Three things missing from the National Cyber Strategy: funding, planning and prioritization


The recently released National Cybersecurity Strategy will make lasting changes in our approach to cybersecurity and establishing resilience for the federal government as well as within critical infrastructure. It will increase the scale of public-private collaboration efforts and shift cybersecurity responsibility onto government agencies and larger organizations. This is a seismic shift in the way the government approaches cybersecurity.

However, the strategy needs to address three points: funding, planning and prioritization.

Funding: Strategies without funding are plans that can’t be executed. The federal government frequently mandates changes without providing the funds necessary for agencies to implement those changes, and this strategy is no exception. Agencies already have limited budgets and resources.

The plan describes various funding options, including joint annual guidance on cyber budget priorities from the Office of Management and Budget and the Office of the National Cyber Director as well as grants and incentives for critical infrastructure organizations, but these options will not come close to covering the expenses agencies will incur. Only an unwavering commitment to funding will allow us to address these challenges.

The Biden Administration’s fiscal year 2024 budget request proposes a total of $74 billion in IT spending for federal civilian agencies, a 13% increase. If Congress can fund cybersecurity initiatives at these levels and avoid the uncertainty of continuing resolutions, then agencies would have new funds to implement some of the new goals called for in the National Cybersecurity Strategy. While this is a great start, the federal government has underspent on cyber for so long that it is a drop in the bucket.

Short-term planning: The strategy gives a ten-year timeline for accomplishing the goals it sets forth. But ten years is an eternity in the world of technology. IT companies have difficulty planning even two years in advance given how quickly technology changes. Challenges, goals and technology could look quite different in ten years. Long-term investments must be made carefully so the technology does not quickly become obsolete.

The strategy speaks a great deal about long-term planning and realigning “incentives to favor long-term investments.” While the idea of long-term planning is necessary and valuable, the strategy doesn’t focus enough on what agencies should do today to achieve cyber resilience. Aside from acknowledging existing executive orders, it gives little guidance on approaching short-term planning or addressing immediate challenges. Without specific short-term action items, it’s hard to achieve long-term goals.

Nor does the strategy give much concrete guidance for agencies trying to thwart today’s ransomware attacks. These attacks are costing the country billions every year and interfering with operations across sectors, from healthcare to government services to education. A ten-year plan does little to address this urgent problem. While the strategy articulates core objectives in fighting cyberattacks, it does not provide agencies with the tactics or resources they need to address the crisis today.

Prioritization: Agencies need guidance about how to prioritize today’s cyber challenges and there’s not much to go on. Federal agencies are overwhelmed with mandates and executive orders about cybersecurity and IT operations. The strategy adds to that pile of marching orders without telling them which to follow first.

Not knowing how to prioritize can lead to agencies wasting resources. For example, agencies are often intimidated by lists of beginner, intermediate and advanced guidelines or requirements for cybersecurity. Often, they believe they must complete all the basic tasks before they move to the intermediate ones, and all intermediate steps before proceeding to advanced. This approach makes perfection the enemy of progress. Instead, agencies should look at those lists, decide which tasks they can complete, and prioritize based on their needs and current capabilities.

In addition, each agency’s top priority should be acquiring visibility into its existing assets. Many agencies lack internal visibility into how their enterprise is actually functioning, making it difficult to secure the environment.

The National Cybersecurity Strategy is a valuable contribution to the national conversation about maintaining the safety of our data, IT and critical infrastructure. But we must not lose sight of the fact that we need a timely plan, resources and prioritization to make a meaningful impact on our national cyber resilience.

Gary Barlet is federal chief technology officer for Illumio.

Copyright © 2024 Federal News Network. All rights reserved.
