After keeping the cybersecurity community in suspense, the Biden Administration officially released an updated National Cybersecurity Strategy (https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf) on March 2. This marks the third national cybersecurity strategy that has been released in the 21st century and it is likely to be the most impactful. Prior to this update, the US had not seen a new strategy since the Trump Administration released the 2018 National Cyber Strategy. The release marks a long-awaited response from the Biden Administration to combat mounting cyber threats across the United States and across the globe.
The Strategy is not a complete shift from its last iteration 5 years back – in fact, the Strategy makes clear that cybersecurity must be a buildable discipline, one that draws on past learnings and collaboration to continue to evolve. In this way, the new Strategy does not seek to revolutionize Federal cybersecurity practices or approaches, but instead to reiterate the importance of shared accountability and broad collaboration in the fight against adversarial cyber threats, which have remained consistent since 2018 – named as China, Russia, Iran and North Korea.
Perhaps one of the most impactful differences in this iteration of the Strategy is that for the first time, there has been a senior government official – the National Cyber Director (NCD) – tasked with overseeing its implementation. Kemba Walden, the current acting NCD, will be accountable for advocating for resource allocation from the Federal government as well as overseeing staffing in order to act on the directive of the Strategy and ensure its proper implementation. Walden is well-acquainted with the intricacies of cybersecurity strategy, but I hope a permanent Director, whether she or someone else, will be named by the President in the coming weeks.
A Proactive Approach
While taking from past work in Federal cybersecurity, I believe this Strategy has an important evolutionary direction for cybersecurity that highlights proactive measures, rather than just reactivity to information security issues that have persisted since the 1990s. I’d like to emphasize four primary concepts that the Strategy highlights that have promise:
Investments from the Federal government will require demonstrated proactive cybersecurity
While increases in cybersecurity were previously encouraged through the promise of Federal purchasing power and increased contracts, the Strategy now begins to tie cybersecurity requirements to increased infrastructure and grant funding levels to attempt to put the onus on organizations to improve their cyber postures when they receive Federal support. The goal for this is fully secure and resilient networks that can function even under duress, and the Federal government and Executive Office of the President will have to lead this charge to ensure that funds are tied consistently to cyber security and resilience outcomes.
Securing supply chains is of utmost importance
Supply chains have become the primary target for cyber threat actors looking to inflict serious damage. Across the globe, many critical aspects of businesses rely on foreign suppliers without a full understanding of the intricacies of supplier networks. Not only does this leave too much to chance, but the Administration has outlined in the Strategy that the Federal government must work to establish and create trusted supplier networks that both have full supply chain visibility and have prioritized cybersecurity in their operations.
Ransomware has become a primary threat
The Strategy recognizes that ransomware threats have grown exponentially in the last few years to become one of the most damaging cross-border threats to national security and critical infrastructure. “Ransomware operators have disrupted hospitals, schools, pipeline operations, and government services,” says the Strategy, which places the onus on shaping this threat environment with national governments’ deterrence efforts. The Counter-Ransomware Initiative has launched an international task force with cooperation from over 30 countries to combat this growing threat – it will be interesting to see how political and economic isolation will be leveraged against countries that continue to harbor ransomware criminals without punishment.
Collaboration is key for critical infrastructure
As the Strategy states, “When incidents occur, Federal response efforts must be coordinated and tightly integrated with the private sector and State, local, Tribal and territorial partners.” Like its predecessors, the current Administration has expressed the importance of avoiding disruption to critical infrastructure through the strengthening of collaborative cyber defenses. The Strategy reiterates this necessity and puts the onus on the Federal government to streamline its response strategy while also placing more regulation on critical infrastructure providers to ensure operational resilience in the case of cyber threats.
It is important to note that this Strategy needs to be followed by a clear path forward for an increased policy and legislative agenda to tackle the growing adversarial cyber threat. Previously, cybersecurity has been considered a matter of shared responsibility across the global community to stamp out cyber-criminal organizations and protect national defenses. However, what I see is a move towards a “shared accountability” model that involves all aspects of cyber defense from the development of products to the responsibility of end users to do their part in cyber defense. It sounds like quite a lofty goal, not an easy feat. It remains to be seen how the Federal government will put into action this proposed symbiotic relationship of cybersecurity and what regulations will emerge to ensure its implementation.
A potential hold-up to achieving this Strategy lies in the aspects that rely on Congressional approval. While the Strategy relies on many existing precedents and falls within the purview of existing Federal agencies, there is a level of buy-in that is required from a Republican-controlled House and a nearly split Senate that tends to lean away from increased regulation. One area where this legislative fight may play out is the language for tech company liability and cyber requirements being tied to Federal funding. This is likely to be a challenge to implementing the full scope of the Strategy. It will be interesting to see how Congressional conversations unfold with the released Strategy and what aspects will be challenged.
A Logical Shift in Cybersecurity Strategy
While the Strategy is a mature shift in cybersecurity approaches, what really cements its chance of successful implementation is the Office of the National Cyber Director, which was developed in 2021 to be a strategic source of cyber expertise within the government. ONCD has taken charge of talent resourcing since its founding with the goal of providing oversight and cybersecurity guidance to the Executive Branch. This is a wise move in the lead-up to the Strategy release, as it provides office-specific accountability for the implementation of the Strategy and will likely lead to a higher chance of success. The coming appointment of a permanent NCD will be one of the largest pushes to ensure cyber defense oversight, going even beyond previous roles of the National Security Council to advise the Executive Branch leadership and provide a greater sense of expertise and accountability.
It is still too recent to say exactly how the new Strategy will shake out in shaping national efforts, but there is still work that the Executive Branch can do today to expand upon previous cybersecurity directives. Collaboration is hard to enforce, but the new Strategy makes it clear that the key to strong cyber defenses rests in the hands of collaborative agencies across the Federal government and beyond international borders. A shared accountability model will surely shake up previous models of engaging the international community in ensuring cyber posture, and it will require a large international effort to protect critical infrastructure and ensure protection against adversarial threat actors in an increasingly unstable cyber landscape.