measure, and if so, the impacts to the cybersecurity ecosystem could be profound.
Impacts – Short & Long Term (Public & Private)
In the plan, government entities are tasked with initiatives that should improve cybersecurity efforts inside and outside of the government. As an example, the mandate to secure critical infrastructure with updated frameworks, secure-by-design concepts, and the Cybersecurity and Infrastructure Security Agency’s (CISA) public/private collaboration efforts are all likely to benefit the broader landscape over time.
Additionally, the emphasis on and funding of cybersecurity-related research and development is a welcome sign, and those results should transition to civil society. If the plan is implemented effectively, there will be several ways the private sector can participate and partner with the government more. One example is interacting with and benefiting from a relationship with CISA. Corporate entities should take advantage of and engage in CISA’s efforts for outreach, notification, information sharing, and other collaboration.
There are also indicators in the strategy and implementation plan that regulators will look to interact with covered entities more through greater oversight, rulemaking, and standards. Regulators will continue to evolve in size, speed, and sophistication and are likely to pursue “Big Tech” with more interest. The players in Big Tech have a significant role in controlling the infrastructure, platforms, and availability of how our nation lives, works, communicates, and socializes. Big Tech has incredible visibility into civil society, and it also has visibility into threat actor activity. As a result, these entities will not just continue to be targeted for compliance and privacy issues; they are going to be asked to do more to help counter cyber threats. Such organizations should expect some pressure from a procurement and oversight perspective that will drive effects and usher in more change. Those entities should revisit the national strategy, assess where they may experience overlap, and prepare for engagement with CISA and even potential support to FBI disruption operations.
Commercial entities may also find that they are able to adapt the methodologies and tactics the government uses to “disrupt” threat actors for use against threats in corporate systems. If certain tactics are useful at a government level, they could drive expectations that commercial entities should do more to disrupt at an enterprise level. There are a few commercial companies that currently specialize in deploying deception technologies, including traps and decoys intended to alert on and disrupt a threat actor’s access. This is an area bound to expand, opening the door to an entirely new suite of cybersecurity capabilities for organizations in both the public and private sectors that have yet to employ disruption tactics.
It is clear from the strategy and the plan that defense is not enough. Disruption activities are likely to become a standard way to safeguard equities, and may even evolve into a future regulator expectation. To give a current commercial example, Facebook and Meta have invested significantly in a team tasked with disrupting threat actors, and they have been conducting disruption activities since before 2016. David Agranovic, the Director of Threat Disruption at Meta, recently wrote an article describing the work Meta is doing, in which they have disrupted more than 200 influence operations.² As the Meta example demonstrates, a reactive defensive posture has not been enough for the better part of the last decade, and, like the National Cybersecurity Strategy, Meta seeks to disrupt threat actor activity as well. Look for more of this type of activity from Big Tech and others in the future: the national strategy and its implementation plan both demand it.
What is missing?
U.S. Counterintelligence would benefit from playing a larger role in the implementation plan. Counterintelligence functions in the Federal government, including the Department of Defense (DoD), are routinely tasked with disrupting threats, especially in cyberspace.
Counterintelligence is defined as: “Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.”³ The National Counterintelligence Strategy says counterintelligence agencies should be: “identifying, assessing, and neutralizing foreign intelligence activities and capabilities in the United States; mitigating insider threats, countering espionage and assassination attempts by foreign intelligence services from occurring on U.S. soil and abroad; and protecting U.S. sensitive and classified information and sensitive facilities from technical penetrations or espionage.”
The authorities and mission of counterintelligence agencies are exactly what is needed to disrupt, deny, and counter cybersecurity threats. This is an area where the current National Cybersecurity Strategy Implementation Plan could use more specificity and cohesion. Currently, the plan calls for “strengthening the NCIJTF,” which is a Task Force where many agencies assemble and collaborate. Strengthening the Task Force is much too tactical; the plan and its strategic results would be better served by calling for “strengthening of U.S. Counterintelligence capabilities” instead. Additionally, the agencies with counterintelligence authorities should be specifically named and tasked in the plan to ensure they receive the political backing and resources to execute the disruption and dismantling the plan describes.
What if the plan works?
Having analyzed the various elements of the plan, and the areas where it can be strengthened even further, it is worth considering how success would change the landscape for national security as well as for commercial enterprise.
If “collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions” reduces threat activity in some measure, the ecosystem that currently responds to, investigates, contains, and mitigates threat actor exploitation of computer systems will be impacted. For example, with fewer breaches there will be fewer disclosures, which could have an impact on the legal ecosystem. Fewer breaches could also mean a downturn in insurance claims and less government intervention resulting from cybercrime. Over the last decade, we have built up a cybersecurity ecosystem that anticipates a rise in threat actor activity year after year. What then will the ecosystem do with a reduction?
Successful plan execution could mean that the risk landscape in just a handful of years looks drastically different than it does today, but that doesn’t mean that threat actors will disappear. Putting new barriers up will drive bad actors to look for new ways to get around them, and the cybersecurity and national security ecosystems can start preparing now. In preparation for that future, the cybersecurity professionals of today, in the legal community and elsewhere, should plan for and embrace a new paradigm that shifts from the current reactive whack-a-mole to one of proactive disruption.
Reprinted with permission from the August 01 edition of Cybersecurity Law & Strategy. © 2023 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited; contact 877-256-2472 or asset-and-logo-licensing@alm.com.
¹ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
² https://digitalfrontlines.io/2023/07/13/detect-disrupt-deter-the-multistakeholder-threat-disruption-model/
³ https://www.dni.gov/files/NCSC/documents/features/20200205-National_CI_Strategy_2020_2022.pdf