March 16, 2023

Building a shared lexicon for the National Cybersecurity Strategy

By the Cyber Statecraft Initiative

The 2023 National Cybersecurity Strategy, released on March 3, represents the ambitions of the Biden Administration to chart a course within and through the cyber domain, staking out a critical set of questions and themes. These ambitions are reflected within the strategy’s pillars and titled sections, but also key words and phrases scattered throughout the document. As we and others have said, the success of this strategy will hinge largely on the practical implementation of its boldest ideas. The details of that implementation will depend on how the administration chooses to interpret or define many of the key terms found within the strategy.

To begin the creation of a shared lexicon to interpret these terms and the policy questions and implications that flow from each, this series identifies seven terms used throughout the strategy that represent pivotal ideas and priorities of this administration: “best-positioned actors,” “realign incentives,” “shift liability,” “build in security,” “modernize federal systems,” “privacy,” and “norms of responsible state behavior.” This article digs into the meaning behind these phrases and how they serve as waypoints in debates over the future of cybersecurity policy.

Strategy terms

“Best-positioned actors”

Throughout the National Cybersecurity Strategy, there are various iterations of the idea of “best-positioned actors” to describe and delineate the private actors expected, or at the least encouraged, to play a larger role in building and reinforcing a secure cyberspace. The repetition of this term represents a larger trend within the 2023 NCS: the central role of the private sector. The prior strategy certainly represented a step in this process, but its successor signals a more fundamental move toward addressing the significant role of private sector players in shaping cybersecurity.

According to this strategy, a keystone in this effort will be increased responsibility by the “best positioned actors” within the private sector. But what does this term mean? At its most basic level, a best-positioned company is one whose product(s) or service(s) represents a considerable portion of a key structural point identified within a pillar of US cyber strategy and, therefore, a company whose manner of operation will be decisive in determining cybersecurity outcomes for a large number of users. The strategy explains that “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.” Though specific sectors or companies are not tied to this category in the strategy, the definition appears to include primarily the owners and operators of both traditional physical infrastructure, especially critical infrastructure, as well as digital infrastructure, like cloud computing services. It may also point to entities who operate as crucial intermediary nodes in the software stack or software development life cycle, whose privileged positions allow the implementation of security protections for downstream resources at scale, such as operating systems, app stores, browsers, and code-hosting platforms.

The strategy appears to distinguish these best-positioned actors as a subset within the category of actors whose action, or inaction, has the greatest potential consequences. The strategy further stipulates that a company’s resourcing partially determines its designation as best-positioned. This distinction reflects an issue throughout the digital ecosystem, where an entity responsible for a critical product or service might have insufficient resources to act as a best-positioned actor, falling under what Cyber Statecraft Initiative Senior Fellow Wendy Nather terms the “cyber poverty line.” Such entities may not be “best positioned,” but they are important to security and resilience if the products or services they are responsible for are depended on by a significant proportion of technology users or would, if compromised, create a large blast radius of effect because they play a connecting role within a large number of other products and services.

The strategy’s emphasis on shifting responsibility is crucial to reducing the impact of security failures on users and serves to support many of the other concepts around “build in security,” “privacy,” and “realign incentives.” As a result, who that responsibility shifts to, the “best-positioned actors,” will have material influence on the outcomes of these policies. Establishing a common understanding of what companies fall within that category is imperative.

“Realign incentives”

Another term found throughout the National Cybersecurity Strategy—particularly within Pillar Three (Shape Market Forces)—is “incentivizing responsibility,” in various iterations. It describes how the US government can shape the security ecosystem by motivating actors—chiefly the private sector owners, producers, and operators of critical technologies—toward a sense of heightened responsibility in securing US digital infrastructure. The previous strategy discussed incentives at a very high level—how to incentivize investments, innovation, and so on—but lacked a coherent sense of objective. The 2023 strategy moves closer to stating a goal but still falls short of actualizing a plan to achieve it. The repetition of this term represents a larger trend within the 2023 strategy: the desire to shift the onus of security failures away from users and onto the private sector. This term is a major driver to achieve the strategic objectives of the National Cybersecurity Strategy.

These incentives are primarily divided into four categories: investment, procurement, regulation, and liability (discussed in Shifting Liability). Investment sits at the heart of Pillar Four (Invest in a Resilient Future), but this approach is common across the pillars. Using investment as an incentive includes creating or building upon existing funds and grant programs for critical and innovative technologies, especially those secure- and resilient-by-design (discussed further in Build in Security). Bridging investment and regulation is the strategy’s emphasis on using federal purchasing power to create positive incentives within the market to adopt stricter cybersecurity design standards.

More prominent throughout the strategy, however, is a regulatory approach that seeks to balance increased resilience with the realities of the free market. This inclusion is important—resilience investment is not maximally efficient. By design a resilient system may have multiple channels for the same information or control. Building resilience into a system may also involve costly engineering and research programs without adding new (and marketable) functionality, and they might even raise the cost of goods sold. Public policy can incentivize these less efficient investments and behaviors, but it may also need to mandate them, especially where markets are most dysfunctional or risk most concentrates. Regulatory tools are intrinsic to a properly functioning market and suffer abuse through neglect or overuse in equal measure.

The strategy hints that making security and resilience the preferred market choice requires making inadequate security approaches more difficult and costly. The strategy recognizes the critical role that private companies play in creating a secure and resilient cyber ecosystem—they are acknowledged even more frequently than allied and partner states. The various approaches to incentivizing responsibility illustrate the careful balancing act that a more robust public-private relationship will require, creating both opportunity and consequence for the private sector.

The strategy tasks the federal government with creating regulation responsibly, with “modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.” This specific and flexible approach is progress in the government’s approach to regulation, yet it raises questions as to the capability of the US government to create and regularly update a suite of regulatory statutes with sufficient agility. Finding specific and actionable ways to realign incentives and responsibilities will be essential to achieving the goals set by the 2023 strategy. However, to achieve this goal, it is essential to better identify both what these regulations seek to achieve and how to best design them to fit, bypassing the debate about Regulation: Friend or Foe.

“Shift liability”

The 2023 National Cybersecurity Strategy has an entire subsection dedicated to software liability—one of the strategy’s most explicit endorsements of a specific, new policy mechanism to shift responsibility and realign incentives for better cybersecurity. Creating a clear framework for software products and service liability would incentivize vendors to uphold baseline standards for secure software development and production, to protect themselves from legal action in response to damages incurred by issues with their product.

In the US legal landscape, software, by itself, is rarely considered a product (in contrast to physical goods with embedded software, such as smart TVs or smart cars). This limits the ability of a user to bring claims under traditional product-liability law against the manufacturer in the event of a security flaw or other problem with the software. In addition, many software vendors disclaim liability by contract—when a consumer clicks “I Agree” on a software license to install a program, they often agree to a contract that forfeits their right to sue the maker. Indeed, the strategy explicitly calls out this tactic.

Taken in tandem, these facts mean that software manufacturers often can insulate themselves from legal liability caused by failures of their products, removing a strong incentive that has motivated physical-goods manufacturers to put their products through rigorous safety testing. The Federal Trade Commission (FTC) retains broad enforcement powers against unfair and deceptive practices, which it has used to bring judgements against businesses for abysmal security failures, and certain authorities to regulate security practices in specific software-reliant sectors like the financial-services industry. However, a broader liability framework specific to software is conspicuously absent.

The strategy, recognizing that even the best-intentioned software manufacturers cannot anticipate all potential security vulnerabilities, leads with a safe harbor-based approach, in which software manufacturers are insulated from security-related product liability claims if they have adhered to a set of baseline secure development practices. This is a negligence liability standard—where manufacturers are held accountable only if they fail to meet an accepted baseline of adequate care—in contrast to a strict liability standard, in which manufacturers are liable for harms regardless of the precautions they took. The National Cybersecurity Strategy also makes explicit mention of the need to protect open-source developers from any form of liability for participating in open-source development, given that open-source software is more akin to free speech than to the offering of a final product. This recognition is both correct and important in light of the different paradigm within which open-source development operates and its incredibly common integration in most software products.

The strategy does not explicitly state whether such a standard should be enforced solely by an executive branch agency, such as the FTC, or whether the intent of the framework would be to allow individuals to directly sue software manufacturers whose products harmed them through a private right of action. The acknowledgement of the need to refine the software liability framework is a crucial step toward the strategy’s goals of realigning public-private incentives for security and resilience. The strategy is silent on whether existing federal authorities would be sufficient, through the FTC or even the Department of Justice’s Civil Cyber Fraud Initiative, or if a private right of action is still necessary (see here for more context on this distinction and liability as a cybersecurity policy issue). This could be a defining question, especially where it may involve congressional action to back up such a program versus merely sustain it.

“Build in security”

While discussing ways to shape market forces for improved security and resilience, the National Cybersecurity Strategy dedicates two sections of Pillar Three (Shape Market Forces) to adapt federal grants and other incentives to “build in security” throughout the cyber ecosystem. This is one of the more mature interpretations of the document’s focus on reshaping incentives and responsibilities to improve security. As far as individual technologies and products are concerned, vendor incentives to rush to market can leave security features as an afterthought or add-on—worse, they can remove security considerations from design processes entirely. The implementation of secure-by-design technology is especially important in light of the interconnectedness of this space, as the integration of new technology alongside old systems can create points of weakness and transitive risk.

While much policymaking discussion considers how to punish or disincentivize poor practices, rewarding security incorporated at the outset of design is just as useful. Software which is built to be difficult to compromise (versus layered with post-facto security features) can be easier, and sometimes cheaper, to defend in daily use and offer vendors and users both a more defensible product. These benefits are manifold when such standards are in place early in the development of an industry, as seen in the administration’s desire to implement a National Cyber-Informed Engineering Strategy for the new generation of clean energy infrastructure. The challenge will lie in whether the administration can define what it means to build in security (i.e., is it a set of specific practices, such as using memory-safe languages, or a set of process considerations which must be accounted for and documented?) with enough specificity to build policy incentive structures such as regulation around the concept.

The next logical step is to consider how to build in security not just for granular products but for systems writ large. The ever-increasing complexity of cloud infrastructure and other large-scale networked systems is an enormous strain on vendors and service providers, which have already gone to great lengths to engineer processes and software around navigating that complexity. Unchecked, those systems and their increasing importance will put users and government on their heels, forcing them to defend an extremely sophisticated and inherently insecure landscape.

Government is well-positioned to create incentives to help industry avoid race-to-the-bottom market pressures that lead towards insecurity and unmanaged complexity, and the strategy does well to tee up that priority even if it views the cyber landscape through a somewhat narrow product lens. Moving toward incentivizing secure design, architectural review processes, and buying down risk at the systems scale can convert “building in security” from an operational feature of federal funding to a strategic reshaping of the cyber landscape.

“Modernize federal systems”

Section Five within Pillar One (Defend Critical Infrastructure) of the National Cybersecurity Strategy focuses on modernizing what it terms the federal enterprise. The recognition of the federal civilian executive branch agencies (FCEB) as a singular enterprise from a security perspective is valuable and hints at broader themes for the Office of the National Cyber Director’s (ONCD) conception of modernization: streamlined points of contact, better coordinated security posturing and policymaking, and more evenly distributed and accessible resourcing and tooling among other gains.

At the most abstract level, modernization can be considered appropriately adjusting the federal enterprise to the challenges inherent in digital security: complexity, speed, and scale. Perhaps the most important contribution of the strategy here is the simple recognition that the federal government is outmatched—with infrastructure that has so far proven inadequate. The strategy’s approach to modernization commits to alleviating the government’s dependence on legacy systems that create too porous a foundation for US cybersecurity. Specific adaptations mentioned include the implementation of zero-trust architecture, a migration to cloud-based services, and progress toward “quantum-resistant cryptography-based environments.” Notably, “zero trust” remains a phrase of the moment after it did a starring turn in Executive Order 14028 and its use as a rhetorical catch-all for “modern” security tools and approaches has only increased.

The strategy directly appoints the Office of Management and Budget (OMB), in coordination with Cybersecurity and Infrastructure Security Agency (CISA), as the lead planner for FCEB cybersecurity planning and the custodian of shared services for constituent agencies. Though direct implementation plans are not laid out within this document, the specific tasking of the OMB to lead this process, assuming that the office receives the necessary resources, does create accountability and measurability for the pillar.

Another key component of FCEB modernization is a parallel workforce modernization. Any and all plans to create a modern, resilient federal cyber environment will require fostering a talented, diverse cyber workforce. The ONCD is spearheading this effort, and work on a workforce-specific strategy is underway. The National Cybersecurity Strategy’s treatment of the cyber workforce provides a strong foundation for ONCD’s more detailed plan to address what is a significant problem for the US government. In that strategy, there is indeed opportunity to go further, not just to build the cyber workforce necessary for the problems of today, but to ensure that workforce development is conducted in parallel with government efforts to reshape its cyber environment into one that is more secure-by-design.

Modernization of federal systems is a gargantuan challenge, and one that will never be complete. To effectuate real change, modernization must become an engrained and cyclical process. This process does not have to mean the pursuit of the most cutting-edge technology for wholesale implementation across the FCEB, but must prioritize raising the baseline of security by targeting widespread dependencies and reducing risk for the most insecure and critical system components.

“Privacy”

One of the central themes of the inaugural National Cyber Director’s tenure was that cybersecurity must amount to more than creating an absence of threats. Securing the devices and services surrounding us should enable their use toward positive social, political, and economic ends. The security of data on these devices and running through these services is as much a question of protection against its appropriation and misuse by entities to whom it was entrusted as it is a question of preventing theft by malicious adversaries.

It is only a little surprising then, and very much welcome, to see the National Cybersecurity Strategy repeatedly highlight the importance of privacy as a key component of the United States’ cyber posture. Security and privacy are tightly intermeshed, as both a practical issue, where security features can function as guarantors of some privacy policies and protections, and as a policy issue—witness certain European Union (EU) member states’ agita over US surveillance and intelligence collection authorities as they impact the privacy of EU data and the perceived security of US-based cloud services. The inclusion of privacy is an overdue recognition of the fact that, if we succeed at preventing adversaries from stealing data from US networks, but then allow the same data to be freely bought and sold on the open web, we have gained little protection from espionage or targeting.

The recurring inclusion of privacy also marks an overdue move to collectively wield tools of both cybersecurity policy and corporate accountability in concert—taking the efforts of entities like the FTC, the Securities and Exchange Commission (SEC), and CISA together to drive change in private sector behavior. The strategy supports “legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information,” but stops short of acknowledging that Congress’ ongoing failure to pass a comprehensive federal privacy law is harming US national cyber posture. Given such a law would likely include mandatory minimum-security standards for entities processing personal data, a privacy law would also provide new enforcement tools for the executive branch to penalize companies for poor security practices, going a long way towards creating incentives to fix some of the market failures identified by the administration throughout the strategy. The strategy also arrives as the intelligence community and Congress more publicly recognize the national security importance of data security and the risks posed by the widespread proliferation of surveillance tools.

Privacy has many definitions, but perhaps the most significant implied here is control over information and the right to exercise that control in the service of individual liberty. Strengthening users’ control over the data they produce, its use in digital technologies, and the integrity of those technologies against harm is a means of giving greater power back to users. These acknowledgments are fundamentally important—however, without going further, policy risks falling back into the broken “notice and choice” model of privacy, which has demonstrated its insufficiency in the proliferation of cookie banners under GDPR. The strategy would have gone further if it had acknowledged the need to preclude companies from collecting, processing, and reselling consumer data beyond the minimum required to deliver requested goods and services, which would more fundamentally limit the collection and propagation of Americans’ data.

The embrace of privacy as a key component of cyber posture is a large step, but the strategy still lacks concrete operational plans for implementing this vision. Hopefully, this is a sign of policy action still to come. Using this strategy as another important marker, policymakers should continue to address cybersecurity and privacy issues by bringing individual users back into the conversation and restoring a measure of ownership over their digital footprint along the way.

“Norms of responsible state behavior”

Within the 2023 National Cybersecurity Strategy, the drafters highlight the need for the United States and its like-minded allies and partners to work toward a free, fair, and open cyber domain aligned with US cyber norms and values. This concept, as a guiding principle for strategy, is not new, and indeed, was a central pillar of the 2018 strategy. The continued emphasis placed on norms and values-guided cyber strategy signals the ongoing importance of this conversation.

This strategy specifically calls out the Declaration for the Future of the Internet (DFI) as creating a foundation for “a common, democratic vision for an open, free, global, interoperable, reliable, and secure digital future.” The strategy also highlights the importance of international institutions and agreements in developing a framework and set of norms for this vision, including the United Nations (UN) Group of Governmental Experts and Open-Ended Working Group and the Budapest Convention on Cybercrime.

While there is agreement among the United States and allies on a set of cyber norms, these norms do not encompass all of state behavior in cyberspace. Important differences in approach might impede the level of cooperation sought by the United States and its allies. One such tension, briefly mentioned, is the question of data localization requirements. Pillar Five (Forge International Partnerships) discusses a series of goals surrounding international collaboration. These include counter-threat coalitions, partner capacity building, and supply chain security. This pillar also discusses many existing efforts toward enhancing international cooperation, yet lacks a clear, cohesive set of actions for moving the United States and the global cyber ecosystem toward an “open, free, global, interoperable, reliable, and secure Internet.” Without such a bridge, US allies and partners around the globe, especially those with immature or nonexistent relationships with the US government on cyber issues, might struggle to move toward the kind of cyber ecosystem the US government seeks to create.

As the US government builds on and operationalizes the strategy, the cyber norms and values used as its frame will require clear specification as more than just platitudes. The internet is not a topic merely of foreign policy, and there are opportunities throughout the document to better connect discussion of shifting responsibility and securing the internet together, including these important normative dimensions through domestic implementation. It is simple to claim the pursuit of a free, fair, open, and secure cyber domain. However, if norms are truly to serve as the foundation of cyber strategy, the US government must do more than allude—it must lead the way in integrating specific ideals into its strategy, operations, and tactics.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Trey Herr, Emma Schroeder, Stewart Scott, Maia Hamin, and Will Loomis