A Strong National Cyber Strategy is Good – Even If You Disagree With It
The 2023 National Cybersecurity Strategy goes beyond truisms to articulate a clear cybersecurity policy vision to put the US on a different path. The Strategy’s strength comes from four characteristics. It has a transparent philosophical core, confronts hard problems, has a long-term outlook, and explicitly involves the legislative branch. Even if someone disagrees with the recommended policies, the Strategy’s clarity and definitive choices will make the resulting policy debates far more useful in making the changes we need to have a more secure digital ecosystem.
The White House released the National Cybersecurity Strategy in early March 2023. It articulates a clear vision for a desirable end-state, the principles that should guide cybersecurity policy to achieve that end-state, and concrete objectives that will demonstrate progress towards that goal. The Office of the National Cyber Director and the National Security Council staff deserve credit for successfully shepherding this document through the government’s policy review process because producing a strategy with less substance that said “cybersecurity is good, and we should have more of it” would have been much easier and quicker.
This policy’s success comes at a crucial time. Our cybersecurity challenges are multi-faceted and systemic, and our current policy frameworks are not driving toward a desirable ecosystem. In fact, we face a significant risk of catastrophic outcomes if we continue down our current path. If we want to achieve a different outcome, then we need to fundamentally change our approach and adopt some new policy frameworks. This National Cybersecurity Strategy achieves that goal. It puts the US on a different path, one that in my view will lead to a much more sustainable digital ecosystem that benefits everyone. However, even if you disagree with that view, you should still welcome this Strategy, because it provides a clear baseline against which you can argue and propose alternatives. This environment is much more conducive to debate and refinement, as opposed to having a Strategy that simply restates truisms against which no one can argue.
What gives the National Cybersecurity Strategy this strength? Four characteristics stand out.
The Four Key Characteristics of the National Cybersecurity Strategy
First, the National Cybersecurity Strategy is not just a list of related actions that agencies will take on the topic. Instead, it lays out how the Administration wants to change the status quo from a philosophical or first principles standpoint. These principles then run through the entire document, giving the Strategy strong policy coherence. In effect, its five pillars and 27 objectives all support three principles or themes: raise the level of cybersecurity through mandatory cybersecurity requirements for certain organizations, rebalance the security burden across the digital ecosystem to more capable entities, and disrupt the activities of malicious cyber actors more regularly. These three themes give the Strategy a set of organizing principles against which to measure proposed policies. If a proposed policy would move the nation towards these goals, then it can be considered; if not, it can be rejected.
Second, these changes to the status quo will prove hard to achieve. This characteristic may not seem like a strength, but the fact that the Strategy does not shy away from advocating for policies the Administration knows will be hard to achieve gives the Strategy long-term relevance and staying power. Naturally, the status quo has proponents who will resist change for a wide variety of reasons, some based on principles, others based on self-interest. For example, altering the liability structure for the IT and OT software markets will prove exceptionally challenging because some perceive that proposal as faulty while others see it as costing them money. However, pretending that we can somehow achieve a fundamentally different outcome without taking some risks or creating costs for some entities in the ecosystem isn’t helpful or realistic. We will have to make tradeoffs and expend resources to alter our current trajectory. Tackling these issues head-on demonstrates strength.
Third, the Strategy cannot be fully executed in the remainder of President Biden’s first term. Going for short-term wins usually represents the path of least resistance and ensures credit for any payoffs goes to the current Administration. While the Biden Administration will want to show progress in implementing the Strategy, it has laid down a marker that it is not afraid to think long-term and is not concerned that a future Administration might get credit for the results. That’s a good thing, because the current digital ecosystem has developed over the last 30 years, and it will not radically change in the next two. Embracing the long-term nature of the needed solutions gives another kind of strength to the document.
Fourth, the Strategy does not shy away from calling on Congress to participate in implementing it. For the Executive Branch, focusing only on actions it can control is much easier and less politically challenging. Yet, only Congress can address some of the cybersecurity issues we face as a society. Only Congress can tackle issues such as software liability or regulatory harmonization among independent regulators. Getting Congress to act will not be easy – it took five years to pass the Cybersecurity Information Sharing Act and several more to establish the Cybersecurity and Infrastructure Security Agency as its own entity within the Department of Homeland Security. However, these issues are too important to leave solely to the Executive Branch; cybersecurity has such a profound effect on so many different aspects of our society that we need Legislative Branch participation to give any changes legitimacy and permanence. The Administration’s embrace of the need for Congressional participation is a welcome element of the Strategy and another source of strength.
Summing It All Up
As a result, even if readers disagree with some or all of the Strategy’s cybersecurity policy proposals, they should appreciate its transparency and strong principles. The clear policy positions will make the resulting policy debates far more useful in making the modifications we need to have a more secure digital ecosystem. At this point in cybersecurity’s maturation as a policy discipline, platitudes will not produce the change needed to reduce the impact of malicious cyber activity. Only fundamental alterations will do that. Let’s make use of the opening provided by the National Cybersecurity Strategy to make some thoughtful, meaningful changes.
ABOUT THE AUTHOR
Michael Daniel is the President and CEO of the Cyber Threat Alliance, a non-profit, threat intelligence-sharing organization focused on the cybersecurity industry. He previously served on the US National Security Council staff as the US Cybersecurity Coordinator and a Special Assistant to President Obama.