We Have a New National Cybersecurity Strategy. Now What?
OPINION — The new National Cybersecurity Strategy is clear and concise, laying out the case for a more robust and engaged approach to defending our national critical infrastructure from a growing list of threats in cyberspace. Implementing it is the next big challenge.
The document articulates priorities and affirms for our allies and adversaries alike, that we will defend our interests and values in cyberspace. The key to long-term improvements in national cyber resilience, however, is not just the articulation of policy. It will be in the implementation and resourcing of the guidance laid out in the strategy.
The new strategy is consistent with, and expands on, the work of the Cyberspace Solarium Commission (on which we both served), and it is informed by three additional years of attacks on our nation’s security, prosperity and democracy by nation-state and criminal actors.
This administration cut its cyber teeth on responses to Russia’s years-long, sophisticated cyber espionage campaign against the U.S. government through U.S. software company SolarWinds and China’s vast espionage effort exploiting Microsoft vulnerabilities to target the private sector. Then, came criminal ransomware attacks against U.S. critical infrastructure and the discovery of a dangerous vulnerability at the heart of the software in millions of devices around the world.
These experiences informed the strategy as it identified key operational objectives: building more resilient national critical infrastructure, kick-starting under-performing public-private collaboration, investing in federal IT network security, improving the security of the overall cyber ecosystem, imposing costs on hostile actors, and developing the cyber capabilities of our international partners.
It’s not just for the President anymore. Are you getting your daily national security briefing? Subscriber+Members have exclusive access to the Open Source Collection Daily Brief that keeps you up to date on global events impacting national security. It pays to be a Subscriber+Member.
To begin to address critical infrastructure resilience challenges, the strategy lays out a strong argument for regulating or incentivizing the cybersecurity of key industries that currently lack specific guidelines and standards. The White House calls out the need to shift the cybersecurity burden to those “most capable and best-positioned to reduce risks for all of us” like cloud service providers. At the same time, the strategy acknowledges what industry has long been saying: there is too much confusion around whom industry should call if and when they need cybersecurity assistance, information, and guidance. The strategy commits the government to harmonizing existing regulations in sectors where there are already too many straws stirring the drink.
Critical infrastructure resilience requires partnership, and the strategy acknowledges that the federal government has not been a steady partner. The strategy alludes to the inconsistent performance of federal agencies working with private sector counterparts. Through this strategy, the administration is pledging to improve the capabilities and commitment of these sector risk management agencies. The Cybersecurity Infrastructure Security Agency, meanwhile, will need to step up into its national coordination and risk management roles.
To promote collaboration that strengthens critical infrastructure resilience, the strategy affirms a need for speed. Collaboration at the speed of data between government agencies and among the federal government, state and local partners, and the private sector creates a shared understanding of the threat landscape. In short, the strategy effectively endorses the Joint Collaborative Environment recommendation issued by the Cyberspace Solarium Commission and championed by former Representative Jim Langevin (D-RI) over the past two years. This nod, plus a directive in the annual defense bill for the National Security Agency to study a cyber threat information collaboration environment, may give the proposal the boost it needs to get over the finish line.
Shifting from the domestic to the international sphere, the strategy emphasizes expanding cyber capacity building support to less mature allies and partners and increasing cyber cooperation with more developed allies and partners. Capacity building and collaboration are critical to U.S. military and economic interests – as demonstrated most vividly by the efficacy of Ukraine’s cyber defenders against Russia’s onslaught.
The State Department has multiple programs to fund cyber capacity building. U.S. Cyber Command’s “hunt forward” operations, meanwhile, see Americans working side-by-side with foreign cyber operators to excise malicious actors fro