With two administrations in a row releasing a National Cybersecurity Strategy, it appears our national leaders may finally understand the threat posed by not securing our national interests in cyberspace.
The latest strategy shared by the Biden administration is encouraging, as is the administration’s commitment to making substantive changes through increased executive orders, national security memorandums, elevated and increased cybersecurity staffing, and emergency and binding directives by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
San Antonio is well-positioned when it comes to implementing the National Cybersecurity Strategy. However, like many national strategies, it’s mired in intentions, light on substantive strategy and has a disturbingly short implementation plan.
In the preamble to the National Cybersecurity Strategy released last month, the administration states, “We must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” By shifts, they mean changes from past approaches and perspectives.
The first change is defining who holds primary responsibility for our nation’s cybersecurity. Past federal cybersecurity strategies have placed a large emphasis on how everyone plays a role in cybersecurity. They reminded individuals and the private sector that a significant portion of our national cyber infrastructure is privately owned and not controlled by the government. They emphasized our nation is only as strong as the “weakest link” and that everyone had to play their part in securing our nation.
The Biden-Harris strategy specifically alters the strategic approach to defense, saying we need to “rebalance the responsibility to defend cyberspace,” calling on “the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”
San Antonio is well-positioned as home to the 16th Air Force, known as Cyber Command. The National Security Agency, U.S. Secret Service and the Federal Bureau of Investigation all have specific missions, cyber squads and task forces here dedicated to cyber defense and investigations.
The second change is the recognition that if we don’t stop focusing solely on immediate, reactive defense against current threats, our failure to make long-term investments in “strategically planning for and investing in a resilient future” will have dire consequences in the not-so-distant future.
San Antonio is well-positioned as home to UTSA, which is in the top tier of research universities in the nation, with cybersecurity as one of our biggest research strengths. The city is also leading the way with the Joint Base San Antonio Electromagnetic Defense Initiative.
The Biden-Harris strategy has five pillars:
- defend critical infrastructure
- disrupt and dismantle threat actors
- shape market forces to drive security and resilience
- invest in a resilient future
- forge international partnerships to pursue shared goals
The first two pillars focus on increasing government regulation, requirements and policy while further modernizing federal defenses, public-private collaboration and information sharing, and the federal response to cyber events and threat actors.
These are great aims, but the strategy is concerningly reactionary in nature. Instead of responding more quickly to catastrophic cyber events, we need to prevent them and/or lessen their fundamental impact, not through remediation and containment but through fundamental resilience. True resilience isn’t getting back on one’s feet quickly; it is not getting knocked out to begin with despite being hit.
The third pillar recognizes the role the market must play in securing our nation and the longstanding call that the market has not fully answered: security by design. It specifically calls out three key challenges: data security and privacy, Internet of Things (IoT) security and secure software design. I could not be happier to see this pillar in the federal strategy, which calls for increased accountability and acknowledges the role the federal government can play in supply chain security through federal grant and procurement programs.
However, much more is needed. The government’s ability to drive the market is limited, and government attempts to control the market are risky at best. How many more cyber “fires” will be needed before our nation goes beyond treating cybersecurity as a nutrition label and instead makes it a standard like UL certification for electronic hardware products?
The fourth pillar’s commitment to investing in a resilient future is also exciting to see. Here, we begin to see a bit more specificity, which is promising. It calls out specific Internet technologies vulnerable to compromise that need to be fixed and promises investment in specific federal cybersecurity research and development programs to prepare for our future.
However, fundamentally insecure internet protocols and technologies have been known to be insecure for decades. What exactly is the strategy to truly and comprehensively fix them? The call for increased investment in our future is promising, but what about investing in research and development to accomplish pillars one, two, and three of this strategy?