After months of speculation, media buzz and industry dialogue, the long-awaited 2023 National Cybersecurity Strategy has been released. We’ve been hearing rumbles of the strategy for quite some time.
Leaders such as the recently retired first U.S. National Cybersecurity Director Chris Inglis stated in 2022 that “cybersecurity needs a whole-of-society effort”.
The Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly has been engaging with the public and calling for technology companies to take more responsibility and quit shipping unsafe products that are “embedded into the very foundations of our society”.
Others, such as the Deputy National Security Adviser for Cyber and Emerging Technology, Anne Neuberger, have, when discussing the longstanding voluntary nature of cyber standards, made statements such as “voluntary efforts have been insufficient against the threat to the critical services Americans rely on”.
That said, all the previous public speculation and commentary aside, let’s take a look at the various aspects of the new strategy and see how it has unfolded.
Opening
The 2023 National Cyber Strategy opens with words from President Joe Biden.
Mr. Biden discusses how technology touches nearly every aspect of American life and touts previous efforts of the administration, such as the Bipartisan Infrastructure Law, which aims to enable all Americans to have access to high-speed Internet.
The President goes on to discuss the essential role of cybersecurity in the basic functioning of every aspect of our society, from the economy and critical infrastructure to our democratic institutions. President Biden discusses the previously issued Cybersecurity Executive Order on Improving the Nation’s Cybersecurity, which has gotten tremendous industry attention, specifically in areas such as Zero Trust, Cloud Computing and Software Supply Chain Security. President Biden states the world is at an “inflection point”, including in our digital world, and stresses how critical it is to make the right choices to secure cyberspace for the decades that will follow.
The strategy goes on to an introduction, which discusses the various ways the Internet has transformed the world and touches on both the promise and perils of technology. From promoting democracy, free speech and innovation to enabling repression, digital authoritarianism and IP/data theft - technology, like any tool, can do incredible good or incredible harm, depending on how you wield it.
Strategic Environment
Following that introduction, the strategy lays the groundwork of the current strategic environment. While progress is being made to enable a secure digital ecosystem that is inclusive and aligns with American values, it is also threatened by malicious actors.
Among the emerging trends discussed is the deepening trend of digital dependencies and interdependent complex systems. We now live in a society rife with systemic risk, most of which is invisible to the eye, but just as dangerous.
The strategy discusses how the Internet connects everything from individuals and organizations to entire countries, but also how global interconnectivity allows cascading risks and impacts, such as the NotPetya situation with Russia in 2017. The barrier between the digital and physical world continues to blur as critical infrastructure and operational technology systems evolve.
There is also an emphasis on the malicious actors themselves, naming nations such as China, Russia, Iran and North Korea and the respective threat they pose to U.S. and Western national interests and ways of life. There’s an emphasis on the capabilities of these nations on the digital battlefield, especially those such as the People’s Republic of China (PRC) and Russia, who have heavily invested in and cultivated their cyber capabilities to destabilize and disrupt other nations with which they have contentious relationships. From attacks on critical infrastructure to the spread of mis/disinformation and IP theft, the attacks are constant and sophisticated, impacting even the most capable and well-resourced U.S. and Western organizations and institutions.
A Path to Resilience in Cyberspace
The strategy lays out the path to a resilient cyberspace, which it states revolves around five pillars:
Defending Critical Infrastructure
Disrupting and Dismantling Threat Actors
Shaping Market Forces to Drive Security and Resilience
Investing in a Resilient Future
Forging International Partnerships to Pursue Shared Goals
It’s stated that to ensure the five pillars materialize, two fundamental shifts must occur:
Rebalancing the Responsibility to Defend Cyberspace
Realigning Incentives to Favor Long-Term Investments
You’ll notice that these shifts align with statements we cited earlier from folks such as Jen Easterly, Chris Inglis and Anne Neuberger.
The rebalancing shift stresses that the best-positioned, capable and well-resourced organizations (often technology vendors) need to be good stewards of the digital ecosystem. It is stated that end users/citizens often bear the consequences of cyber risks and unsafe products, and it calls on the best-positioned actors to help create a more secure and safe digital ecosystem.
This is a perspective shared by researchers such as Chinmayi Sharma, who in her research publication titled “A Tragedy of the Digital Commons” referred to Software/Technology Vendors as the “least-cost avoider”, an economic concept holding that, as a society, we should impose liabilities and obligations on those who are in a position to fix problems while incurring the least cost. This is discussed in a Lawfare Blog post from Paul Rosenzweig dating back to 2013.
Next up is the need to realign incentives to favor long-term investments. This section discusses the need to incentivize decision making that takes the long-term implications of a resilient and secure cyberspace into consideration and not just short-term objectives and desires.
This is in line with the concept put forth by many that cybersecurity is a “market failure”, which is often described as a situation where “individual incentives for rational behavior do not lead to rational outcomes for the group”. Applied to cybersecurity, vendors and technology companies often act in their own self-interest, aligned with objectives such as speed to market, market share and profits, over secure and resilient products, which leads to the widespread systemic cybersecurity risk we now see impacting our society.
At the end of the day, technology and software producers simply aren’t incentivized by market forces alone to prioritize cybersecurity. The strategy says that “the United States has an opportunity to rebalance the incentives necessary to lay a stronger, more resilient foundation on which to build the future of our digital ecosystem”.
This largely points to Pillar 3, which has been and will be the most contentious and debated aspect of the strategy, especially in our free-market capitalistic society that is leery of the heavy hand of regulation, as well as efforts by lobbyists and incredibly well-resourced companies to avoid the burden of regulation. For example, we’ve seen efforts by industry groups and lobbyists to push back on efforts such as Software Bill of Materials (SBOM) language in the National Defense Authorization Act (NDAA) and the recent Office of Management and Budget Memo 22-18.
The 2023 National Cybersecurity Strategy aims to build on existing policy, citing efforts such as DFI, the Freedom Online Coalition, the Cyber EO, National Security Memorandums and DoD and IC guidance and publications.
Pillar One: Defend Critical Infrastructure
The first pillar up in the strategy is Defending Critical Infrastructure. For those unfamiliar with the term, critical infrastructure is defined by DHS/CISA as sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.
Those include sectors such as Communications, the Defense Industrial Base (DIB), Dams, Energy, Financial Services and several others, 16 in total, which you can find here.
The strategy states that Americans must have confidence in the availability and resilience of our critical infrastructure and the essential services it supports. It calls on the owners and operators of critical infrastructure to have cyber protections in place to disrupt malicious actors. While the number is debated, it is often said that up to 85% of the U.S.’s critical infrastructure is owned and operated by the private sector.
The strategy cites how the administration has established new cyber requirements for specific critical sectors, such as a May 2021 Security Directive, issued by the Transportation Security Agency (TSA), which required critical pipeline owners and operators to report confirmed and potential cyber incidents to CISA as well as designate a Cyber Coordinator. This of course followed the ransomware attack on the Colonial Pipeline, which led to a variety of impacts, including disruption to airlines, fuel shortages, panic-buying and general public disruption and concern.
There are calls to facilitate new and innovative capabilities for the owners and operators of critical infrastructure to secure it and also to enable collaboration with their industry peers as well as Federal and other government entities.
Pillar One goes on to lay out various strategic objectives, which we will discuss. The first of these is:
Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety.
This objective acknowledges the impact that voluntary approaches to critical infrastructure cybersecurity have had, but states that the lack of mandatory requirements has led to inadequate and inconsistent outcomes. It is stated that regulation can level the playing field while still enabling healthy competition. There is a need for modern and “nimble” regulatory frameworks tailored to each sector’s risk profile and also harmonized to reduce duplication, which has been a concern and recommendation recently raised to the President by the National Security Telecommunications Advisory Committee (NSTAC).
The objective states that the Federal Government will use existing authorities to set necessary cyber requirements in the various critical sectors. It will do this by addressing existing gaps in cyber requirements and striving to mitigate market failures, as discussed above. It is said that the Administration will encourage states and independent regulators to exercise their existing authorities to set cyber requirements. The strategy says the regulations should be “performance-based” and use existing frameworks and standards, a nod to the goal of harmonizing cyber frameworks and avoiding duplication and burden on industry. For a discussion of “performance-based” cyber standards, see this excellent article from James Dempsey at Lawfare Blog.
There is further emphasis on harmonizing and streamlining new and existing regulations. This is being pursued to minimize the burden of unique requirements and toil on regulated entities and organizations. It is said that the Office of the National Cyber Director (ONCD), along with the Office of Management and Budget (OMB), will lead efforts to harmonize regulations.
Cybersecurity and regulation don’t come without cost, and this objective stresses the need to enable regulated entities to actually afford security. As noted in the strategy, the resources and capabilities of regulated entities vary greatly, from some that are well-equipped to absorb the costs of cyber regulation to those that aren’t. This is often referred to as the “Cybersecurity Poverty Line”, a phrase coined by Wendy Nather in a 2013 RSA presentation titled “Living Below the Security Poverty Line: Coping Mechanisms”.
Strategic Objective 1.2: Scale Public-Private Collaboration
This strategic objective is aimed at improving collaboration between the public and private sector, both of whom are targeted and impacted by the efforts of malicious actors. It is said that cyber defenses must emulate the distributed nature of the Internet. There is a call to create a “network of networks” through technology-enabled connectivity and cross-organizational collaboration.
Examples of how this can and does occur are given in relation to CISA coordinating with Sector Risk Management Agencies (SRMAs), which in turn coordinate with the owners and operators of critical infrastructure as well as organizations such as Information Sharing and Analysis Organizations (ISAOs) and sector-specific Information Sharing and Analysis Centers (ISACs).
There’s an emphasis that these activities and collaboration will continue and also leverage technology to facilitate more efficient and effective information sharing.
Strategic Objective 1.3: Integrate Federal Cybersecurity Centers
This objective touts the role that Federal Cybersecurity Centers play in coordinating authorities and capabilities of the various Federal departments and agencies responsible for supporting the defense of critical infrastructure. It points to entities such as CISA’s Joint Cyber Defense Collaborative (JCDC), the National Cyber Investigative Joint Task Force (NCIJTF), Cyber Threat Intelligence Integration Center (CTIIC), Department of Energy’s (DOE) Energy Threat Analysis Center (ETAC) and others.
Strategic Objective 1.4: Update Federal Incident Response Plans and Processes
This section stresses that while the private sector is capable of responding to most cyber incidents without the help of the Federal government, the Federal government must be, and is, capable of responding when required.
This includes ensuring private sector entities know who to engage on the Government side through coherent and clear incident response coordination and communication processes.
Focus on this objective will include updating resources such as the National Cyber Incident Response Plan (NCIRP) and leaning into efforts such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA requires covered entities in the critical infrastructure sectors to report incidents to CISA within hours, to enable rapid sharing of information and involvement of the respective Government and industry organizations to mitigate the impact of incidents.
There is also emphasis on the use of the recently formed Cyber Safety Review Board (CSRB), to provide deep analysis and lessons learned from incidents, such as they did in their first report on the Log4j incident that rattled both the Open Source Software (OSS) and vendor community alike.
The strategy states that the Administration will continue to work with Congress to codify and empower the CSRB to provide these comprehensive reviews of security incidents.
Strategic Objective 1.5: Modernize Federal Defenses
This objective emphasizes the need for the Federal Government itself to possess resilient technology, services and operations to perform its functions.
The strategy points to efforts such as the Cyber EO 14028 and subsequent release of NSM 8 “Improving the Cybersecurity of National Security, the Defense Department and Intelligence Community Systems” as well as the OMB Federal Zero Trust Strategy and CISA Zero Trust Maturity Model. This section goes on to stress the key role that zero trust principles play in mitigating threats to Federal systems. There are also 3 sub-sections listed, as follows:
Collectively Defend Federal Civilian Agencies: This section discusses the role Federal Civilian Executive Branch (FCEB) agencies play in securing their own IT and OT systems to carry out their diverse missions and responsibilities. There’s a recognition of the dichotomy of balancing the individual authorities of agencies against a collective approach to defense. This balance will be found by leaning into things such as centralized shared services and software supply chain risk mitigation, including Cyber EO Section 4, which focuses on Software Supply Chain Security and SBOMs, as well as NIST’s Secure Software Development Framework (SSDF), which we have discussed previously, here.
Modernize Federal Systems: Modern, sophisticated cyber threats require capable, modernized IT/OT systems. Again, ZT principles and capabilities are stressed here, such as MFA, encryption, enhanced visibility and cloud security capabilities and tooling. It states OMB will lead the development of a multi-year plan to accelerate FCEB technology modernization efforts and the elimination of legacy systems, to bolster the security of FCEB agencies and the services they provide to the American people.
Defend National Security Systems: There’s a recognition that National Security Systems (NSS) process and store some of the Government’s most sensitive data. They need to be secured accordingly, both against foreign nation-states and against internal risks such as insider threats. This section states the NSA will work with OMB to develop a plan for NSS at FCEB agencies to continue to implement the enhanced security requirements captured in NSM-8, which we discussed above.
Pillar Two: Disrupt and Dismantle Threat Actors
Moving on from the emphasis of our internal critical infrastructure and FCEB/NSS systems, the focus shifts a bit with Pillar Two to focus on threat actors. This pillar opens with a bold statement:
“The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests”
For some, I am sure this elicits thoughts of concepts such as “hack back” and “defending forward”, as they are often referred to. The section states these efforts will include diplomatic, information, military (both kinetic and cyber), financial and other means to disrupt threat actors. It points to examples of successful disruption of transnational criminals through activities such as travel bans, denying access to money and service providers, cutting off access to digital infrastructure and more. The goal in this pillar is reliable and effective disruption of adversaries and malicious actors, and the strategic objectives align with that pursuit.
Strategic Objective 2.1: Integrate Federal Disruption Activities
There’s an acknowledgement in this objective that the Federal government’s disruption campaigns must be “so sustained and targeted that criminal cyber activity is rendered unprofitable”. Or, as the old saying goes, ensuring the “juice isn’t worth the squeeze”. This comes down to increasing the cost, in time and resources, for malicious actors to achieve their objectives, in order to dissuade the activity from occurring, at least to the extent it does currently.
This section goes on to outright discuss “defending forward” and cites efforts from the DoD to generate insights on threat actors, expose malware and disrupt malicious activity before it impacts targets. It calls for the DoD to create an updated departmental cyber strategy that aligns with the National Security Strategy, the National Defense Strategy and, of course, the National Cybersecurity Strategy we are currently discussing.
This new DoD Cyber Strategy should clarify the role of U.S. Cyber Command and other DoD entities in cyberspace and defending against both state and non-state actors that threaten U.S. interests.
Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries
This objective of Pillar 2 acknowledges the visibility and insight the private sector has when it comes to adversary activity. This is particularly true of areas such as critical infrastructure, which as we discussed earlier, is largely owned and operated by the private sector.
The strategy also acknowledges this visibility is due to the rapid pace of innovation in tooling and capabilities, which the Government is often trying to emulate with its “adoption of commercial best-practices” or capabilities; we see widespread efforts in areas such as the DoD to adopt dual-use and commercial technologies.
This objective encourages private sector organizations to come together through non-profits as well as Federal entities such as the National Cyber-Forensics and Training Alliance (NCFTA) for operational collaboration. These collaboration efforts can be enhanced by leveraging technology and digital collaboration platforms, all aimed at rapidly disrupting malicious actors.
Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification
There’s an acknowledgement that disrupting malicious actors requires timely sharing of threat intelligence between Federal and non-Federal partners and leveraging both OSS cyber intelligence and private sector threat intelligence providers.
Lastly, there’s the truth that national intelligence provides unique insights that private sector entities often don’t have visibility into. Examples include the NSA’s Cybersecurity Collaboration Center, which engages with industry groups such as the Defense Industrial Base (DIB). Other entities, such as CISA, the FBI and other law enforcement agencies, also share information with the private sector.
The goal of this objective is for the Federal Government to quickly and broadly share cyber threat intelligence with cyber defenders and to notify victims that are actively being targeted by malicious actors.
Strategic Objective 2.4: Prevent Abuse of U.S. based Infrastructure
This strategic objective cites malicious actors targeting U.S. based cloud infrastructure, domain registrars, hosting, and other digital services to carry out various activities against individuals and organizations alike.
It states the U.S. Government will work with providers such as cloud and Internet/Infrastructure providers to quickly identify malicious use of U.S. based infrastructure, share information and seek to disrupt those activities.
There’s an emphasis on the role that service providers play and the need for them to attempt to disrupt malicious activity using their infrastructure for abusive purposes.
The goal is to work with Infrastructure-as-a-Service (IaaS) providers and others to make it difficult for malicious actors to abuse U.S. based infrastructure while not impinging on citizens’ privacy. Malicious actors using the cloud to launch their attacks isn’t new or surprising.
Cloud IaaS offers a dynamic, ephemeral and often anonymous approach to quickly spinning up infrastructure and systems to carry out malicious activities. In fact, AWS admitted that hackers used their EC2 service to perform aspects of their attacks.
Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware
Anyone who has been in IT/Cybersecurity for some time is undoubtedly familiar with ransomware. It remains one of the most successful and widespread types of attack wielded by malicious actors, impacting everything from private SMBs to critical infrastructure providers, educational institutions, Government agencies and more.
This objective refers to ransomware as “a threat to national security, public safety, and economic prosperity”. It cites the trend of malicious actors launching ransomware attacks from safe havens such as Russia, Iran and North Korea. It states the U.S. will employ all elements of national power across four lines of effort to disrupt the impact of malware on key critical infrastructure.
These lines of effort include international cooperation, law enforcement, bolstering critical infrastructure resilience and addressing the abuse of virtual currency for ransom payments. It cites the ability to subject financial institutions that offer covered services for crypto to oversight through sources such as Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls.
Pillar Three: Shape Market Forces to Drive Security and Resilience
Pillar Three inevitably represents the pillar that has generated the most industry buzz and dialogue, as well as concerns from industry. Economies that are organized like the U.S. are always skeptical when it comes to increased regulation. That said, as we have discussed above, many make the argument that cybersecurity is a market failure and the strategy even previously discussed the need to revise incentives and market dynamics to try and drive a more serious focus on the security and safety of digital products.
This pillar opens by stating that:
“To build the secure and resilient future we want, we must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk”.
Like many others, I quickly take pause when I see discussion of the government shaping the market. That said, it is also hard to refute years/decades of failures in the areas of IT and Cybersecurity when it comes to natural market dynamics and forces driving an emphasis on security.
The strategy states that too often organizations deliberately choose not to invest in cyber and ultimately end up disproportionately impacting those not best positioned to address the cyber risks, such as SMBs and vulnerable communities. The strategy does emphasize that market forces are the first and best route for agile and effective innovation; they have simply fallen short in motivating industry to prioritize secure and safe products and software.
Goals within this pillar include holding data stewards accountable for the protection of personal data, driving the development of more secure devices and reshaping laws that govern liability for data losses and harm from sources such as cyber errors, software vulnerabilities and more. There is also the point that the Federal government plans to use its massive purchasing power and grant-making to incentivize security.
We already see examples of this taking hold with the Cyber EO, OMB Memo 22-18 and efforts around SBOMs from NTIA and now CISA, which have made SBOMs one of the most widely discussed topics in the industry as of late, even among commercial sector organizations and innovators.
Strategic Objective 3.1: Hold the Stewards of our Data Accountable
This strategic objective focuses on the importance of protecting consumer privacy in our digital future. Organizations now possess massive amounts of personal data and this comes with the need to be responsible data stewards and properly safeguard this personal data.
When they don’t, as the strategy points out, the cost is passed on to everyday Americans. This objective makes it clear that the Administration is open to supporting legislative efforts to impose “robust, clear limits on the ability to collect, use, transfer and maintain personal data and provide strong protections”. It states these requirements should align with guidelines published by sources such as NIST.
Strategic Objective 3.2: Drive the Development of Secure IoT Devices
Among the most prevalent trends in IT is the prolific growth of IoT devices. IoT devices include networked devices such as fitness trackers and baby monitors, but also industrial control sensors and more. Current estimates on the number of IoT devices reach into the tens of billions.
This objective states that many IoT devices deployed today are not sufficiently protected against cyber threats. This includes problems such as insecure default settings, the inability to receive patches and upgrades or a lack of them, and unnecessary components and capabilities that enable malicious actors. The objective points to the IoT Cybersecurity Improvement Act of 2020 as an example of continued efforts to bolster the security of IoT devices.
It also mentions IoT security labeling efforts, which spawned out of the Cyber EO. The labeling efforts aim to address the information asymmetry (remember we discussed this related to market failures) that currently exists between software/technology producers and consumers.
For an example of the potential power of IoT insecurity, take a look at the Verkada breach, which involved over 150,000 connected cameras.
Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
As we have discussed throughout this article, market incentives don’t encourage secure software products. In fact, this objective states “markets impose inadequate costs on, and often reward, those entities that introduce vulnerable products or services into our digital ecosystem”.
This means vendors often neglect “baking in” security measures and best-practices in the name of speed to market, cost-savings and other profit-driven factors. The objective states we must begin to shift liability onto the entities that fail to take these reasonable precautions and produce secure software, while also recognizing that no software security program is infallible, no matter how advanced.
Once again we hear calls to place responsibility on those most capable of taking action to prevent bad outcomes, aligning with the earlier mention of the “least cost avoider”, in this case software and technology vendors, not end users and consumers. One particular aspect I was glad to see is that there is also a point made that the onus shouldn’t fall on the OSS developer of a component that a software/technology vendor decided to integrate into their commercial products.
I previously made a post explaining that OSS developers and maintainers are not your “suppliers” and you own the responsibility for the OSS components you integrate into your commercial software and products. You can find that in an article I dubbed “Supplier Misnomer”.
This objective states that the Administration plans to work with Congress and the private sector to develop legislation establishing liability for software products and services, aimed at preventing manufacturers and software publishers from disclaiming liability by contract and establishing a higher standard of care. On the flip side, it states that the Administration will drive a safe harbor framework to shield companies that act responsibly from liability.
Once again, it points to NIST’s SSDF, saying the safe harbor will draw on the SSDF as an example of best-practices that would shield producers and providers from liability. Going further, the strategy states it will incentivize secure software development practices such as coordinated vulnerability disclosure across all sectors, promote the development of SBOMs and the use of memory safe languages, which is something sources such as the NSA have been championing as of late.
Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build in Security
This objective identifies Federal grant programs as strategic opportunities to make investments in critical infrastructure. It points to examples such as Bipartisan Infrastructure Law, Inflation Reduction Act and the CHIPS and Science Act as “once-in-a-generation” investments in our infrastructure.
Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability
As we have discussed above, the Federal government has massive purchasing power, and by extension, the ability to drive behaviors in the technology market.
This objective points to examples such as the Cyber EO and follow-on memos such as OMB 22-18, which call for software vendors selling to the Federal government to self-attest to, and in some cases undergo a third-party assessment of, their use of secure software development practices, as well as to provide artifacts such as SBOMs to demonstrate the security of their products and offerings.
Building on these examples the objective points to sources such as the Civil Cyber-Fraud Initiative (CCFI) that can use DOJ authorities and the False Claims Act to pursue civil actions against Federal contractors that fail to meet cyber obligations.
Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop
This objective calls for the Federal government to “stabilize the economy and aid recovery” in the case of a catastrophic cyber incident. This is an attempt to structure what that aid may look like in advance of an incident, rather than when the chaos is upon us. Many would argue this is prudent, given that sources such as the World Economic Forum (WEF) predict a major catastrophic cyberattack within the next two years.
Pillar Four: Invest in a Resilient Future
This pillar opens with the line that:
“A resilient and flourishing digital future tomorrow begins with investments made today”
There’s a call for the Federal Government to leverage their strategic public investments in innovation, R&D and education to serve the national interest. This includes leveraging sources such as the National Science Foundation (NSF) as well as others mentioned previously such as the CHIPS and Science Act.
Strategic Objective 4.1: Secure the Technical Foundation of the Internet
There’s an acknowledgement that the Internet is critical to the future but is ultimately a structure of its past. This means security wasn’t a key consideration in many of the fundamental aspects of technology and the Internet, and it’s led to a situation where in some ways we’ve built on a foundation of sand.
Specific examples it points to include Border Gateway Protocol (BGP) vulnerabilities, unencrypted Domain Name System (DNS) requests and slow adoption of IPv6. Moving forward, the objective calls for sustained engagement to create technical standards and technologies that are more secure and resilient.
There’s also an emphasis that the Government will be working with non-governmental Standards Development Organizations (SDOs), industry organizations, academia and others to drive this secure technical foundation.
Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity
This objective points to the Federal Cybersecurity Research and Development Strategic Plan to identify and prioritize the R&D efforts needed to mitigate cyber risks.
This includes working with sources such as NSF as well as DOE National Labs and Federally Funded Research and Development Centers (FFRDCs). It states there are three families of technologies that will be prioritized: computing-related technologies (e.g. microelectronics, quantum, AI), biotechnologies and clean energy technologies.
Strategic Objective 4.3: Prepare for our Post-Quantum Future
As we all know, a major component of ensuring the C of the CIA triad (Confidentiality, Integrity and Availability) is encryption. This objective points to the reality that quantum computing brings the potential to break many of the most pervasive encryption standards in use today.
This requires investment in hardware, software and services to replace legacy technology that is vulnerable to quantum computing. The objective points to NSM-10, “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems”.
Strategic Objective 4.4: Secure our Clean Energy Future
This objective acknowledges a broad push for clean energy as a primary energy source in the future, which is bringing a new generation of hardware/software systems into the U.S. electric grid.
These devices and systems are of course “smart”, which means they are connected, which means they are vulnerable, perhaps more so than legacy systems that often exist in “air gap” environments and don’t necessarily provide robust software-driven capabilities and network accessibility.
The objective emphasizes the role DOE needs to play in ensuring cybersecurity for electric distribution and distributed energy resources, along with collaboration from industry and others.
Strategic Objective 4.5: Support Development of a Digital Identity Ecosystem
Anyone operating in the industry over the last several years has watched it shift from a perimeter security model to one that is data/identity focused. This objective points out that the lack of secure, privacy-preserving digital identity solutions allows massive fraud, inefficiency and risk.
The objective states that the Federal government will encourage and enable investments in digital identity solutions, including accessibility and interoperability.
The Federal CIO community has produced robust Identity, Credentialing, and Access Management (ICAM) guidance and playbooks that agencies are now pursuing as part of digital modernization and zero trust efforts. NIST also provides a series of Digital Identity Guidelines in their NIST 800-63 series of documentation, which are worth a read. I also created a robust GitHub repository of Federal Identity resources, which can be found here.
Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce
I was personally very glad to see the workforce be prominently featured in the National Cyber Strategy. As an industry, we often disproportionately focus on the technologies and tools, neglecting the reality that underneath all of it are humans.
The best strategy will fail without the appropriate workforce to support its implementation. The strategy cites that there are hundreds of thousands of unfilled vacancies in cyber positions nationwide and the gap is growing. This is supported by sources such as ISC2’s 2022 Workforce Study.
Challenges attracting and retaining talented cyber professionals impact the public and private sector alike (but the former disproportionately). This objective aims to expand the national cyber workforce and improve access to cyber education and training pathways.
It points to sources such as the National Initiative for Cybersecurity Education (NICE), CyberCorps: Scholarship for Service and other programs aimed at the cybersecurity workforce.
The objective also emphasizes the need to expand the hiring pool to be more inclusive and not overlook underserved communities that aren’t proportionately represented in the cyber workforce.
On this topic, just a couple of weeks ago the DoD CIO issued their new Cyberspace Workforce Qualification & Management Program (also known as the DoD 8140 series).
Pillar Five: Forge International Partnerships to Pursue Shared Goals
Phew, we’ve finally made it to the fifth and final pillar of the 2023 National Cybersecurity Strategy, thanks for sticking with me this long, as it is a comprehensive strategy with a lot of ground to cover.
As discussed in the opening of the strategy, the Internet and cyberspace (and cybercrime) operate across state, national and continental lines, in a borderless fashion that touches every society in some shape or fashion.
Due to this reality, the U.S. must work with its international partners and community towards shared goals to create a more secure, safe and resilient global digital ecosystem.
Strategic Objective 5.1: Build Coalitions to Counter Threats to our Digital Ecosystem
Much like alliances are formed to insulate nations from the threat of kinetic warfare and aggression, we need alliances to mitigate threats in cyberspace as well. This objective cites the launch in 2022 of the Declaration for the Future of the Internet (DFI) which includes over 60 countries and coalition partners - all oriented around a “common, democratic vision for an open, free, global, interoperable, reliable, and secure digital future”.
Efforts such as DFI are focused on bringing together countries with a shared vision of what our international digital ecosystem should look like.
The objective goes on to cite numerous other efforts such as the Quadrilateral Security Dialogue, the Indo-Pacific Economic Framework for Prosperity (IPEF) and the U.S.-EU Trade and Technology Council (TTC) as examples of entities fostering this international digital collaboration.
These efforts include attempts to mitigate the ability of malicious actors to avoid the rule of law by operating out of foreign computing infrastructure while attacking U.S. targets.
Strategic Objective 5.2: Strengthen International Partner Capacity
In support of the previous objective of international coalitions for a secure digital ecosystem, the U.S. plans to coordinate international cyber capacity-building and collaboration.
This includes bilateral and multilateral engagement, agreements and cooperation. Another example cited is military-to-military relationships that leverage partners’ and allies’ unique skills and provide our support in kind.
Strategic Objective 5.3: Expand U.S. Ability to Assist Allies and Partners
The U.S. must stand ready to assist its allies in cyberspace and this objective points to examples of cyberattacks against nations such as Costa Rica, Albania, and Montenegro as partners falling victim to malicious actors.
These partners and allies may, and often do, seek U.S. support to investigate, respond to and recover from cyberattacks. This objective is ultimately aimed at demonstrating solidarity in the face of cyberattacks.
Strategic Objective 5.4: Build Coalitions to Reinforce Global Norms of Responsible State Behavior
This objective points to agreements that United Nations (UN) members have made regarding peacetime norms for behavior in cyberspace. These include avoiding activities in cyberspace that intentionally damage critical infrastructure.
The strategy states that the U.S. plans to hold irresponsible states accountable if they fail to uphold their commitments. Responses cited include pairing statements of condemnation with the imposition of “meaningful consequences”, including diplomacy, economic costs, counter-cyber efforts and legal sanctions, among others.
Strategic Objective 5.5: Secure Global Supply Chains for Information, Communications and Operational Technology Products and Services
This last objective acknowledges the complexity of our globally interconnected supply chains for technology products and services, many of which now power the modern U.S. economy.
In a signal of intent to bolster domestic production of critical inputs, components and systems, it states these items “must be developed at home, or in close coordination with allies and partners who share our vision of an open, free, global, interoperable, reliable and secure Internet”. Specific examples cited include 5G, wireless networks and the Bipartisan Infrastructure Law, which applies “Build America, Buy America” requirements to Federally-funded projects, which of course include digital infrastructure.
The objective cites several other EOs aimed at bolstering domestic production of supplies and components, as well as strategic production with key allies and partners, aimed at protecting Americans’ sensitive data and insulating the U.S. from the risk of systemic dependence on nations with which we have an adversarial relationship.
Implementation
As the now famous quote from Morris Chang goes:
“Without Strategy, execution is aimless. Without Execution, strategy is useless”
The 2023 National Cybersecurity Strategy certainly lays out a compelling vision and strategy for the future of a secure, resilient digital ecosystem for not just the U.S. but also its partners and allies.
However, as with most audacious Government initiatives, its success, or lack thereof, will come down to actual execution.
The strategy closes out by focusing on implementation. It says the NSF staff will be working with OMB and ONCD to coordinate the implementation of the strategy. This includes assessing its effectiveness using a data-driven approach, followed by an annual report to the President and others on the effectiveness of the strategy and the follow-on actions needed to achieve its goals.
There’s also an emphasis on incorporating lessons learned from sources such as the CSRB, which we previously mentioned, and which will provide deep analysis of and insights into significant cyber incidents.
Finally, in an acknowledgement of the required investment, not just by industry but also the Government to support this strategy, it states that ONCD and OMB will be issuing annual guidance to Federal agencies on cybersecurity budget priorities.
Closing
Well, there you have my analysis and coverage of the newly released 2023 National Cybersecurity Strategy. Like so many of you working in IT/Cyber I deeply understand how important it is for the various aspects of this strategy to materialize into successful implementation.
I am excited to do my part in my professional endeavors to try and contribute to that success and look forward to being on this journey that we are on as a “whole-of-society”, as technology, software and cybersecurity now touch nearly every aspect of our modern society, for better, or worse - and where we go from here will determine how much of the former or latter that is.