Published by The Lawfare Institute
in Cooperation With
Editor’s Note: This piece is the second in a two-part series about White House cybersecurity policies. Part 1 of the series can be found here.
More than 50 years ago, an influential task force concluded that it was impossible to adequately secure computers and networks from cyberattacks unless they were entirely closed off from the outside world. Attackers, not defenders, generally have the advantage. Two years later, the Air Force convened another important task force, which found that “none of the [red team] efforts had failed to date.” That is, when friendly hackers attempted intrusions to test cybersecurity, they always succeeded.
Not only do those half-century-old assessments remain broadly relevant today, but so are many of the solutions: “Unless security is designed into a system from its inception,” these earliest computer security experts wrote in 1972, “there is little chance that it can be made secure by retrofit.” Or as cyber defenders say now, we need security by design, baked in from the beginning, not bolted on later.
After five decades, the same problems remain: Attackers still have the advantage. After five decades, reports make the same findings. After five decades, little seems to have changed. The improvements that defenders implement are overwhelmed by our growing (and already significant) dependence on technology and the improvements made by the attackers.
There may be hope, however. On March 2, the Biden administration released its new National Cybersecurity Strategy. Developed by the Office of the National Cyber Director (ONCD), the strategy is the United States’ boldest attempt yet to break this long running cycle, which, if not dealt with, will worsen over time. Unless cyber defenders drive real change now, the situation will worsen for another 50 years, or longer. Future generations will not have an internet as amazing and open as the one today, one that perhaps is taken for granted.
The new strategy tackles head-on the seemingly eternal challenges of security by design, calling for “fundamental changes to the underlying dynamics of the digital ecosystem,” rebalancing “the advantage to its defenders and perpetually frustrating the forces that would threaten it.”
This requires realigning incentives to favor long-term investments, one of the first fundamental shifts in the strategy. When faced with the trade-offs between easy but temporary fixes and durable, long-term solutions, the U.S. government must help ensure that organizations—whether public or private sector—are incentivized to consistently choose the more secure and resilient path. Software companies should no longer be incentivized, for example, to rush insecure products to market, maximizing their profit but inflicting insecurity on everyone else.
The other fundamental shift in the strategy is rebalancing the responsibility to defend cyberspace from those with the least ability to those with the greatest. It is ineffective—and frankly unjust—to expect individuals, small businesses, state and local governments, and others with limited resources to successfully implement cybersecurity.
The strategy essentially calls for the U.S. population to raise its expectations of cyberspace’s most capable actors—specifically the federal government but also the major technology companies—to weave a more defensible cyberspace.
To implement these shifts, the strategy advances across all four aspects of cybersecurity policy.
The Four Flavors of Cyber Policy
“Cybersecurity policy” is a phrase that is often thrown around without much explanation of what it means. Broadly, cybersecurity policies mean one of four different things: they are about “each of us,” “all of us,” “them,” or “everything.”
Each of Us. Most cyber strategies and policies address how “cybersecurity is everyone’s job.” They answer the question: How can each of us better secure our organization and personal technology?
Every person using an internet-connected device implicitly or explicitly makes similar policies for themselves. For example, we might ignore two-factor authentication for a streaming video account but not for online banking. Companies, which have more networks and computers, have more complex policies, such as for when employees use two-factor authentication, what data to encrypt, or when and how to allow personal devices to connect to the corporate network.
The federal government runs one of the world’s largest IT enterprises, spending over $65 billion across dozens of agencies and departments. Accordingly, it needs a complex set of policies. The National Cybersecurity Strategy will drive the federal government to update federal incident response plans and modernize its defenses so that any cyber intrusions are infrequent and minor (strategic objectives 1.4 and 1.5).
All of Us. How can security be improved, not for ourselves, but for others? Cybersecurity is hard (and inconvenient and sometimes expensive), so many of the decisions made by organizations and people may be good enough for them but impose socially unacceptable costs on others. Colonial Pipeline, for example, had not even invested in hiring a chief information security officer—one of the most basic security steps. This simple action might have prevented a major ransomware attack in May 2021, which led to the shutdown of the pipeline, causing gas shortages and emergency declarations in 17 states and Washington, D.C.
The National Cybersecurity Strategy, accordingly, has many objectives to protect all of us in cyberspace, with actions like a historic new push to establish cybersecurity regulations to secure critical infrastructure (1.1), pushing for the development of a secure digital identity system (4.5), and exploring a federal backstop for cyber insurance (3.6). These objectives are especially bold compared to past White House strategies, which relied largely on market forces to protect all of us.
Everything. Another set of strategies and policies addresses the question: How to make all of cyberspace more secure and defensible?
Cyberspace is far more than just people’s devices and the organizations of those who use it. There is a systemwide layer without which cyberspace does not operate and for which, unfortunately, security was an afterthought.
This systemwide layer includes the security of things owned by no one (such as intangible standards and protocols like Border Gateway Protocol and the Domain Name System), as well as the routers and networks that make up the core internet background, and the major software and cloud service providers that are the foundation of modern cyberspace. While disruptions to this systemwide layer can have massive scale (as with the Mirai or NotPetya attacks), the upside to its expansiveness is that investments here can be extremely efficient, improving security for billions of devices and people with minimum burden. For example, the New York Cyber Task Force, organized by my team at the School of International and Public Affairs at Columbia University, found that innovations like Windows Update or end-to-end encryption provide “leverage,” giving the largest advantage for defenders over attackers at the greatest scale and least cost.
This National Cybersecurity Strategy embraces leverage and protecting everything more than any previous strategy, with objectives like holding the stewards of our data accountable (3.1), driving the development of “Internet of Things” devices (3.2), shifting liability for insecure software products and services to software vendors (3.3), and securing the technical foundations of the internet (4.1).
Them. Cybersecurity differs from many other generational challenges because intelligent and well-funded adversaries are actively undermining U.S. efforts. Accordingly, a final set of strategies and policies address aims to stop adversaries by deterring them or frustrating their plans and operations.
The earliest cyber policies and strategies had few, if any, actions focused on adversaries. This National Cybersecurity Strategy, by contrast, has an entire pillar on strategic objectives to disrupt and dismantle threat actors, through actions such as integrating federal disruption activities (2.1), enhancing public-private disruption operations (2.2), increasing the speed and scale of intelligence sharing and victim notification (2.3), preventing abuse of U.S.-based infrastructure (2.4), and defeating ransomware (2.5), along with a range of additional measures to better collaborate in such activities with America’s international partners (5.1).
Implementing the National Cybersecurity Strategy
The cybersecurity deck has been stacked against defenders for longer than most of them have been alive. The new National Cybersecurity Strategy is an important step to break this losing streak, but it is not enough on its own.
Fortunately, the Office of the National Cyber Director (ONCD) has three advantages that will help drive implementation of this bold new approach to cybersecurity. Prior to the creation of the ONCD, fewer than 10 people were working on cyber-defense policies for the nation, out of the National Security Council (NSC). The ONCD now has more than 80 people and so can drive change like never before. For the first time, many of those 80 are permanent White House civil servants to ensure continuity between administrations and drive change. For example, the National Cybersecurity Strategy echoes language from the 2000 National Plan for Information Systems Protection about the need for a trained cybersecurity workforce; over 20 years later, this goal still hasn’t been met. The major difference now is that the ONCD has an assistant national cyber director for workforce, training, and education, who is backed by a team of experts to drive these efforts from the White House.
Even more importantly, Congress gave the ONCD the authority to review budget proposals from across the federal government to assess whether they are consistent with the strategy. The ONCD’s budget team is already building the objectives of the National Cybersecurity Strategy into the federal budget priorities to ensure they are adequately funded.
Another advantage the ONCD can rely on to drive more permanent improvement is an even more engaged and capable federal government. Through new organizations like the Bureau of Cyberspace and Digital Policy to advance cyber diplomacy at the State Department and new roles like the deputy national security adviser for cyberspace and emerging technology to drive change in the NSC, the Biden-Harris administration has even more talent and senior leaders than past administrations to see the strategy toward its conclusion. This effort builds on the successes of past administrations, such as the creation of the Cybersecurity and Infrastructure Security Agency.
Attackers have had the advantage for decades. They’ve had a lead that, as the strategy recognizes, cannot be overcome with one document in just a few years. But the new National Cybersecurity Strategy is an important change toward a more defensible cyberspace for future generations and a more resilient America.