Thoughts on the National Cybersecurity Strategy
By Ted Schlein, Chairman and General Partner
This morning the White House released its new National Cybersecurity Strategy (NCSS).
First, it’s great to have this strategy, and I want to thank Chris Inglis, our country’s first National Cyber Director, for all the work he did to pull the NCSS together and for his years of service to the U.S.
The country needs direction and the new strategy shows a commitment to the importance of cybersecurity as a key component of the United States’ national security apparatus. I believe the goal of such a strategy should be to unify the nation against cyber incursions, recognizing that 85% of the country’s infrastructure is in the private sector. We have an opportunity to stop fighting within our own system and direct all our resources in one cohesive strategy. There is much work to do.
The strategy is divided into five “pillars,” and below I’ll give some opinions about each of them. I’ll also note here that the strategy includes no metrics for measuring how well we achieve any of its goals, which I think will be important for holding people accountable for their success or failure.
Pillar One: Defend Critical Infrastructure
I would refer to this Pillar as the “Kumbaya” section. It’s basically stating that all these various agencies and groups that we have in the federal government need to work more closely together. It also highlights the importance of cooperation from the private sector to work with these government agencies.
Implicit in this is that we will need to figure out better ways to share information, collaborate on that information, and coordinate action on what the information tells us.
I agree with the overall sentiment. In fact, I can’t imagine anyone disagreeing, but the reality is that we still have far too many cooks in the kitchen, which makes it hard to share, collaborate, and coordinate. There is a reluctance to declare that this group is responsible for talking with the private sector, that this group is accountable for the defense of our government agencies, etc., and then to hold each group accountable for its assignments.
Section 1.4 discusses the intention to use regulation to support national security and public safety. It alludes to creating a security hygiene standard for certain sectors of U.S. critical infrastructure and then enforcing the adherence to these standards. I think this is a great idea. Overall, the general idea should be to raise the country’s resilience by defining minimum security standards for private-sector entities and then either use a carrot or stick to incent or enforce them. I prefer a carrot, as I think it could be very effective – especially if it eliminates liability for a breach.
Section 1.5 talks about defending and modernizing the federal enterprise. It’s amazing to me that each federal agency is responsible for its own IT and cybersecurity implementations and defense. Why should the Department of State know anything about running a network? Why should the Department of Commerce know anything about how to secure its systems? This decentralized approach is just so inefficient and insecure. Thus, I hope they use this section to anoint CISA as the security architect of the federal government’s systems. CISA should be held accountable for ensuring the security of these systems and, therefore, should have the personnel and resources to make this happen. We have precedent for this: U.S. Cyber Command defends the networks of the DoD. CISA should do the same for all other networks.
Pillar Two: Disrupt and Dismantle Threat Actors
This section to me is about answering the question: How do we overcome our bureaucratic authorities so that we can try and secure ourselves?
Again, the root of this section has to do with coordination and collaboration between various stakeholders within the federal government and from the outside. These seams in our systems and authorities are something that our adversaries prey on and take advantage of.
In order to do this, we need cooperation from our allies, which is why the Ambassador at Large for Cyberspace and Digital Policy was created in the State Department.
Section 2.2 calls for an increase in the speed and scale of intelligence sharing and victim notification. The establishment of both the CCC by NSA and JCDC by CISA has helped the interaction with the private sector quite a bit and they are a good start.
Section 2.3 is about preventing the abuse of U.S.-based infrastructure. This is a very important section, but how it gets implemented will determine whether it can be effective. Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks. We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify, since the major recommendation here is around KYC (“know your customer”).
Section 2.4: Defeat ransomware. Pretty interesting this is in our NCSS. One could argue this is a crime, not a national security threat. But I agree with the White House that ransomware attacks have become a national security threat, and we should use the resources of our various government agencies to prevent it.
Pillar Three: Shape Market Forces to Drive Security and Resilience
This is, in my opinion, the most important and impactful section of the NCSS. It’s basically saying that if you make software, create infrastructure to host it, or store data, you are responsible for being a responsible security steward and you will be held liable to make sure that happens. This is revolutionary because the entire software industry has basically been built with no liability for what it delivers, security included.
This has to happen. How it’s implemented and enforced is key to whether it will be successful. This section goes hand in hand with my previous comments about the need for hygiene standards. Much of this section talks about creating a set of standards that technology companies will be held to. But this is pretty opaque, as there are various groups that have standards today, NIST and CISA to name two. These cannot be a moving target.
They discuss penalties if a company does not adhere to these standards, yet they do not discuss a benefit. If there are only penalties, it will pit the technology vendors, the private sector, and the various regulatory bodies against one another rather than putting them on the same side.
I believe some version of this pillar has to happen, but the overall goal of the NCSS should be to get everyone aligned on how to best protect the United States and its infrastructure. Alignment has to be in place for standard-setting, evaluation of adherence to those standards, and enforcement and/or benefit programs. This means that various regulatory bodies (SEC, FTC, and FCC) plus Congress must align on these practices and their implementation.
Section 3.5 leverages federal procurement to improve accountability. I’m a big fan of using purchase orders to drive the behavior you want.
Pillar Four: Invest in a Resilient Future
This section is about how we can use taxpayer money to do what the private sector will probably do better. I’m being a little snarky here as I am not a fan of the federal government trying to pick technology that needs to be invested in. Overall, I’m a big fan of an increase in basic R&D to universities to work on certain areas that we believe are vital to our national security.
I’m just a little skeptical about how much money would be allocated here and who would do the allocating.
Section 4.1: Secure the technical foundation of the internet. This is one of those sound bites that seems like a great thing to do with very little description on how one would go about doing it. I could see a moonshot-like project where we decide we are going to build a parallel internet that is completely authenticated.
Section 4.2: Prepare for our post-quantum future. It’s good to get attention on this. But we may need some incentives in place for the private sector to invest in this in a timely manner.
Section 4.5: Develop a National Strategy to Strengthen our Cyber Workforce. This should be a whole-of-nation goal. Everyone needs more technical talent in this area. Each federal agency will compete for it; the private sector will compete for it; demand will be insatiable for the foreseeable future.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
I think this is an obvious one. Cybersecurity has no borders, so the more we can do with our allies, the safer we will all be. For this, I’m very happy for Nate Fick’s role as Cyber Ambassador.
I could see a version of NATO’s Article 5 being designed for cybersecurity so that if one of our allies suffers a cyber attack then the perpetrator is facing a response from everyone. The idea is to create significant deterrence.
Today the U.S. does not view a cyber attack in the same way it views a kinetic attack. Thus, we will encourage more cyber attacks, as they are safer for our adversaries to execute: our responses, while they can be meaningful, are far less than the response to a kinetic incursion that results in the same damage.
Download the full National Cybersecurity Strategy here.