Skip to Primary Menu Skip to Utility Menu Skip to Main Content Skip to Footer
Noname Security Logo

National Cybersecurity Strategy Implementation Plan published; Carrots and Sticks

Dean Phillips
Share this article

This is the third installment in the National Cybersecurity Strategy series. To read the other two blogs, click here for part 1 and here for part 2.

As I was drafting the third installment on the National Cybersecurity Strategy, the National Cybersecurity Strategy Implementation Plan was published. This follow-on document provides greater specificity on detailed actions to be taken. As such, moving forward, the two should be viewed together and assessed as a pair.

The third pillar of the National Cybersecurity Strategy is “Shape Market Forces to Drive Security and Resilience”. I believe the free market is a powerful force and using the resources and influence of the government to shape the market can be an effective tool. But the government needs to be careful of unintended consequences resulting from policy decisions and investments. Remember Solyndra?  The objective within this pillar include:

  • Hold the Stewards of Our Data Accountable
  • Drive the Development of Secure IoT Devices
  • Shift Liability for Insecure Software Products and Services
  • Use Federal Grants and Other Incentives to Build in Security
  • Leverage Federal Procurement to Improve Accountability
  • Explore a Federal Cyber Insurance Backstop

Reviewing the implementation plan regarding this pillar, I noted the first objective of holding data stewards accountable had no specific actions identified. This was the first objective in the strategy that was not further fleshed out with specific actions in the implementation plan (I only noted one other objective, in Pillar 4, regarding digital IDs that also had no implementation actions associated with it, which I’ll address when I cover that pillar). At a comprehensive level, I wonder how you will get real results when you don’t hold someone accountable for them. This is a carrot versus stick situation. Four of the objectives are about leveraging government resources and policy authorities to drive improvements; they are carrots. Two are related to shifting liabilities and accountability; they are sticks. But I wonder how liabilities will be effectively shifted without accountability for those responsible for the problems. I wish everyone was altruistic enough that incentives were all that is needed. However, looking at the amount of fraud that accompanies every government program, I’m pragmatic enough to know there will be unscrupulous actors who are only concerned about their own well-being or profits with no concern for others. There will have to be some effort to drive accountability such as those regarding Software Bill of Materials (SBOM) accountability which should help.

Regarding the Federal Grants and Incentives to Build Security objective, this is a big carrot for the federal government and the $1B grant for state and local cybersecurity programs is indicative of that (a reference to which is in the implementation plan). There are other resources available to help, indicating a mature, concerted effort. For example, the Advanced Technology Academic Research Center (ATARC) has published two documents to help guide folks working in state, local and territorial cybersecurity strengthen their programs. 

Looking at the intermediate level guidance, APIs were rightfully identified as a leading attack vector as were the benefits of strong API security (see my previous blog on that document). In this arena, some folks have recognized the opportunity to use grant money to bolster their defenses with a partner like Noname.

The objective to Explore a Federal Cyber Insurance Backstop will start with an assessment of Federal insurance response to catastrophic events. Looking at this, any Federal insurance response needs to account for the efforts of those affected to protect themselves beforehand.  It should not be a handout to those who were unprotected. For example, knowing that APIs present significant vulnerabilities, those who aggressively work to utilize strong API security should have more favorable support than those who don’t.  It’s like getting a reduction in your homeowner’s insurance premiums for added safety features like a sprinkler system. Otherwise, some folks will avoid security costs to save money and then expect a bail-out when something bad happens when they could have potentially prevented it themselves.

Overall, I’m glad to see some concrete steps toward strategy implementation.  I wholeheartedly believe we need the right mix of carrots and sticks to drive desired outcomes.  Whether or not we see future cybersecurity insurance premium reductions for things like API security is yet to be seen, but regardless of that, strong security measures benefit us all. Check out the ATARC guidance for additional support and reach out to Noname for help in your federal, state and local API security needs.