How will the US counter cyber threats? Our experts mark up the National Cybersecurity Strategy
On March 2, the Biden administration released its 2023 National Cybersecurity Strategy (NCS), an attempt to chart a course through the stormy waters of cyberspace, where the private sector, peer-competitor states, and nonstate actors navigate around and with each other in ways growing more complex—and dangerous—by the day. The Atlantic Council’s Cyber Statecraft Initiative (CSI), which is housed within the Digital Forensic Research Lab, gathered a group of experts from government and private-sector cyber backgrounds to dive into the document and offer context, commentary, and concerns to help decipher the strategy. Commenters include Maia Hamin, Trey Herr, Danielle Jablanski, Amelie Koran, Will Loomis, Jeff Moss, Katie Nickels, Marc Rogers, Stewart Scott, and Chris Wysopal.
CSI’s key takeaways from the strategy
- The strategy offers the much-needed beginnings of an ambitious shift in US cybersecurity policy, but it often falls short on implementation details and addressing past failures. The actionable outputs it does identify are fundamentally cautious.
- The strategy’s greatest virtues might be its focus on the pressing need to grapple with market incentives driving insecurity and to reallocate responsibility for security.
- By deferring rigorous treatment of allied and partner states’ role in its strategic vision for cybersecurity, the strategy gives short shrift to cybersecurity’s fundamentally global nature across all pillars.
NCS table of contents
PILLAR ONE | DEFEND CRITICAL INFRASTRUCTURE
Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety
Strategic Objective 1.2: Scale Public-Private Collaboration
Strategic Objective 1.3: Integrate Federal Cybersecurity Centers
Strategic Objective 1.4: Update Federal Incident Response Plans
Strategic Objective 1.5: Modernize Federal Defenses
PILLAR TWO | DISRUPT AND DISMANTLE THREAT ACTORS
Strategic Objective 2.1: Integrate Federal Disruption Activities
Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries
Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification
Strategic Objective 2.4: Prevent Abuse of US-based Infrastructure
Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomware
PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE
Strategic Objective 3.1: Hold the Stewards of Our Data Accountable
Strategic Objective 3.2: Drive the Development of Secure IoT Devices
Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
Strategic Objective 3.4: Use Federal Grants and Other Incentives to Build In Security
Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability
Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop
PILLAR FOUR | INVEST IN A RESILIENT FUTURE
Strategic Objective 4.1: Secure the Technical Foundation of the Internet
Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity
Strategic Objective 4.3: Prepare for Our Post-Quantum Future
Strategic Objective 4.4: Secure Our Clean-Energy Future
Strategic Objective 4.5: Support Development of a Digital Identity Ecosystem
Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce
PILLAR FIVE | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS
Strategic Objective 5.1: Build Coalitions to Counter Threats to Our Digital Ecosystem
Strategic Objective 5.2: Strengthen International Partner Capacity
Strategic Objective 5.3: Expand US Ability to Assist Allies and Partners
Strategic Objective 5.4: Build Coalition to Reinforce Global Norms of Responsible State Behavior
Strategic Objective 5.5: Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services
A steady course in stormy seas: How to read the Biden administration’s new cyber strategy
Far before the age of steam, in the earliest days of sailing ships, captains knew to keep their vessels close to shore. Out in deeper water lay the vicissitudes of storms and faithless winds. Safety lay in the often more arduous, lengthier voyages hugging the coastline. Trading speed for the safety of their ship, crew, and cargo, captains steered carefully through the rocks on a conservative course to their destination. Sailors might tell tales of the exotic lands they planned to visit, but reliable routes close to shore kept them far from the perils of such journeys.
The 2023 National Cybersecurity Strategy (NCS), released March 2, reflects this cautious reality in the actual commitments it makes under a bolder vision to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term investments.” The strategy’s greatest contribution in years to come will likely hinge on its success reframing cyber policy toward explicit discussion of the market—and its failure to adequately distribute responsibility and risk while still clinging to weak incentives for good security practices. This will serve future policy efforts well and open discussions about material changes in the complexity and defensibility of digital technologies. A market lens for cyber policy also serves to integrate privacy into mainstream cybersecurity discussions and heartily embraces the notion that it is more than just defense against external compromise that determines the security of users and data. The strategy also charts out new horizons in its acknowledgement of the need to address software product liability while protecting open-source developers.
But in its discussion of a liability regime, and throughout, the strategy often hews close to safe harbors, steering away from the specific actions and policies that would implement the thornier parts of its vision. The document’s focus on the market, for instance, is weakened by the absence of efforts to trace the source of market failings. Missing too are efforts to further unpack barriers to federal information-technology modernization or the complex web of cyber authorities that have left security requirements fragmented and inconsistent across sectors. The document also does little to integrate the international perspective across its discussion of threats or technologies, leaving the topic largely in a single, final pillar (the strategy is organized into five such pillars).
This was a singular opportunity to better address the global business environment in which technology vendors and consumers operate, and the geopolitical significance attached to questions of technology design and security. One need only look through the rapid expansion of activity in the Committee on Foreign Investment in the United States or the recent flurry of debate around TikTok to see the deeply international nature of the market in which the strategy seeks to drive “security and resilience.” The isolation of international issues ignores the reality of global US security partnerships and insufficiently addresses the reality of defense cooperation in cyberspace with both foreign states and private companies.
The Office of the National Cyber Director was handed a mammoth task in drafting this administration’s NCS. The young office could easily have foundered, beset by the interagency demons of the deep. Instead, it seems this captain and crew chose to remain in sight of land while charting in florid prose what could be in these grand adventures. The result is an important framework with some novel and useful policy activities, but also with questions that the cyber policy community must work to answer in the years to come. Important ideas, such as an affirmative statement about what the balance of responsibility for security should look like across the technology ecosystem, are here established in principle—flags left to be carried forward by others. In light of the fraught political winds the drafting team navigated, the result is commendable, but a frank recognition of how much work remains is also important. This text may serve to fire the imaginations of a generation of sailors yet to leave port, but we must ensure they do indeed set sail for distant shores and capture some of the promise presented here.
Authors and contributors
Maia Hamin is an associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She works on the Initiative’s Systems Security portfolio, which focuses on policy for open-source software, cloud, and other technologies with important systemic security effects.
Trey Herr is the director of the Atlantic Council’s Cyber Statecraft Initiative. His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce.
Danielle Jablanski is a nonresident fellow at the Cyber Statecraft Initiative and an operational technology (OT) cybersecurity strategist at Nozomi Networks, responsible for researching global cybersecurity topics and promoting OT and industrial control systems (ICS) cybersecurity awareness throughout the industry. Jablanski serves as a staff and advisory board member of the nonprofit organization Building Cyber Security, leading cyber-physical standards development, education, certifications, and labeling authority to advance physical security, safety, and privacy in the public and private sectors. Since January 2022, Jablanski has also served as the president of the North Texas Section of the International Society of Automation, organizing monthly member meetings, training, and community engagements.
Amelie Koran is a nonresident senior fellow at the Cyber Statecraft Initiative and the current director of external technology partnerships for Electronic Arts, Inc. Koran has a wide and varied background of nearly thirty years of professional experience in technology and leadership in the public and private sectors. During her career, she has supported work across various government agencies and programs including the US Department of the Interior, Treasury Department, and the Office of the Inspector General in the Department of Health and Human Services. In the private sector, she has held various roles including those at the Walt Disney Company, Splunk, Constellation Energy (now Exelon), Mandiant, and Xerox.
Will Loomis is an associate director with the Cyber Statecraft Initiative. In this role, he manages a wide range of projects at the nexus of geopolitics and national security with cyberspace.
Jeff Moss is a nonresident senior fellow with the Cyber Statecraft Initiative. He is also the founder and creator of both the Black Hat Briefings and DEF CON, two of the most influential information security conferences in the world, attracting over ten thousand people from around the world to learn the latest in security technology from those researchers who create it. DEF CON just had its thirtieth anniversary.
Katie Nickels is the director of intelligence for Red Canary as well as a SANS certified instructor for FOR578: Cyber Threat Intelligence and a nonresident senior fellow for the Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the US Department of Defense, MITRE, Raytheon, and ManTech.
Marc Rogers is currently CSO for Qnetsecurity. He formerly worked at Okta, Cloudflare, Lookout, and Vectra. Rogers is a well-known security researcher (Tesla Model S, TouchID, Google Glass), senior advisor to IST, a member of the Ransomware Taskforce, and co-founder of the CTI League.
Emma Schroeder is an associate director with the Cyber Statecraft Initiative. Her focus in this role is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners.
Stewart Scott is an associate director with the Cyber Statecraft Initiative. He works on the Initiative’s systems security portfolio, which focuses on software supply chain risk management and open source software security policy.
Chris Wysopal is the co-founder and CTO of Veracode, an application security technology provider for software developers. He was one of the original software vulnerability researchers in the 1990s. He has testified in Congress on the topic of government cybersecurity.