Washington, D.C.

May 22, 2024

Remarks As Prepared for Delivery

Thank you, Frank.

And thank you to the McCrary Institute for hosting today’s event. I am delighted to be here to discuss several important topics, including the National Cybersecurity Strategy Implementation Plan Version 2 and the importance of federal coherence.

We are in the midst of a fundamental transformation in our Nation’s cybersecurity. Our cyberspace is growing in complexity, more interconnected than ever before, and increasingly defined by competition.

The threats we face remain daunting. Our defenses are not impregnable. Aspiring just to manage the worst effects of cyber incidents is insufficient. Our work must continue to evolve to meet the changing landscape.

And yet, we have made progress in realizing an affirmative vision for a safe, prosperous, and equitable digital future – a vision laid out in President Biden’s National Cybersecurity Strategy.

A vision that guides the work of ONCD.

Two weeks ago, while many of us were at RSA, ONCD delivered a first-of-its-kind report to the President, the National Security Adviser, and Congress. The 2024 Report on the Cybersecurity Posture of the United States provided our view on the state of cybersecurity in America.

I can say that the U.S. national cybersecurity posture has improved and will continue to do so.

It’s clear that a reactive posture cannot keep pace with fast-evolving cyber threats and a dynamic technology landscape. It is also clear that just managing the worst effects of cyber incidents is no longer sufficient to ensure our national security, economic prosperity, and democratic values.

In the report, we examine the evolving risks to critical infrastructure, persistence of cybercrime/ransomware, increasingly complex supply chain exploitation, growth of commercial spyware, and the power of artificial intelligence.

In light of these trends, a coherent program of action led by the Federal Government and aligned with private sector and allied efforts is required.

Much of this work was captured in the first round of implementation of the National Cybersecurity Strategy. As many of you know, we published that plan in July.

And here are the quick stats:

The Federal Government was responsible for completing 36 initiatives, led by 14 agencies, by the second quarter of 2024. 33 were completed on time. For those of you doing the math, that’s 92%.

33 additional items are due over the next two years and they’re all on track to be completed on time.

And thanks to the new version of the National Cybersecurity Strategy Implementation Plan that we’ll discuss today, there are 31 new initiatives with six new Federal agencies leading initiatives.

All of this work, and frankly all of our progress, is due to one element we all discuss often: partnership.

At ONCD, we are at the center of Federal cohesion, tasked with bringing collaboration and coordination to levels commensurate with the challenges our Nation faces.

And today I feel bold enough to say that the level of coherence that ONCD and our mission partners have demonstrated is enhancing our Nation’s security.

ONCD brings value to the cybersecurity ecosystem by bringing parties together, driving action, and developing strategy – but our progress depends on the willingness, capabilities and passion of our partners.

Our important collaborators include: partners and friends from across the Federal Government; international partners; state, local, tribal and territorial government partners; those from industry, academia, non-profits and many more who enhance our collective resilience to cyber threats.

Congress has also been a vital partner in this implementation process, and we will continue to engage with our partners on the Hill to ensure that departments and agencies have the resources and authorities they need.

With no shortage of challenges on the horizon, the Administration and Congress must continue to work together in a nonpartisan manner to advance U.S. cybersecurity and resilience. In fact, implementing our Strategy requires more than a collaborative, whole-of-nation effort. As I stated earlier, to succeed we need our international allies so it is really a whole-of-nations effort.

So, with our thanks to the McCrary Institute for bringing us all together today, let me highlight some of the key elements of our new Implementation Plan.

One of the things we’re most proud of in the new implementation plan is the new Federal agencies that we’ve brought to the table. Six agencies are leading initiatives for the first time. Four of them are Sector Risk Management Agencies.

I want to take a minute to unpack what that says about our approach to partnership and how it embodies the federal coherence I’ve already discussed.

First, it’s important we all acknowledge that the Administration has been very busy on critical infrastructure security policy the last few months.

The week before we released this latest Implementation Plan, the President signed National Security Memorandum 22 on Critical Infrastructure Security and Resilience. And NSM 22 came on the heels of the President releasing his Budget for Fiscal Year 2025.

These documents all reflect a coherent approach to our efforts to build cyber resilience into our nation’s critical infrastructure. They complement and build off each other – reflecting policy, resourcing and action that – when taken together – are multiplicative, not merely additive.

To understand the through line, let’s first look at the National Security Memorandum. The process to update our critical infrastructure policy kicked off in response to Congressional action: the codification of SRMA roles and responsibilities in the 2021 National Defense Authorization Act.

Based on the input and impetus from our partners in Congress, the Biden-Harris Administration fleshed out what those responsibilities really mean. We clarified that SRMAs, in partnership with CISA and other relevant agencies, including regulators, must develop plans to mitigate risk that are grounded in core security requirements.

These plans must make use of every tool and authority available, from cyber insurance to regulation to grants like those being made under the Bipartisan Infrastructure Law. The NSM also requires the Director of National Intelligence to provide targeted support to SRMAs to help them – and their sectors – better understand the threat landscape. And it empowers CISA, the National Coordinator for Critical Infrastructure Security and Resilience, to support its fellow SRMAs by providing capabilities and resources, such as cybersecurity expertise, risk assessments, and other essential services.

Each of these policy changes builds on initiatives in the National Cybersecurity Strategy Implementation Plan Version 1. The National Cybersecurity Strategy stated that the government would pursue regulatory approaches for critical infrastructure where appropriate, and the first IP has initiatives focused on mapping authorities and regulatory harmonization.

The Strategy calls for increased intelligence sharing with the private sector and the IP contains an initiative – nearly complete – for the Office of the Director of National Intelligence, ODNI, to review existing classification policies.

Version 1 of the plan also called on CISA to create an office to support SRMAs in need; those functions will be part of CISA’s new Office of the National Coordinator.

These documents are synergistic. From the bill to the Strategy to the Implementation Plan to the NSM, each is building on and reinforcing the work of the past. This is what coherence looks like. And it extends to resourcing as well.

Last June, as part of the first Implementation Plan, OMB and ONCD jointly released cybersecurity budgetary guidance for agencies for fiscal year 2025. We highlighted the role of SRMAs, and the need for agencies to appropriately fund those functions.

The President’s Budget proposal reflects those priorities.

The Department of Health and Human Services request has a $12 million increase for the cybersecurity capacity of the Administration for Strategic Preparedness and Response.

The Environmental Protection Agency requested $25 million in additional SRMA capacity as well as $25 million for its first ever dedicated cyber grant for water utilities.

The United States Department of Agriculture doubled its SRMA funding request. These appropriations will be vital to continue implementation of the Strategy and of NSM 22. And we are now looking to our partners in Congress, who kicked off the conversation on SRMA responsibilities, to fund them. This is what coherence looks like.

Now, of course, we have our new implementation plan. And it contains initiatives from these agencies as they continue to mature. For example:

  • In the health care and public health sector, HHS will implement its cybersecurity strategy, develop baseline standards for hospitals, and work with Congress to deliver aid to small, rural, and critical access care facilities.
  • In the water and wastewater systems sector, the EPA will bring more technical assistance to the public water systems that not only keep our taps flowing, but also provide critical coolant for everything from power plants to data centers.
  • And, in support of the water sector, USDA will invest in its Rural Water Circuit Rider Program to fully integrate cybersecurity offerings for vulnerable utilities.

These efforts complement the ongoing sector risk management planning under NSM 22. And I would fully expect to see discrete cyber tasks from the sector plans in future iterations of the NCSIP. This is what coherence looks like.

Getting all the oars in the boat pulling in the same direction isn’t always easy, but it’s amazing what we can accomplish when we do.

I’d like to focus on another theme you’ll see in this Version 2 of the Implementation Plan.

As I mentioned before, one of President Biden’s first major cybersecurity actions was signing Executive Order 14028. While largely focused on ensuring the Federal Government will lead by example in cybersecurity by getting its own house in order, the EO also created the Cyber Safety Review Board, or CSRB.

This innovative public-private partnership brings together experts from government and industry to review cyber incidents, conduct root-cause analysis, and then provide recommendations on how to prevent or reduce the impact of future cyber intrusions.

The National Cybersecurity Strategy doubles down on the value of the CSRB, calling for its codification by Congress. In the first version of the Implementation Plan, ONCD also had an initiative to ensure that significant recommendations from the CSRB are actually put into practice.

Let me highlight two examples of what that looks like.

The CSRB’s Lapsus$ report focused on a loosely organized threat actor group that – for several months in late 2021 and early 2022 – conducted a series of high-profile hacks of everything from government agencies to chipmakers. One of the more sinister findings from the Lapsus$ report was the criminals’ use of juveniles to aid their schemes. Many of the core Lapsus$ members were themselves under the age of 18, and the CSRB found that “criminal gangs… exploit adolescents’ legal status in the criminal justice system, redirecting repercussions that could be imposed on adult threat actors operating in the background.”

Frankly, this is terrifying – it’s terrifying to think that our children are being recruited to commit crimes. It shows a clear gap in our policy and a horrific opportunity for our adversaries.

We need to go after the real criminals, and we need to remove the incentives for them to actively recruit our youth.

Thankfully, in the second version of our National Cybersecurity Strategy Implementation Plan, and thanks to the recommendation by the CSRB, the Department of Justice will develop a whole-of-society approach to improve prevention, deterrence, and redirection of juvenile cybercrime offenders. We need to give kids a path to move away from these criminals, and I look forward to seeing DOJ’s progress as they act on this recommendation.

Beyond Lapsus$, the CSRB also examined the exploitation of the popular Log4Shell open-source software project. At ONCD, we chair the government’s Open Source Software Security Initiative, so this report had special resonance with us.

We know that open-source software is foundational to nearly every technology we use in government, critical infrastructure, or our homes. We also know we need to continue to incentivize activities to shore up secure development of open-source to prevent a true “tragedy of the commons.”

As part of the CSRB’s review, the Board noted that there was not a centralized inventory of the open-source software used by the Federal Government. There is no easy way for the government to understand the code that supports its critical mission delivery – and to make commensurate investments in secure development.

The Board recommended exploring the creation of an open-source software security risk assessment center to house this inventory and to develop metrics for and advocate for best practices in software security across the government. Through the implementation plan, CISA, with support from NIST, is assessing the feasibility of such a center and taking the next step in evolving risk management in light of one of the most significant cyber events of the past several years.

Integrating lessons learned into our approach is core to the success of the National Cybersecurity Strategy. The CSRB helps us identify gaps. The Implementation Plan helps us close them. And both are ongoing processes that will drive continuous improvement in our Nation’s cybersecurity posture.

As with so many projects that are partnership-driven, our path ahead must be clear.

Thanks to this second version of our Implementation Plan, we have renewed our collective commitment to building a defensible, resilient, and values-aligned digital ecosystem.

To our Federal Government partners that are a part of today’s program and our vital work ahead, thank you.

And, Frank, I’m looking forward to talking with you.
