Considering the five pillars of the National Cybersecurity Strategy, which pillar(s), in your opinion, have/has more challenges in implementation? Why?
The most challenging pillars to implement would be Pillar Three, which is about shaping market forces around cybersecurity, and Pillar Five, which focuses on having international partnerships for greater cybersecurity. My overall reasoning for both of these pillars is the difficulty of maintaining trust, holding parties accountable, and the reluctance to invest in something that will not produce immediately visible results, which leads to no investment.
Starting with Pillar Three, a significant issue is that organizations start investing in cybersecurity primarily after they have already been hit with a cyberattack, which wastes more money because they have to repair the damage and then invest in cybersecurity. The challenge is that for that structure to change on a country-wide scale, the government must make a massive change in how organizations perceive cybersecurity. This change would need to make organizations not see it as a hole they are dumping money into. The next issue is ensuring that organizations follow through with mandatory cybersecurity practices. It would require a form of surveillance all across the country to force organizations to acknowledge and maintain compliance with cybersecurity, which leads to another issue for the organizations themselves. Not all organizations have the same revenue to invest in cybersecurity. With the inclusion of small businesses and non-profits that still need to invest in cybersecurity, an incredible amount of money is needed for this to function and be maintained at all levels for the future, even if the government is investing a significant amount of money into it.
Next, the biggest challenge with countries forming partnerships for cybersecurity is how that relationship forces a slight amount of openness and requires trust about how they utilize cybersecurity to collaborate better. While it would be valuable for countries to trust each other to improve overall cybersecurity, there is significant risk for those countries. In international partnerships, countries need to consider the possibility of their vulnerabilities being exploited or the potential for ulterior motives within the partnership. These kinds of risks may be too great for countries to get involved in international partnerships. Another issue is that there is no global standard for cybersecurity that all countries can fully agree on. While there are general frameworks that cover a lot of information and strategies, countries still have different perceptions of cybersecurity as a concept. This means that even if these international partnerships start to form, without a primary guide that all parties involved can look to for the same information, it will result in countries tackling the same issue without a sense of cohesion.
In conclusion, Pillar 3 and Pillar 5 of the National Cybersecurity Strategy present several challenges that I believe would have the most difficulties with implementation. For Pillar 3 to be implemented, it requires not only significant funding from the government and organizations but also a complete change in how the free market perceives cybersecurity, so that it is seen as a critical utility. Furthermore, maintaining the structure of the plan and ensuring every organization in the country is upholding compliance will be difficult. Pillar 5’s challenges require involved countries to be more open with cybersecurity, presenting risks that they may not be willing to take. The lack of a framework that all countries can look to and agree upon for cybersecurity also presents a difficult challenge for future implementation.