First, there was the strategy. Now, there’s a plan.
The White House unveiled its “to-do” list for addressing cyber weaknesses last week, taking initiatives laid out in the March National Cybersecurity Strategy and now charging 18 federal agencies with tasks to be completed in the coming months and years to ensure the U.S. can ward off digital threats.
“This plan details more than 65 high-impact federal initiatives, from protecting American jobs by combating cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy,” the White House said on July 13.
The plan is sweeping, touching on several challenges that have hamstrung cybersecurity at the federal level. To combat them, the government will shape a workforce and education strategy aimed at bolstering cybersecurity talent, a multi-year plan to address aging technology and enforceable legislation to prosecute cybercrime. Industry leaders who commented on the plan applauded the government for laying out several years’ worth of accountability, not just one.
“We know it’s a massive effort, it’s going to take all hands,” said Joel Krooswyk, federal chief technology officer at GitLab, in an interview. “I think that is the right thing.”
In the last two months alone, widespread cyber attacks propelled the looming threat to the forefront. But for years, government watchdogs have been hounding federal agencies to update susceptible legacy technology and fill cyber workforce shortages.
The other challenge is vacant leadership positions in offices critical to the plan’s success. For one, it’s unclear who will become the new national cyber director after The Washington Post reported that the acting official, Kemba Walden, would not be nominated. That office is in charge of carrying out the implementation plan and reporting progress to the president and Congress.
The plan will be the government’s cyber north star, but it shouldn’t be the only way to navigate the future, experts said. For one, it lacks detail on some high-priority issues that industry experts said will be critical to reaching cyber and modernization goals.
“What doesn’t show up in the plan? Artificial intelligence,” said Krooswyk. “The best chance we have of vaulting forward and making this work is going to require enormous efficiencies. And the way we get to those efficiencies right now is starting to look like AI.”
AI can be of use to agencies that need help translating millions of lines of ancient code or extracting insights from tied-up datasets, thereby freeing up the limited IT workforce to do other things. Some agencies already have many use cases for AI; others are a bit slower to adopt.
Without a standard, agencies may decide to adopt policies for themselves.
However regulation takes shape, the White House plan seems to indicate there is a desire to ensure open-source software has oversight and accountability. Some experts pointed to the fact that by its nature, open source lacks a strong fingerprint, but the legal and regulatory burden has to fall on somebody at some point, said Varun Badhwar, CEO of Endor Labs, in a statement.
“We’re gonna have to watch the legislation for the next couple years,” Krooswyk said. “Without some better guidance on that soon, what we’re going to possibly see is some struggles with the implementation.”
Similarly, the plan leaves some open questions about “software bills of materials” (aka “SBOMs”) and how immediate a role they should play in identifying and mitigating risky technology.
Per the plan, the government is aiming for 2025 to develop a process for closing gaps in SBOMs and shoring up unsupported software in critical infrastructure. Again, it leaves out specifics the private sector could glean to respond to that goal.
“These are all blind spots that currently prevent us from understanding risk, and from a security standpoint, I’m scared about what we’ll find,” Badhwar said.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.