Where the New National Cybersecurity Strategy Differs From Past Practice
On March 2, the Office of the National Cyber Director released the public version of the long-awaited National Cybersecurity Strategy. This document is intended to provide strategic guidance for how the United States should protect its digital ecosystem against malicious criminal and nation-state actors. The document is a welcome and sharp break from a few past practices and principles. If fully implemented, it has the potential to change the U.S. cybersecurity posture significantly for the better.
The scope of the document is limited to cybersecurity, as its title is “National Cybersecurity Strategy” rather than “National Cyber Strategy.” Many press reports (e.g., here and here) on the strategy’s release have conflated the two, but they are not identical in scope. The U.S. government generally operates from a definition of “cybersecurity” promulgated in 2008 under NSPD-54 and HSPD-23:
"cybersecurity'' means prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.
Two omissions from this definition are noteworthy—the lack of reference to information or influence operations and to the use of offensive operations in cyberspace to advance any national goals other than the one explicitly noted. Both of these topics would naturally be included in a National Cyber Strategy, but that is not what this document is—and it should not be criticized for those omissions. The strategy document is also silent on cybersecurity for national security systems, such as those operated by the Department of Defense and the intelligence community.
Although the strategy builds on cybersecurity efforts from the previous three administrations, its most important characteristic is its departure from past perspectives and practices.
Rebalancing the Cybersecurity Burden
If there was once a time when it was reasonable to expect end users (people who are not technical wizards) to manage their own cybersecurity, that time has long since passed. At long last, the strategy acknowledges that:
end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors' choices can have a significant impact on our national cybersecurity. A single person's momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.
In arguing for a rebalancing of the responsibility for cybersecurity, the strategy does not absolve end users of all security responsibilities. It does, however, indicate that we as a nation must “ask more of the most capable and best-positioned actors” in society. The strategy states that cybersecurity “must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.” The strategy also recognizes that the U.S. government’s role in providing cybersecurity has distinct boundaries including protecting its own systems and networks, ensuring that the private sector does its part to protect itself in cyberspace, and carrying out core governmental functions that support cybersecurity.
One key element of the strategy for holding the vendors and providers of information technology-based products and services accountable is its embrace of regulation. Rather than the traditional, voluntary, “enlightened self-interest” approach to encourage cybersecurity in the private sector, the strategy notes that, while such an approach has sometimes improved cybersecurity postures in the private sector, such improvements have not, taken as a whole, been sufficient to meet the national needs for cybersecurity. Indeed, the strategy notes that “today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”
Thus, the strategy argues that:
Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience. Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation. New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.
Leveling the playing field is a reference to the proposition that regulation applied to all actors in a given sector (actors who can be presumed to be competitors) will reduce the incentives for vendors and suppliers to underinvest in cybersecurity as a way to gain competitive advantage in a price-driven marketplace.
Perhaps the most important aspect of that paragraph is the idea that the strength of cybersecurity cannot be left simply to individual private-sector actors to decide based solely on their business needs. For public safety and national security needs, the nation needs a more robust cybersecurity posture than that which would result if left up to these individual actors. This has been apparent for some time, and it is therefore encouraging that the strategy emphasizes that “regulations will define minimum expected cybersecurity practices or outcomes.
Undoubtedly, the emphasis on regulation will encounter resistance from the actors who would be affected. Experience suggests that those actors should bear the burden of proof to develop plans that demonstrate how they will achieve adequately robust cybersecurity postures in the absence of regulation. If they can indeed develop such plans, it should then be possible for regulators and legislators to embrace those plans, to hold the actors accountable for implementing those plans, and to penalize them for cybersecurity failures that occur because of defects in either the plans themselves or their implementation.
Liability for Insecure Software Products and Services
The strategy recognizes explicitly that, left to its own devices, the software market all too often rewards vendors that underinvest in security with greater market share and reduced time-to-market. It notes that:
Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance. Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.
Thus, because “markets impose inadequate costs on—and often reward—those entities that introduce vulnerable products or services into our digital ecosystem,” the U.S. must:
begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities. Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
Many cybersecurity analysts have, for years, advocated liability as a way of incentivizing vendors to pay more attention to cybersecurity. But for the first time, a document with the full endorsement of the executive branch has done the same.
The strategy notes that legislation enabling liability:
should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios. To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.
This is remarkably similar to Action Item 1.4.5 in the 2016 report from the Obama Commission on Enhancing National Cybersecurity, so I have a hard time disagreeing with it in any way.
Disrupting and Dismantling Threat Actors
The strategy also endorses a highly assertive approach to disrupting threat actors in cyberspace. For example, it says that “[d]isruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals.”
Moreover, the strategy does not shy away from the use of military power for such disruption where appropriate:
Informed by lessons learned and the rapidly-evolving threat environment, [the Department of Defense (DoD)] will develop an updated departmental cyber strategy aligned with the National Security Strategy, National Defense Strategy, and this National Cybersecurity Strategy. DoD’s new strategy will clarify how U.S. Cyber Command and other DoD components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic-level threats to U.S. interests, while continuing to strengthen their integration and coordination of operations with civilian, law enforcement, and intelligence partners to disrupt malicious activity at scale.
The increased public emphasis on the use of military forces to disrupt threat actors is already apparent in offensive cyber operations taken by U.S. Cyber Command to disrupt the activities of foreign ransomware actors. With the promulgation of the Biden National Cybersecurity Strategy, we should expect to see a greater military role in the U.S. cybersecurity posture—one that goes beyond what might be termed “passive defense activities” to active involvement.
A notable omission from the strategy document is the word “deterrence.” Nowhere in the document do the words “deter” or “deterrence” appear. This can’t be by accident, and it points to the failure of deterrence as a policy for promoting cybersecurity. This isn’t exactly surprising. Deterrence by punishment relies on an ability to impose costs on an attacker that matter to the attacker, and no one has figured out a reliable and certain way to do that systematically for malicious actors in cyberspace. Thus, malicious actors choose to ignore U.S. threats of retaliation and ply their trade with relative impunity. Deterrence by denial—an approach based on reducing the relative benefits that a malicious actor can obtain—has been unsuccessful to date as more and more value has come to reside in cyberspace.
The new strategy is a significant departure from past practices and precedent, and I applaud it. But its public calls for regulation, the imposition of liability for insecure software products and services, and the increased involvement of the U.S. military in support of private-sector cybersecurity will be controversial.
To its credit, the strategy does acknowledge the gathering storm, at least implicitly. For example, on regulation, the strategy acknowledges the responsibility to minimize the harm from regulations that may be in conflict, duplicative, or overly burdensome and notes the need to harmonize regulations and rules as well as assessments and audits of regulated entities. It understands that different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity and points to the need for regulatory agility “to adapt as adversaries increase their capabilities and change their tactics.”
On liability, the strategy proposes safe harbors to shield companies from liability if they securely develop and maintain their software products and services. Still, the nature, scope, and extent of such liability all remain to be established. What evidence should count as mitigating the extent of liability? How should liability for cybersecurity breaches resulting from the actions of multiple parties be allocated? Should liability be capped at certain levels, and, if so, on what basis? What is the role of insurers in a world of software liability? Should class action lawsuits be prohibited? Many such questions remain to be answered.
And on the involvement of the U.S. military in cybersecurity, the strategy promises that the Department of Defense and the intelligence community will work within their (legally established) roles to disrupt the activities of malicious cyber actors. But an effective defensive effort of civilian infrastructure by the Defense Department and the intelligence community will inevitably mean closer relationships between these national security authorities and the owners and operators of civilian infrastructure assets. For example, the need for effective attack assessment across a broad range of civilian assets will require technical, legal, and policy coordination between the private sector and the U.S. government. For example, it may entail a significant Defense Department presence on privately owned networks. How the American people will react to such coordination remains to be seen.
A very interesting debate over cybersecurity policy is about to begin. Given the fundamental shifts from previous strategies, it promises to be more vigorous and hard fought. It’s about time.