The Biden Administration’s ambitious new National Cybersecurity Strategy will significantly improve cyber defence. Written for cyberspace as it exists and operates now, it abandons the previous emphasis on deterrence, which has not worked, and focuses on resilience and regulation. It also shifts important security responsibilities to developers and providers of IT services and products, and creates new opportunities for close cooperation with European partners.
Strategies can often be tedious collections of platitudes. The new National Cybersecurity Strategy is not one of those. Released on 2 March, the Biden Administration’s new cybersecurity strategy, prepared by the White House Office of the National Cyber Director, departs from previous cyber strategies in significant ways. It confronts hard problems: liability for IT products, the importance of third-party services, the need to reduce systematic vulnerabilities in foundational internet technologies and the need to act against the de facto immunity of cyber criminals. This is an ambitious strategy that, when implemented, will significantly improve cyber defence.
The strategy has five ‘pillars’: (1) defending critical infrastructure, (2) disrupting and dismantling threat actors, (3) using market forces to shift responsibility for cybersecurity, (4) investing in R&D and the workforce and (5) forging international partnerships. The attention to regulation reflects the domestic focus of the strategy (Congress has ordered the State Department to issue a diplomatic strategy by 2024). This new strategy is written for cyberspace as it exists today, not as it existed 30 years ago, and builds for future need by promoting research, building the workforce and creating incentives for companies.
One major departure from past thinking is that the Strategy does not mention deterrence at all. Deterrence has been something of a fetish for American strategy and in the discussion of cybersecurity, but the dilemma is that deterrence does not work in cyberspace. The authors of the Strategy shared this belief from the moment they took office for the simple reason that we have deterred nothing. This starts the United States on a new path for cybersecurity.
Another major departure is that the Strategy uses the word ‘regulation’. In the past, the US had relied on a voluntary approach to cybersecurity. This voluntary approach did not work any better than deterrence, and the Biden Administration was confronted by significant and immediate failures when it took office, such as SolarWinds, the Microsoft Exchange hack by China and the Colonial Pipeline incident. These incidents shaped the thinking behind the Strategy.
Unlike in Europe, regulation has been something of a radioactive topic in the discussion of cybersecurity policy in the US. Legislators and policymakers preferred a voluntary approach, under which companies would choose to improve their own cybersecurity defences. The result was market failure – voluntary efforts did not deliver adequate cybersecurity and things have gotten worse, not better. Hence the acceptance of the need for some regulation, which the strategy sometimes calls mandatory ‘cybersecurity requirements’. These will be developed collaboratively with companies, based on the work of the National Institute of Standards and Technology (NIST) and on private sector best practices. The Strategy continues the ‘sector specific approach’ developed in the Obama Administration for critical infrastructure.
These issues of responsibility and liability have been present since the initial commercialisation of the internet. The commercial internet arrived in a different, less challenging era, but many of the rules that still apply to its use date from this era of happy millennialism. Taxes were waived, privacy ignored and voluntary governance was held to be adequate. The Strategy has the goal of shifting responsibility (and liability) from users to providers of IT services and products. It proposes ways to rebuild the edifice of security and responsibility in ways that move away from the 1990s, such as accelerating the adoption of upgraded BGP and IPv6, and ending the ‘shrink wrap’ rule, whereby, once a user opens a software product (back when software came in boxes wrapped in plastic film), all liability for any programming errors transfers to them. Software is the only product where this rule exists. Light regulation was meant to encourage internet adoption. It has succeeded and it is time to move on. The Strategy’s authors were aware of the challenge of a laissez-faire inheritance and sought to address it in ways that avoid both market failure and over-regulation.
Increased responsibility includes mandating the use of secure development practices. This builds on Executive Order (EO) 14028 from May 2021, which was issued in part in response to SolarWinds. One of the findings of the SolarWinds incident was that commercial software can sometimes include basic coding errors that practically invite hackers to intrude. EO 14028 uses the power of Federal acquisitions to require the use of secure coding practices (developed by NIST) by those who wish to sell to the government, in the belief that these more secure products will populate the larger market for software.
Pillar 2, disrupting and dismantling threat actors, is another recognition of the new environment. Close study of ransomware attacks showed that cyber criminals, even if located in Russia, depend on Western cyber and financial infrastructures, and that there is often a lag of a few days between the crime and the distribution of the ransom payment during which Western law enforcement agencies can claw back funds. Pillar 2 calls for new responsibilities for cloud service providers (building on earlier EOs) that will improve customer identification, including gathering identifying information for all customers and verifying the identity of foreign customers, while safeguarding privacy.
The strategy is ambitious, with details and proposals that a short blog entry cannot address. Implementation is the next task. It will be challenging, working with a divided Congress (although cybersecurity remains nonpartisan) and with many private and foreign partners. The Administration has consulted widely and frequently with the many interested parties and this provides a degree of acceptance that could ease implementation. Some of the proposals require no new funding or new authorities. This makes them relatively easy to accomplish. Others will require legislation. New regulations or the creation of market incentives will require careful policymaking to minimise unintended effects. Most importantly, the strategy creates new opportunities for close cooperation with European partners on standards, common rules and increased collaboration against cyber adversaries. Working together with other key allies, the Strategy points to a path to rebuild a more secure cyber environment.
About the Author
James A. Lewis
James A. Lewis is a senior vice president at the Center for Strategic and International Studies (CSIS), where he directs the Strategic Technologies Program. Before, he was a diplomat with extensive negotiating, politico-military, and regulatory experience, as well as rapporteur and senior adviser for four UN Groups of Governmental Experts on Information Security.