In March 2023, the Biden Administration released the National Cybersecurity Strategy. Given the significant onslaught of cyberattacks from nation-state actors and domestic cyber criminals, coupled with the rapid advancement of AI and the unknown perils quantum computing will pose for cybersecurity professionals, the Strategy was warmly received. The Strategy is divided into five pillars:
1. Defend Critical Infrastructure
2. Disrupt and Dismantle Threat Actors
3. Shape Market Forces to Drive Security and Resilience
4. Invest in a Resilient Future
5. Forge International Partnerships to Pursue Shared Goals
One of the key strategic objectives in the Strategy is 4.5: Support the Development of a Digital Identity Ecosystem. This caught my attention and that of my industry peers. Compared to most G7 members, the United States is laggard regarding digital identity. The U.S.’s poor digital identity infrastructure was exposed during the COVID-19 pandemic when cybercriminals stole billions of dollars in unemployment benefits. While posing as eligible state residents, these cybercriminals were able to apply for and receive benefits. According to the U.S. Department of Labor’s Office of Inspector General, at least $191 billion in pandemic UI payments could have been improper payments, with a significant portion attributable to fraud. To address this problem, on July 13, 2023, the Department of Labor announced $377 million in grants, funded by the American Rescue Plan Act, to states as part of a modernization of unemployment-insurance programs “to strengthen the integrity and resilience of their unemployment insurance programs.”
When the National Cybersecurity Strategy Implementation Plan (NCSIP) was released on July 13, 2023, one glaring omission was 4.5: Support Development of a Digital Identity Ecosystem. Huh? Oversight? What happened? Evidently, the NCISP is a living document, and a 2.0 version will be released in the future. Still, I am scratching my head as to why this strategic objective that impacts so many Americans was omitted in v1.0.
Much like weak military defenses put a country at risk of physical invasion; vulnerable digital identity infrastructure not only puts citizens at risk of identity theft, but it also puts government systems and the nation’s secrets at risk. All levels of government are susceptible to fraud and financial impact on private sector companies, including small businesses, which negatively impact the nation’s economy.
While omitting digital identity is disappointing, the NCISP is robust, with numerous welcomed initiatives. Here are a few worth noting…
Pillar 1- Defend Critical Infrastructure
Strategic Objective 1.1 – Establish Cybersecurity Requirements to Support National Security and Public Safety
Initiative 1.1.1 – Establish an initiative on cyber regulatory harmonization
Tasks the Office of the National Cyber Director (ONCD) in coordination with the Office of Management and Budget (OMB) and the Federal Communications Commission (FCC) to “identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure” with a due date of December 31, 2023. Given the work the National Institute of Standards and Technology (NIST) has spearheaded, in collaboration with the Federal Risk and Authorization Management Program (FedRAMP), on developing the Open Security Controls Assessment Language (OSCAL), I was surprised NIST wasn’t listed as a contributing entity. As regulatory harmonization draws more attention, efficiencies for governing at scale requires improvements in automating compliance activities. With DoD sending their finalized draft CMMC rule to OMB, the timeline for implementation is in 2024. Easy Dynamics is a leading OSCAL industry collaborator, and based on our expertise, OSCAL is ideally suited to harmonize baseline cybersecurity requirements across all 16 critical infrastructure sectors.
Initiative 1.1.3 – Increase agency use of frameworks and international standards to inform regulatory alignment
According to NIST’s website, version 2.0 of the Cybersecurity Framework (CSF) has a target release date of “early 2024”. This will be the first update to the CSF since the current 1.1 version was released over five years ago in April 2018. The NCSIP directs NIST to provide technical assistance in aligning regulations with international standards and the CSF. NIST will be supported by Cybersecurity and Infrastructure Security Agency (CISA) and the Sector Risk Management Agencies (SRMAs). SRMAs are federal agencies assisting and protecting one or more of the nation’s 16 critical infrastructures.
With Identity Management and Access Control included in the “protect,” one of the five Framework Core elements, I expect updates to NIST’s Digital Identity Guidelines, Special Publication 800-63-4, which should be released later this year to be included in the CSF 2.0.
Strategic Objective 1.5 – Modernize Federal Defenses
Initiative 1.5.2 Modernize Federal Civilian Executive Branch (FCEB) technology
As a leading technology services provider focusing on cybersecurity, cloud computing, Identity, Credential, and Access Management (ICAM), and Information Sharing, we know firsthand that several FCEB agencies are in various stages of modernizing their cybersecurity and eliminating legacy systems.
Pillar 4 – Invest in a Resilient Future
Older systems are difficult and expensive to maintain, and cybercriminals will undoubtedly penetrate these vulnerable systems and continue to do so. Further migration to the cloud will undoubtedly help in this area, and we look forward to OMB’s leadership with contributions from CISA, GSA, and the ONCD.
Strategic Objective 4.1 – Secure the Technical Foundation of the Internet
Includes an Office of National Cyber Director-led initiative to establish an Open-Source Software Security Initiative (OSSI) to promote open-source software security and the adoption of memory-safe programming languages.
This comes on the heels of a whitepaper published in May 2022 by the Linux Foundation and the Open Source Security Foundation titled “The Open Source Software Security Mobilization Plan,” which cites that 70-90% of any software “stack” consists of OSS and highlights that “vulnerabilities and weaknesses in widely deployed software present systemic threats to the security and stability of modern society as government services, infrastructure providers, nonprofits and the vast majority of private businesses rely on software to function.”
In November 2022, the National Security Agency (NSA) published a Cybersecurity Information Sheet on Software Memory Safety. According to the NSA, “Memory is managed automatically as part of the computer language; it does not rely on the programmer adding code to implement memory protections.
The language institutes automatic protections using compile time and runtime checks. These inherent language features protect the programmer from introducing memory management mistakes unintentionally. Examples of memory-safe language include C#, Go, Java®, Ruby™, Rust®, and Swift®.”
As a leading cybersecurity company and proponent of OSS, we applaud this initiative as securing OSS and expanding the use of memory-safe languages will benefit the nation.
While the National Cybersecurity Strategy and the accompanying NCSIP outline ambitious goals to protect the nation, kicking the can down the road on supporting the development of a digital identity ecosystem continues to put our digital identities at risk, and the nation’s digital economy remains exposed to fraud. This, partnered with the advancements of AI and deep fakes, warrants investment and a government-wide approach to address the nation’s lack of a digital identity ecosystem. Getting out in front of protecting citizens online ahead of a potential administration change in January 2024 is imperative.
Key Links:
National Cybersecurity the Strategy
National Cybersecurity Strategy Implementation Plan (NCSIP)
Pending EO 12866 Regulatory Review (reginfo.gov)