Cybersecurity and Deterrence

Building From the 2023 National Cybersecurity Strategy: Reshaping the Terrain of Cyberspace

By Trey Herr, Jenny Jun, Emma Schroeder, Stewart Scott
Monday, March 13, 2023, 8:16 AM

Previous U.S. approaches to cyber strategy have treated technology security largely as fixed in nature—working under the assumption that the relative vulnerability of software products, hardware devices, and systems is predetermined, something for policymakers to maneuver around rather than to shape. This comes from a recognition of the difficulties inherent in cybersecurity: Patching vulnerabilities is reliably slow and incomplete, companies face incentives to prioritize time to market over security, and vulnerabilities are uniformly inevitable, no matter the precautions taken. But approaching cybersecurity as competition over a static terrain is a mistake—and strategies that merely accept the given circumstances of cyberspace compound that error. 

The new 2023 National Cybersecurity Strategy (NCS) departs from the previous 2018 National Cyber Strategy in two important ways. First, the new strategy calls to “rebalance the responsibility” of defending cyberspace, moving away from end users and toward the “most capable and best-positioned actors,” including owners and operators of key technologies and infrastructures. Second, it seeks to “realign incentives” through various regulatory, grantmaking, and budgetary measures. 

The good news: These are welcome changes. The opening tenets of the NCS question the immutability of and outcomes from current roles, responsibilities, and rewards in cybersecurity, with the document’s introduction noting that the U.S. “must make fundamental changes to the underlying dynamics of the digital ecosystem.” Indeed, the strategy seems to be guided by a vision indicating that the U.S. government better recognizes the importance of actively shaping the cyber terrain into something more secure and resilient to begin with—signaling progress beyond past thinking about competing within cyberspace. Physical terrain is malleable to an extent—tunnels and bridges may alter landscapes, but mountains move only on geologic timescales, and the prayers of commanders through the centuries have done little to dissuade oncoming storms. The terrain of cyberspace is not subject to these limits. As cyberspace is made of and by people, the new strategy’s pivot toward reshaping the digital environment, or at least considering it, is encouraging.

Unfortunately, the strategy doesn’t fully realize this early promise. It questions the status quo but avoids rigorous discussion of altering the cyber terrain. It laments what the markets have produced—all of which approaches, but falls notably short of, developing a plan to influence how technology and terrain look. For example, the phrase “inherently resilient and defensible” (p. 5) and close variations of it, such as “more defensible and resilient” (p. 13) and “more inherently resilient and defensible” (p. 29), recur frequently but without much specificity. How defensibility or resilience might be measured, the acceptable threshold for each, which model technologies appear to have achieved this threshold, or how to measure either current gaps or future progress all remain unaddressed. Market inefficiencies and failures have challenged national approaches to cybersecurity, but the government has long known that policy gives it the power to reshape markets and often makes efforts to do so. The new strategy’s overarching vision is welcome, but it’s not clear from much of the document what exactly should look different tomorrow. 

The document’s section on liability offers another example of this thinking. Strategic objective 3.3 hopes to “shift liability for insecure software products and services,” in recognition that “markets impose inadequate costs on—and often reward—those entities that introduce vulnerable products or services into our digital ecosystem.” There are whispers of a “duty of care” and a soon-to-be-developed liability regime, but before any precise definition is provided, the section veers into discussing “an adaptable safe harbor framework” to offer protection from legal liability when certain conditions are met. Again, the pivot of policy toward the study and shaping of incentives is commendable, but the vagueness surrounding key definitional principles is troubling. In this case, liability for methods rather than outcomes makes a solid foundation, but such quick consideration of developing safe harbor from a nonexistent regime reveals a missed opportunity and deferred responsibility. In other words, yes—liability for software products is likely a valuable way to shape behavior toward greater security. But the reader would benefit far more from understanding what the government considers would constitute a reasonable duty of care than from hearing about its plans to provide a pathway to exemption. Notably, the word “Congress” appears 13 times in the 2023 strategy, a noticeable increase from just two times in the 2018 strategy, suggesting grander hopes for shouldering the responsibility of implementation than past efforts.

The NCS’s market lens offers an important new view on defending cyberspace. Yet, as above, the document falls short of realizing its admirable vision by omitting tangible commitments to action. In place of addressing meaningful changes in the technology ecosystem, the NCS suffers many familiar pitfalls and assumptions. Defensibility is emphasized but rarely defined. The cyber workforce is presented as only chronically undersupplied, rather than also overburdened by an unmitigated workload. The incentives motivating threat actors, alongside the digital circumstances enabling them, remain largely underexamined by the strategy. 

There are also conspicuous areas of disconnect between the document’s discussion of technology markets and its treatment of the security of the internet. These discrepancies emphasize the distance between its views of incentives and of technologies. The discussion of “shifting the burden” of responsibility for security is absent from the strategy’s fifth pillar (“Forge International Partnerships to Pursue Shared Goals”) and from Objective 4.1 (“secure the technical foundations of the internet”). Objective 4.1 also is missing any mention of resilience or investment, despite both terms being found in the title of the section and referenced extensively throughout the discussion of technology markets. The framing of internet security is one of the only in the document focused on “standards” rather than product security and “architecture.” The internet is, again, treated as a thing separate from the technology that constitutes and runs on it. 

One of the most important aspects of the terrain of cyberspace is the layout and security of the internet, as determined by the overlapping national and global networks that comprise it. As this layout continues to evolve, the role of private technology firms—especially cloud service providers in running it—has grown considerably. The strategy correctly connects greater cybersecurity with the openness of online networks, but it stops short of making that connection meaningful. Tangible progress toward a more open, secure, interoperable internet would combat the structural influence of prolific cyber threats and better enable the open market of Western security researchers to identify and combat these harms. Operational goals about the cybersecurity of internet technologies can and should flow from normative debates about the future of the internet. Openness and integrity aren’t just values: Purely through a security lens, they create space for independent researchers, small companies, and civil society groups to play outsized roles in rapidly detecting and mitigating threats to networks and users. Preserving openness and placing power in the hands of users rather than institutions has enabled community-led security efforts like the Shadowserver Foundation and the monitoring and open-source intelligence work of the Digital Forensic Research Lab and Bellingcat. Protecting the open internet is in America’s national interest and advances its core cybersecurity goals as much as, if not more than, prioritizing operational superiority over its adversaries.

The new strategy’s approach engages on a deep level with symptoms—namely bad incentives, autocrats, and broken markets—but with causes on a more shallow one. What would the alternative have looked like in the context of the national cybersecurity strategy? For one, such a strategy would identify important areas to shift responsibility to and realign investment with. It would explicitly discuss plans for action instead of passing mentions. It would commit to press Congress for serious investments in the security of widely used digital infrastructure, including open-source software, rather than just pledging to move an ill-defined burden. Rather than stopping at lamenting and studying the malicious co-opting of U.S.-based cloud infrastructure, such a strategy would explore how to use government procurement authority, executive convening power, and existing market regulatory tools together to push cloud service providers to address recurring sources of insecurity and poor design. Further, it would address the considerable influence of cloud service and social media platform providers on the layout and security of the internet now, much more so than a decade ago. And it would leverage several of the authorities called upon to stimulate the development of better digital-identity services and fund more secure digital technologies to push wider use of memory-safe languages and close off entire avenues of malicious activity. 

The NCS teases many of these approaches but fully realizes few, resulting in an earnest list of operational objectives and priorities. To be clear, the NCS is a productive document, provoking important discussions about reforming the current market for digital technologies. The strategy is by turns thoughtful and prosaic, but readers should not take the text as theologically complete. Rather, it contains bold statements of vision that lean hard on the public’s faith that such a vision can and will be executed. This scarcity of detail with respect to implementation and the uneven application of the drafting team’s core principles in sections seemingly generated elsewhere leave the current document an incremental step toward a more mature and complete future strategy. Many will point out, rightly so, that the strategy’s success or failure will lie in how it is executed, with forthcoming implementation details proving decisive. If done well, the strategy will serve as a strong pivot into a better vision for U.S. policy in cyberspace; if not, it will be a mournful half-step with more promise than punch. And maybe that standard is the best summary of the document—not bad, and potentially groundbreaking, but not quite ready yet to stand on its own.