Date: 2023-03-04

Tech at the Leading Edge

How will the US counter cyber threats? Our experts mark up the National Cybersecurity Strategy.

By Maia Hamin, Trey Herr, Will Loomis, Emma Schroeder, and Stewart Scott

On March 2, the Biden administration released its 2023 National Cybersecurity Strategy, an attempt to chart a course through the stormy waters of cyberspace, where the private sector, peer-competitor states, and nonstate actors navigate around and with each other in ways growing more complex—and dangerous—by the day. The Atlantic Council’s Cyber Statecraft Initiative (CSI), which is housed within the Digital Forensic Research Lab, gathered a group of experts from government and private-sector cyber backgrounds to dive into the document and leave their comments to help decipher what the administration is really saying.

CSI’s key takeaways from the strategy

The strategy offers the much-needed beginnings of an ambitious shift in US cybersecurity policy, but it often falls short on implementation details and addressing past failures. The actionable outputs it does identify are fundamentally cautious. The strategy’s greatest virtues might be its focus on the pressing need to grapple with market incentives driving insecurity and to reallocate responsibility for security. By deferring rigorous treatment of allied and partner states’ role in its strategic vision for cybersecurity, the strategy gives short shrift to cybersecurity’s fundamentally global nature across all pillars.

A steady course in stormy seas: How to read the Biden administration’s new cyber strategy

Far before the age of steam, in the earliest days of sailing ships, captains knew to keep their vessels close to shore. Out in deeper water lay the vicissitudes of storms and faithless winds. Safety lay in the often more arduous, lengthier voyages hugging the coastline. Trading speed for the safety of their ship, crew, and cargo, captains steered carefully through the rocks on a conservative course to their destination. Sailors might tell tales of the exotic lands they planned to visit, but reliable routes close to shore kept them far from the perils of such journeys.

The 2023 National Cybersecurity Strategy (NCS), released March 2, reflects this cautious reality in the actual commitments it makes under a bolder vision to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term investments.” The strategy’s greatest contribution in years to come will likely hinge on its success reframing cyber policy toward explicit discussion of the market—and its failure to adequately distribute responsibility and risk while still clinging to weak incentives for good security practices. This will serve future policy efforts well and open discussions about material changes in the complexity and defensibility of digital technologies. A market lens for cyber policy also serves to integrate privacy into mainstream cybersecurity discussions and heartily embraces the notion that it is more than just defense against external compromise that determines the security of users and data. The strategy also charts out new horizons in its acknowledgement of the need to address software product liability while protecting open-source developers.

But in its discussion of a liability regime, and throughout, the strategy often hews close to safe harbors, steering away from the specific actions and policies that would implement the thornier parts of its vision. The document’s focus on the market, for instance, is weakened by the absence of efforts to trace the source of market failings. Missing too are efforts to further unpack barriers to federal information-technology modernization or the complex web of cyber authorities that have left security requirements fragmented and inconsistent across sectors. The document also does little to integrate the international perspective across its discussion of threats or technologies, leaving the topic largely in a single, final pillar (the strategy is organized into five such pillars).

This was a singular opportunity to better address the global business environment in which technology vendors and consumers operate, and the geopolitical significance attached to questions of technology design and security. One need only look through the rapid expansion of activity in the Committee on Foreign Investment in the United States or the recent flurry of debate around TikTok to see the deeply international nature of the market in which the strategy seeks to drive “security and resilience.” The isolation of international issues ignores the reality of global US security partnerships and insufficiently addresses the reality of defense cooperation in cyberspace with both foreign states and private companies.

The Office of the National Cyber Director was handed a mammoth task in drafting this administration’s NCS. The young office could easily have foundered, beset by the interagency demons of the deep. Instead, it seems this captain and crew chose to remain in sight of land while charting in florid prose what could be in these grand adventures. The result is an important framework with some novel and useful policy activities, but also with questions that the cyber policy community must work to answer in the years to come. Important ideas, such as an affirmative statement about what the balance of responsibility for security should look like across the technology ecosystem, are here established in principle—flags left to be carried forward by others. In light of the fraught political winds the drafting team navigated, the result is commendable, but a frank recognition of how much work remains is also important. This text may serve to fire the imaginations of a generation of sailors yet to leave port, but we must ensure they do indeed set sail for distant shores and capture some of the promise presented here.