Published by The Lawfare Institute
Editor’s Note: This piece is the first in a two-part series about White House cybersecurity policies. Part 2 of this series will be published in the coming days.
Twenty-five years ago, on May 22, 1998, the Clinton administration published the White House’s first-ever national cyber policy: Presidential Decision Directive 63 (PDD 63). On March 2, 2023, the Biden administration published the latest White House cyber strategy, the National Cybersecurity Strategy (NCS).
In contrast with other lingering national issues, such as climate change or immigration, cyber policy has enjoyed a broad consensus across three Democratic and two Republican administrations, and this article highlights that consensus. New administrations haven’t torn down the initiatives of their predecessors; rather, each White House has built on and refined them. There is a downside to this consensus and teamwork, however. Despite the various iterations of cyber strategies (and the effort of those who worked to create and implement them) over the years, many underlying cyber problems facing the United States today are worse than they were in 1998. Accordingly, something needs to change if the impact of this strategy is going to be any different.
Comparing the new strategy with those of the past decades highlights how U.S. cyber policy has changed and where this strategy most represents continuity or change. The most important topics of comparison are the promise and threats of cyberspace, getting markets to deliver security, partnerships between the public and private sectors, and countering adversaries.
Strategic Concept and Prioritization
The most important shift in the new NCS (which I helped draft as a government detailee) is not its headline-grabbing actions such as regulation (mentioned below), but that it sets out an actual strategic concept rather than just a laundry list of needed actions.
Real strategic concepts should be simple and short. The U.S. Cold War strategy was a single word (containment). The Army’s counterinsurgency strategy could be encapsulated in a simple phrase (roughly, to win hearts and minds). Moreover, a strategic concept should be expandable: practitioners can take the basic strategic idea and unpack it to develop deeper objectives in line with the established concept. Such concepts are also negatable, so that a critic can argue no, not “hearts and minds” but “kill the insurgents.” Together, these qualities drive priorities, so that the bureaucracy, when faced with competing priorities that improve cybersecurity, can decide which ones to invest in further and which to deprecate.
Past U.S. cyber strategies lacked any such expandable, negatable strategic concept. They have largely been just lists of actions, with little connection and with few ways to prioritize between them. For example, President George W. Bush’s National Strategy to Secure Cyberspace (2003) had three strategic objectives—prevent cyberattacks, reduce national vulnerability, and minimize damage and recovery time—but no guidance about which of the three was more important.
The NCS accordingly breaks new ground by calling for two shifts and a theory of change. The NCS first calls for a shift of the burdens from end users to the “most-capable and best-positioned cyber actors” who are most able to make cybersecurity improvements at scale. More specifically, the strategy aims to shift the responsibility of defending against cyberattacks from small businesses and independent users, for example, onto the federal government. The second shift calls for a change to realign incentives for more long-term investments. In other words, federal resources should be reallocated and directed to getting two marshmallows tomorrow rather than just one today.
The theory of change underlying the two shifts above is leverage. The smallest investment of resources, the smallest change, “will produce the greatest gains in defensibility and systemic resilience.” This emphasis on leverage, taken from the New York Cyber Task Force, should help drive hard choices among investment decisions.
Promise and Threats of Cyberspace
White House documents from the past 25 years present the tension between the promise that new information technologies hold for the United States and their corresponding perils.
While PDD 63 (1998) started this trend, the National Plan for Information Systems Protection of 2000 outlined it more clearly, starting with the very first paragraph of the “Message from the President,” which is essentially the most expensive piece of real estate for text in any U.S. government document:
In less than one generation, the information revolution and the introduction of the computer into virtually every dimension of our society has changed how our economy works, how we provide for our national security, and how we structure our everyday lives. … Yet this new age of promise carries within it peril. All computer-driven systems are vulnerable to intrusion and destruction. A concerted attack on the computers of any one of our key economic sectors or governmental agencies could have catastrophic affects [sic].
Every president since then has used generally similar language in their personal message to cover this promise/peril dilemma to energize a focus on cybersecurity.
While President Bush’s National Strategy to Secure Cyberspace (2003) framed the issue similarly to PDD 63, President Barack Obama’s Cybersecurity Review (2009) places blame for poor security on the “broad reach of a loose and lightly regulated digital infrastructure.”
Comparatively, President Donald Trump’s National Cyber Strategy (2018) acknowledged the promise/peril dilemma but emphasized malicious and implacable adversaries rather than American vulnerability. Uniquely for such a strategy, in the introduction of his 2023 strategy, President Joe Biden almost sidesteps the “peril” half of the dilemma, focusing not on the threats but on the opportunities if the United States gets security right:
Digital technology today touches nearly every aspect of American life. … This [strategy details the approach] to better secure cyberspace and ensure the United States is in the strongest possible position to realize the benefits and potential of our digital future.
For 25 years, presidents have acknowledged the amazing advantages of a connected society and economy but have also lamented the dangers. Even with that broad consensus in recognition of the problem (especially compared to, say, systemic racism or climate change), little progress seems to have been made as later strategies lament the same concerns.
Getting Markets to Work
Is cybersecurity best improved by letting the markets work or, if markets have failed, by regulation? This has been the most contentious debate in cyber policy and is where the Biden strategy makes the cleanest break with previous White House policies.
Until the new strategy, the position of previous administrations on markets and regulations had remained generally consistent since it was first set out 25 years ago in PDD 63:
The incentives that the market provides are the first choice for addressing the problem of critical infrastructure protection; regulation will be used only in the face of a material failure of the market to protect the health, safety or well-being of the American people.
The 2003 National Strategy to Secure Cyberspace reiterated this market-reliant (or perhaps regulation-shy) approach:
Federal regulation will not become a primary means of securing cyberspace. Broad regulations mandating how all corporations must configure their information systems could divert more successful efforts by creating a lowest-common denominator approach to cybersecurity, which evolving technology would quickly marginalize. … By law, some federal regulatory agencies already include cybersecurity considerations in their oversight activity. However, the market itself is expected to provide the major impetus to improve cybersecurity.
Despite calling out “loose and lightly regulated digital infrastructure” as a key factor driving poor security, the Obama review had little to say about markets and regulation. Beyond some calls for mandatory cyber-incident reporting, the focus was largely on incentives to improve the functioning of markets, not regulation for where they had failed.
The Trump strategy, in turn, avoided directly addressing whether there has been a market failure for which regulation is needed. The strategy does, however, feature several objectives to improve the market, such as promoting “best practices and develop[ing] strategies to overcome market barriers to the adoption of secure technologies” and improving “awareness and transparency of cybersecurity practices to build market demand for more secure products and services.”
By contrast, the Biden strategy asserts at least five times that markets have failed. The very first major action in the strategy, strategic objective 1.1, calls for more regulation:
While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today’s marketplace insufficiently rewards—and sometimes disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents. Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.
The role of regulation is one of the few cyber-policy topics that shows this partisan split. Strategies by Republican administrations either argue that new regulations make the problem worse or fail to mention them at all. Democratic administrations acknowledge that markets might fail, or that they have, and therefore action is needed. In particular, the Biden and Bush strategies could hardly be starker in the difference between their descriptions of the problem and solution.
Every strategy for 25 years has featured public-private partnerships. Though the Biden strategy goes much further than previous strategies, it is a difference only in scale and tone rather than in kind.
PDD 63 set the tone for a public-private partnership, arguing that “[s]ince the targets of attacks on our critical infrastructure would likely include both facilities in the economy and those in the government, the elimination of our potential vulnerability requires a closely coordinated effort of both the government and the private sector.”
Though PDD 63 called for a “partnership,” the new organizations and processes it called for were about information sharing, not operational collaboration, and it often seemed the federal government saw itself as the first among equals. It was, after all, a public-private partnership and not private-public.
But information sharing was never going to be enough on its own. Successful teams share information as they strive together for common goals rather than focusing predominantly on information sharing. Later strategies accordingly go beyond mere sharing.
The Obama Cybersecurity Review separated information sharing from partnerships, including for collective planning (but not collective action). While it diagnosed many issues with sharing and partnerships and matched them with recommendations, the review was not clear about the goals of such partnerships, with a few exceptions such as developing a common operating picture.
The 2018 National Cyber Strategy still featured information sharing and only loosely mentioned partnerships—perhaps with a patronizing element. Since information and communications technology (ICT) companies are in a “unique position to detect, prevent, and mitigate risk before it impacts their customers[,] … the Federal Government must work with these providers to improve ICT security and resilience in a targeted and efficient manner.” This characterizes federal partnerships as the government telling the private sector “let us help you do your job” rather than acknowledging it as a true partner.
By comparison, the tone for Biden’s National Cybersecurity Strategy was set early on by Chris Inglis, the inaugural national cyber director, who had a starkly different view. He understood the public-private relationship to extend far beyond mere information sharing and into collective action—not just partners but allies. It was his view that the U.S. government needed to stand “shoulder to shoulder” with the private sector so that adversaries have to “beat all of us to beat one of us.” The strategy accordingly calls for a “network of networks that builds situational awareness and drives collective and synchronized action among cyber defenders.”
Building toward this broader goal for operational collaboration taps into an enduring American strength: harnessing the private sector. None of America’s authoritarian adversaries, which smother or control their private sector, can match this advantage. ICT companies bring unique subject matter expertise, agility, and the ability to directly transform cyberspace to improve security. As private entities, they can take any actions they want, so long as they aren’t specifically forbidden in law—the opposite of what applies to the U.S. government, which can do only what is specifically authorized. Despite pockets of excellence, the government generally does not have the ability to match these strengths enjoyed by the private sector.
Rather, the U.S. government has other strengths: presumptive legitimacy; substantial budgets and, with that, the ability to stay focused on problems for years even if doing so isn’t profitable; and access to other levers of power, including the most coercive, up to arrests and use of deadly force.
The effort to align these strengths will take years—if not decades—as the U.S. government and private sector work with different methods and at different speeds. Even when their interests align, it is still hard to synchronize.
The earliest strategies didn’t include any specific actions to counter adversaries; they focused almost entirely on defensive actions, other than perhaps a few references to deterrence. Over time, successive strategies added more actions to address attackers.
PDD 63’s main mention of adversaries was quite limited and passive: Since “future enemies … may seek to harm us in non-traditional ways,” the government must enhance “collection and analysis of information on the foreign cyber/information warfare threat to our critical infrastructure.” There was no mention of disruption or dismantling of their infrastructure. Indeed, the Department of Defense is hardly mentioned, and deterrence was a Department of Justice mission for “responding to computer crime by juveniles.”
Bush’s 2003 strategy had slightly more active objectives, such as to “[r]educe threats and deter malicious actors through effective programs to identify and punish them” and called for “countering” attacks, possibly by developing new capabilities to “deter those with the capabilities and intent to harm our critical infrastructures.” Even though this strategy included the first cyber declaratory statement (that when attacked, the “United States reserves the right to respond in an appropriate manner”), countering adversaries just wasn’t a major focus of the strategy.
The Bush administration’s more muscular approach came out later, in the classified Comprehensive National Cyber Initiative (CNCI) of National Security Presidential Directive-54/Homeland Security Presidential Directive-23. Issued in January 2008, less than two weeks before Obama was inaugurated, CNCI included the first-known White House call to use offensive cyber forces for defensive purposes, calling for a “comprehensive and coordinated strategy to deter interference and attacks in cyberspace” and a coordinated plan “for the coordination and application of offensive capabilities to defend U.S. information systems.” Once President Obama was in office, his administration adopted the strategy.
The Trump administration’s 2018 strategy was markedly more focused on adversaries. For example, the “how we got here” subsection of the introduction focuses on adversaries’ malicious attacks, rather than U.S. vulnerabilities, as it did in previous administrations’ strategies. Accordingly, there is a sub-pillar devoted to tasks to “[i]dentify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”
While the Biden strategy retains a more traditional focus on U.S. vulnerability as the primary problem to be solved, it goes further than any strategy before by calling for actively contesting adversaries. Whereas the Trump strategy—which is ostensibly more focused on disrupting adversaries—includes it only as a sub-pillar, spending one page out of 40 on the topic, the Biden strategy elevates it to a full pillar and devotes five and a half pages out of 35 to it.
Biden’s NCS commits the United States to:
use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests[.] … Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.
Countering adversaries, unlike using regulation, has gone from one classified action among many to accepted wisdom, and a bipartisan policy priority.
Standing on Shoulders
The 2023 strategy does one more thing well, and differently: It says specifically it is rooted in the many previous Republican and Democratic White House strategies, including those summarized above. The strategy “replaces the 2018 National Cyber Strategy but continues many of its priorities” and “carries forward and evolves many of the strategic efforts initiated” by CNCI.
Not only does this indicate respect for the White House staffers who have come before, but it also recognizes that the challenges are long-standing. The authors of those earliest strategies never expected success to take more than 25 years (PDD 63 called for success “no later than five years from today”), yet here we are.
With the important changes in the 2023 National Cybersecurity Strategy—and the implementation plan currently being drafted in the Office of the National Cyber Director—hopefully, success won’t take another 25 years.