March 3, 2023 | The Cipher Brief

We Have a New National Cybersecurity Strategy. Now What?

March 3, 2023 | The Cipher Brief

We Have a New National Cybersecurity Strategy. Now What?

The new National Cybersecurity Strategy is clear and concise, laying out the case for a more robust and engaged approach to defending our national critical infrastructure from a growing list of threats in cyberspace.  Implementing it is the next big challenge.

The document articulates priorities and affirms for our allies and adversaries alike, that we will defend our interests and values in cyberspace. The key to long-term improvements in national cyber resilience, however, is not just the articulation of policy. It will be in the implementation and resourcing of the guidance laid out in the strategy.

The new strategy is consistent with, and expands on, the work of the Cyberspace Solarium Commission (on which we both served), and it is informed by three additional years of attacks on our nation’s security, prosperity and democracy by nation-state and criminal actors.

This administration cut its cyber teeth on responses to Russia’s years-long, sophisticated cyber espionage campaign against the U.S. government through U.S. software company SolarWinds and China’s vast espionage effort exploiting Microsoft vulnerabilities to target the private sector. Then, came criminal ransomware attacks against U.S. critical infrastructure and the discovery of a dangerous vulnerability at the heart of the software in millions of devices around the world.

These experiences informed the strategy as it identified key operational objectives: building more resilient national critical infrastructure, kick-starting under-performing public-private collaboration, investing in federal IT network security, improving the security of the overall cyber ecosystem, imposing costs on hostile actors, and developing the cyber capabilities of our international partners.

To begin to address critical infrastructure resilience challenges, the strategy lays out a strong argument for regulating or incentivizing the cybersecurity of key industries that currently lack specific guidelines and standards. The White House calls out the need to shift the cybersecurity burden to those “most capable and best-positioned to reduce risks for all of us” like cloud service providers. At the same time, the strategy acknowledges what industry has long been saying: there is too much confusion around whom industry should call if and when they need cybersecurity assistance, information, and guidance. The strategy commits the government to harmonizing existing regulations in sectors where there are already too many straws stirring the drink.

Critical infrastructure resilience requires partnership, and the strategy acknowledges that the federal government has not been a steady partner. The strategy alludes to the inconsistent performance of federal agencies working with private sector counterparts. Through this strategy, the administration is pledging to improve the capabilities and commitment of these sector risk management agencies. The Cybersecurity Infrastructure Security Agency, meanwhile, will need to step up into its national coordination and risk management roles.

To promote collaboration that strengthens critical infrastructure resilience, the strategy affirms a need for speed. Collaboration at the speed of data between government agencies and among the federal government, state and local partners, and the private sector creates a shared understanding of the threat landscape. In short, the strategy effectively endorses the Joint Collaborative Environment recommendation issued by the Cyberspace Solarium Commission and championed by former Representative Jim Langevin (D-RI) over the past two years. This nod, plus a directive in the annual defense bill for the National Security Agency to study a cyber threat information collaboration environment, may give the proposal the boost it needs to get over the finish line.

Shifting from the domestic to the international sphere, the strategy emphasizes expanding cyber capacity building support to less mature allies and partners and increasing cyber cooperation with more developed allies and partners. Capacity building and collaboration are critical to U.S. military and economic interests – as demonstrated most vividly by the efficacy of Ukraine’s cyber defenders against Russia’s onslaught.

The State Department has multiple programs to fund cyber capacity building. U.S. Cyber Command’s “hunt forward” operations, meanwhile, see Americans working side-by-side with foreign cyber operators to excise malicious actors from the networks of partners and allies. These programs will need more resources to implement the vision behind the new strategy.

The strategy also endorses the continued application of a defend forward strategy. Persistently pursuing operations in cyberspace (and in other diplomatic, legal, and economic lanes) with the intent of disrupting adversary malicious cyber activity, has been key to reducing cyber threats to our nation. When coupled with the operational guidance in National Security Presidential Memorandum 13, it has given U.S. operators the ability to impose costs on adversaries in cyberspace.

The National Cybersecurity Strategy is an important step in the development of a more robust and forward leaning cybersecurity posture. It is also an inflection point for the Office of the National Cyber Director, which drafted the document and which Congress designed to lead the federal government in combating cyber threats. The document reflects the strong legacy of the inaugural NCD, Chris Inglis and gives the new acting NCD, Kemba Walden, the lead on implementing the strategy’s numerous important tasks over the next two years.

In its last pages, the strategy pledges to incorporate lessons from past and future cyber incidents, to use data to assess the effectiveness of its implementation and invest to achieve its goals. Of all the promises and commitments in the document, this last one will be the most important.

Implementation is where the rubber meets the road – where resources must be spent, workforces deployed, bureaucratic battles fought – all against the backdrop of ongoing incidents. But without effective implementation, this strategy will become just another well written paper.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, where he is also a senior fellow. He directs CSC 2.0, which works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he previously served as executive director. Follow him on Twitter @MarkCMontgomeryMs. Ravich is the chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. She serves on the U.S. Secret Service’s Cyber Investigation Advisory Board and was as a commissioner on the Cyberspace Solarium Commission, vice chair of the President’s Intelligence Advisory Board, and co-chair of the Artificial Intelligence Working Group of the Secretary of Energy Advisory Board. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.