The IT and OT systems that support not only federal governmental agencies but also national critical infrastructure must be protected, but developing a security strategy effective against threats is no easy feat. It can be difficult to cover all of the necessary areas, given that these systems are “complex and dynamic, technologically diverse, and often geographically dispersed,” according to a report from the United States Government Accountability Agency (GAO).
The GAO report concerns the 2023 National Cybersecurity Strategy and its associated implementation plan, assessing the strategy according to GAO’s preexisting criteria. The report found that the National Cybersecurity Strategy did not meet all of the agency’s “desirable criteria,” identifying where it fell short and making recommendations for additional actions.
GAO’s Desirable Characteristics of a National Strategy
GAO has long reported on the need for a comprehensive national cybersecurity strategy, including reviewing cybersecurity strategies in place and offering recommendations to increase security and optimize the national strategy. The desirable characteristics of a national strategy are used as a metric for the thoroughness and effectiveness of the country’s cybersecurity efforts, and GAO evaluates the national strategy based on how it addresses these areas.
The six factors that GAO considers desirable characteristics for a national cybersecurity strategy are:
- Purpose, scope, and methodology—What the strategy is being developed for, how far its scope reaches, and the process of its development.
- Problem definition and risk assessment—Addressing the threats and challenges the strategy is built for, including assessment and analysis of risks, threats, and vulnerabilities regarding critical assets and operations.
- Integration and implementation—How the national strategy is interconnected with other objectives and activities and how the strategy will be implemented.
- Organizational roles, responsibilities, and coordination—Addressing the roles of those implementing the strategy and mechanisms for coordination with others.
- Goals, subordinate objectives, activities, and performance measures—What the strategy aims to achieve, steps to achieve the intended results, alongside priorities, milestones, and mechanisms for measuring results.
- Resources, investments, and risk management: The cost of the strategy, resources and investment required, and targeting these resources to balance risk reduction and costs.
How the National Cybersecurity Strategy Measures Up
The February 2023 National Cybersecurity Strategy and the July 2023 implementation plan were issued by the White House and the Office of the National Cyber Director (ONCD), outlining the administration’s approach to managing national cybersecurity and how the strategy will be carried out. GAO assessed the relevant strategy and plan documents against the above desirable characteristics in order to determine how closely the strategy adheres to the agency’s criteria for a thorough and effective cybersecurity strategy.
The evaluation found that the National Cybersecurity Strategy fully addressed the first four desirable characteristics and partially addressed the last two: goals, subordinate objectives, activities, and performance measures, as well as resources, investments, and risk management. These areas are crucial for a national strategy, as information regarding plan outcomes and implementation costs can heavily impact funding.
According to GAO, the documents did not effectively address the following aspects:
- Outcome-oriented performance measures—ONCD said it was not realistic to develop these measures at this point, but GAO asserts that such measures can feasibly be developed in applicable areas, such as tracking the number and dollar value of ransomware incidents to gauge the effectiveness of anti-ransomware efforts.
- Resources and estimated costs—The implementation plan described initiatives involving executive visibility and interagency coordination, but failed to identify the cost of these initiatives.
GAO Conclusions and Recommendations
Cybersecurity incidents continue to grow in number, sophistication, and impact, and can cause catastrophic damage to agencies, companies, critical infrastructure, and individuals. Any cybersecurity strategy must include steps to protect against the most common and pressing threats, such as:
- Phishing
- Credential theft
- Vulnerability exploits
- Ransomware
- Data breaches
- AI-empowered attacks
- State-sponsored attacks
The GAO report explores the necessity of fully establishing a national cybersecurity strategy “to guide the federal government’s cybersecurity activities, including its coordination with the private sector.” The desirable characteristics of a national strategy that GAO developed outline the vital components of a thorough and effective strategy, and this report urges ONCD to take additional steps to align the National Cybersecurity Strategy with these criteria.
With governmental entities and the private sector both continually at risk from a wide range of cyberthreats, it only becomes more important for ONCD to address all of GAO’s desirable characteristics. Cybersecurity incidents “pose a serious challenge to economic, national, and personal privacy and security,” and current measures are not sufficient to prevent them.
The report concludes that the National Cybersecurity Strategy falls short in two major areas and that without implementing additional measures to address those areas, ONCD, stakeholders, and other agencies will be unable to gauge the effectiveness of their efforts or secure sufficient resources and funding for the strategy. The recommendations for executive action are to identify initiatives that allow for outcome-oriented performance measures and develop those measures, as well as to identify initiatives that warrant cost estimates and develop those estimates.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.