After a good deal of run-up, the Biden administration released an updated National Cybersecurity Strategy on March 2. This strategy is an update on the 2018 National Cyber Strategy and, by my count, is the third national cybersecurity strategy of the 21st Century – and it will probably be the most impactful. (As an aside, I wonder if one should read much into the fact that this is titled a “Cybersecurity” Strategy as opposed to the 2018 “Cyber” Strategy.)
That is mainly because, for the first time, there is a senior government official – the National Cyber Director (the NCD) — accountable for the implementation of the Strategy with a staff element in place to ensure that implementation is monitored, resolve interagency conflicts, and advocate for resources and authorities for the federal government to achieve its aims. And while the NCD is currently an acting official, the well-qualified Kemba Walden, one can expect a permanent director will be nominated by the president shortly.
Before diving too deeply into implementation, however, it is worth taking a minute to review what is and isn’t new in the Strategy. The first thing I note is the intentional reflection of evolution not revolution in our national approach to cybersecurity – as the document states, it “builds on the work of prior administrations,” and that is particularly true when it comes to the core aim of cybersecurity, which is for the federal government to work a whole-of-community approach to securing critical infrastructure and national security systems from cyber adversaries.
Similarly, the Strategy is consistent with previous iterations in emphasizing the need for international collaboration, prioritizing federal cybersecurity, and taking the fight to our adversaries – here specifically named as China, Russia, Iran and North Korea as well as criminal elements (the same set of strategic adversaries as 2018).
So, is it fair to say the strategy is more of the same? I tend to think not. While the Strategy builds off the structures and collaborative model that has been front of mind since digital information security became a national issue in the 1990s, it places new emphasis on some key strategic concepts. I’d emphasize four of those.
Putting the onus on tech providers. The shift in thinking about systemic cyber risk reduction in the new Strategy is an important one. The easiest way to achieve this is to alter the underlying security of the hardware, software, and services that enable digital technology. And the administration seems keen on doing that by putting critical hardware and, in particular, software providers on notice that they need to create safer products or be held liable. The document states that “the Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services.” These efforts will certainly be interesting to watch in the new Congress and will be more than a little controversial.
Tying cybersecurity to federal investment dollars. Federal purchasing power and contracts have been long used as a lever to increase cybersecurity but the new Strategy takes that a step further and links cyber requirements to infrastructure investment dollars – something that the administration can do using existing authorities. Using those funds “can drive investment in critical products and services that are secure- and resilient-by-design, and sustain and incentivize security and resilience throughout the lifecycle of critical infrastructure.” The Strategy also calls for cybersecurity requirements to be part of the move toward a clean energy future. Taking these steps is going to require security agencies and economic development agencies to more squarely collaborate and it will be important to the Executive Office of the president to drive that.
A bias toward regulation. As the Strategy states, “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” The Administration has committed itself to using existing authorities to regulate certain critical infrastructure sectors while also seeking new authorities. This is the most significant policy push for cyber regulation since 2011-12 and is an explicit strategic statement that voluntary public-private partnerships, while valuable, have limits.
Supply chain security. The stats are becoming clear that supply chains are one of the main sources of cyber attacks and cyber vulnerabilities. HelpNet Security found that in 2022 “supply chain attacks caused more data compromises than malware.” The reality is many vulnerable supplies can be sourced to foreign suppliers; “this dependency on critical foreign products and services from untrusted suppliers introduces multiple sources of systemic risk to our digital ecosystem,” says the Strategy. The Strategy reinforces the administration’s push to build trusted supply chains and emphasizes cybersecurity as one of the imperatives to do so and to do more than just leverage federal contracts to do so.
Overall, my read of the Strategy is that it is a muscular one and puts a marker down for a busy policy and legislative agenda going forward. There has been a lot of talk of cybersecurity being a shared responsibility over the past several years, but there has not always been a lot of talk about a “shared accountability” model. What the Strategy is trying to do is build the foundation for that shared accountability where the product developer, the end user, and financial marketplace play a role with government mandating and incentivizing better performance in a harmonized manner. Sounds easy, doesn’t it?
That gets us back to the important role of the ONCD in implementation. The release of this Strategy is a real coming-out party on the national stage for ONCD. In place since 2021, the Office has staffed up smartly over the past two years and become a real source of talent within the government for cybersecurity policy makers. While the National Security Council staff and the Office of Management and Budget have traditionally provided Executive Branch leadership and accountability, they have not always had the depth and capacity to stay on top of strategy implementation while dealing with policy, resource, and crisis issues. Presumably having an office that can keep eyes on tracking progress will enhance likelihood of success.
There is a lot in the Strategy, however, that also depends on buy-in from Congress and that will be a trickier proposition. The Republican House does not share a bias toward regulation. And issues like a federal cyber insurance backstop, software maker liability, and tying requirements to federal dollars are sticky ones and will require some level of congressional support and, in certain areas, new legislative language. Whether the Strategy opens the door for new legislative opportunity remains to be seen and, ultimately, that may be one of the determinants of its success.
In the meantime, however, there is a lot of work that the Executive Branch can move forward on, building on what has come before. The fact that the Strategy was developed in a fairly transparent and collaborative process is a good sign and it will be worth watching if the spirit of collaboration between industry and government can be maintained as the nation moves toward a shared accountability model for cybersecurity.
New National Cybersecurity Strategy Calls for ‘Fundamental Shifts’ in Cyber ‘Roles, Responsibilities, and Resources’