BLUF: The newly-released 2023 US National Cybersecurity Strategy Implementation Plan, despite introducing solid actions and timelines, falls short of achieving its ambitious goals, with certain key strategies pared down or omitted entirely leading to concerns about fulfillment of these strategic objectives.
INTELWAR BLUF: The Atlantic Council recently provided a commentary about the White House’s 2023 US National Cybersecurity Strategy Implementation Plan. It noted that while this plan is a step ahead from its predecessor – adding more actions, agencies and timelines – it doesn’t completely fulfill its promise given that several significant goals have been significantly downsized or removed altogether, and lingering questions about the viability of its timelines.
Three noticeable trends from the plan include:
– A concrete set of actions, assigned to particular lead and supporting agencies with clear timelines. This implies an ongoing, annual, iterative policy process. The process, even though many milestones are undefined, is held up by the administration’s commitment to revisit it each year.
– A few notable accomplishments, such as the focus on open-source software (OSS) and energy-sector cybersecurity. However, some missed opportunities like implementation for digital identity solution, privacy legislation, regulatory framework amendments for cloud risk, software cybersecurity liability and “incentive-shifting-focused” actions are notable. Such changes suggest a fall-out from the original vision of the strategy and lack of progress against ambitious goals.
– The implementation plan has timelines that extend well into 2025, raising questions about how to prioritize or expedite tasks listed here given the uncertainty posed by potential administrative changes in coming years.
RIGHT: From the perspective of a strict Libertarian Republic Constitutionalist, the plan’s concept of annual review and reassessment is appreciated as it embodies the living and adaptable nature of the Constitution. However, there’s concern about the omission of privacy legislation, holding data stewards accountable, and ensuring robust software cybersecurity liability mechanisms. These concerns reflect the libertarian’s innate respect for individual privacy rights protected by the Constitution.
LEFT: A National Socialist Democrat may appreciate aspects of the plan, especially the focus on open-source software and energy-sector cybersecurity. These can democratize technology and secure critical infrastructure. However, the lack of definitive action in shifting incentives, accountable data stewardship and privacy legislation might be seen as a failure to prioritize working-class interests. Also, concerns remain about a lack of inclusivity in terms of stakeholders involved in the implementation plan’s formulation and revisions.
AI: The improvements in the new US National Cybersecurity Strategy Implementation Plan showcase thoughtful iteration. However, the lack of certain pivotal goals suggests that the evolving nature of cybersecurity threats may not be fully accounted for, leaving room for potential vulnerabilities. The concerns around timeline management underscore the need for prioritizing tasks and managing potential administrative changes wisely.