The views expressed by contributors are their own and not the view of The Hill

Forget the regulatory red herring: Here’s what the National Cybersecurity Strategy is really telling us

Last week, the Office of the National Cyber Director (ONCD) released the long-awaited National Cybersecurity Strategy — the first under the Biden administration.

Countless industry listening sessions and extensive interagency coordination didn’t leave much need for guesswork. As telegraphed (and reported), the strategy explicitly calls for a shift in the regulatory landscape. It also makes the best business case for cybersecurity investment and coordination that we’ve seen yet in a comprehensive government strategy document.

Cyber risk and liability get a new paradigm

The strategy doesn’t break from previous work; it builds on it, while also establishing a new approach to accountability, calling for a continuum of responsibility and liability that applies pressure at the points most likely to produce the greatest and earliest positive impact.

Highlighting two “fundamental shifts,” the strategy outlines the need to “rebalance the responsibility to defend cyberspace” away from the end user and to the owners and operators of systems and to “realign incentives to favor long term investments.” Both demonstrate a level of business acuity not often explicitly acknowledged in esoteric government planning.

While the strategy makes it clear the administration believes market forces require a regulatory push to advance this paradigm shift, the underlying message is earnest.

The lens through which we have collectively been addressing cyber risk and assigning accountability is insufficient and lacks a consistent and effective approach to liability. Again, the Biden administration did not wait until publication to share this strategy. Around this time last year, former National Cyber Director Chris Inglis and Assistant Cyber Director for Strategy & Research, Harry Krejsa, called for a “new cyber social contract” that more appropriately distributed responsibility for “mitigating systemic cyber hazards.” More recently Cybersecurity and Infrastructure Security Agency Director Jen Easterly and Executive Assistant Director Eric Goldstein advised us to start viewing cybersecurity as a “foundational business risk” as both customers and suppliers. They urged tech companies to “stop passing the buck on cybersecurity” and build more security into products, a message that Director Easterly echoed last week at a fireside chat at Carnegie Mellon University.

Defenders of the digital ecosystem don’t just live in government

Even in attempting to close what the administration sees as the gaps in purely voluntary approaches to systemic cyber risk management, the strategy affirms the importance of public-private sector collaboration. It underscores the value of Information Sharing and Analysis Centers (ISACs) and points to government-industry collaboration centers, including the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC), the National Security Agency’s (NSA) Cybersecurity Collaboration Center (CCC), and the Department of Energy’s (DOE) Energy Threat Analysis Center (ETAC) (among others) as key arenas for operationalizing coordination.

In emphasizing the importance of building the cyber workforce of the future, the document outlines roles for academia, industry, nonprofits and government agencies alike.

In acknowledging the “cost and burden” of compliance for industry, the strategy also explicitly addresses the current overlapping patchwork of cybersecurity regulatory frameworks and commits to tackling the complicated issue of regulatory harmonization. The document identifies the need to consider cross-border requirements to prevent them from “impeding digital trade flows.” Industry groups have long advocated streamlining compliance requirements, and perhaps we have reached a flashpoint — especially with a slate of new cybersecurity regulations proposed at both the state and federal levels in the last year.

The new strategy also highlights the responsibility of the Cyber Incident Reporting Council, authorized by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), to coordinate and deconflict mandatory federal cyber incident reporting requirements.

“Build America, Buy America” isn’t protectionist; the fight requires more global coordination than ever

In the context of securing global supply chains, the strategy explicitly identifies the principles of “Build America, Buy America,” both as investment in the domestic digital economy and fortification against dependence on unreliable foreign supply chains, namely China.

It also leaves no question that China is not simply a competitor in cyberspace, but is our “broadest, most active, and most persistent threat to both government and private sector networks.” Unsurprisingly, Russia, North Korea and Iran round out the big four threat actors in the domain.

While it stops short of detailing cyber offensive operations, there is also a notable focus on disrupting the adversary and, again, balancing the burden of cyber defense and accountability. The strategy directly looks to take down the networks enabling nation-state and other threat actors, rendering them “unprofitable.” This follows the recent dismantling of the Hive ransomware network by the FBI and international partners. It also doubles down on the principles of the Trump-era executive order intended to prevent foreign cyber actors’ use of U.S. Infrastructure as a Service (IaaS) for malicious purposes, as well as to assist in identifying foreign threat actors in order to hold them accountable.

Even with the “Build America, Buy America” reference (along with some new challenges to navigate globally post-Inflation Reduction Act criticism) and the nation-state adversary spotlight, the message isn’t protectionism. In fact, an entire pillar and five pages of the new strategy are dedicated to foreign partnerships, including strategic, intelligence and law enforcement collaborations. Notable among them is the International Counter Ransomware Initiative. The effort brings together three dozen countries and the European Union to champion a series of coordinated efforts to “disrupt cyber criminals, counter illicit finance, build private sector partnerships, and cooperate globally” on the ransomware challenge, which the White House describes as a “pocketbook issue.”

This is a national strategy, not simply a White House strategy

Though not the first federal cybersecurity strategy, it boasts the highest-level agreement and commitment yet from across the executive branch, which bodes well for federal cohesion.

It also makes it clear that the mission to defend our digital ecosystem, which includes our nation’s most critical infrastructure, does not exist in a vacuum. With hardly a page lacking references to partners in industry, academia, and across the globe, the need for collaboration is simultaneously the most crucial and most challenging factor in implementation. Key will be continuing to include those diverse voices in developing future federal and Congressional actions.

Acting National Cyber Director Kemba Walden remarked at the strategy’s unveiling that the “strategy is only as good as its implementation,” and this document is not in itself the implementation. Rather, it is a thesis statement for the coming years. It is detailed but not prescriptive, with room to innovate and to adopt principles and approaches that will only emerge as possibilities once we begin to execute on the current blueprint. Now comes the need for unified, coordinated, whole-of-community action to bring it to life.

Katherine D. Ledesma is former Senior Policy Advisor at the Cybersecurity and Infrastructure Security Agency (CISA). She has also served in Deputy Chief of Staff and Senior Policy Analyst positions at the U.S. Department of Homeland Security and held positions at the North American Electric Reliability Corporation (NERC) and the U.S. Department of State.