Continuity and Change within the New National Cyber Strategy
The release of the National Cyber Strategy (NCS) yesterday marks the culmination of multiple new cyber policy directives and strategic documents. From the continuous engagement described in the Command Vision for US Cyber Command to rescinding Presidential Policy Directive 20 to the Department of Homeland Security Cybersecurity Strategy, there is obvious momentum for the modernization of cyber strategy. The NCS is notable both for its continuity with previous strategies and for some significant pivots. As is true with all strategies, the key to modernizing cyber policy now relies on implementation.
Reasserting American Leadership to Preserve a Free and Open Internet
At a time when malicious cyber-enabled activity is targeting democracies across the globe, the NCS reaffirms not only American commitment to a free and open internet, but also American global leadership “to ensure that our approach to an open Internet is the international standard.” In this regard, the NCS reflects continuity with previous strategies with the focus on international cooperation and the promotion of the multi-stakeholder model for a free and open internet that protects privacy and civil liberties. It also is a counterpunch to China’s global push for cyber sovereignty and China Standards 2035, including technical standards across industries.
Elevating the Private Sector
The NCS also provides meaningful distinction from other strategic documents. First, this strategy arguably has as much focus on the private sector as the public. This is most evident in the frequent discussion of collaboration with like-minded entities, including information sharing as well as protecting critical infrastructure. However, a key priority within the strategy is to “clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response.” Instead of the current patchwork policies – such as different breach notification laws for each state – this may mean a more coherent and transparent approach to private/public sector protections and responses.
The NCS also addresses the need to incentivize robust cybersecurity investments, greater adaptability within infrastructure, and more secure supply chains. Discussions on fostering incentives for improved security usually allude to tax incentives. As more details on implementation become clear, it is notable to see a broader approach and new strategy that may offer ‘carrots’ for responsible cybersecurity.
Also of note for the private sector is a modernization of laws and infrastructure. The NCS prioritizes the modernization of electronic surveillance and computer crime laws, the latter of which may allude to the long overdue updating of the thirty-year-old Computer Fraud and Abuse Act. The NCS also highlights the role of automation and data analytics, including leveraging commercial-off-the-shelf capabilities. Each of these areas may also present opportunities for the private sector.
Much Ado About Offense?
Finally, following the rescinding of PPD-20 and the release of this week’s Department of Defense Cyber Strategy, there has been much consternation over a potential green light for unconstrained offensive cyber. It certainly is true that the administration is transitioning from a reactive to a proactive approach to counter malicious cyber activity. However, claiming unfettered offensive cyber authorities is an oversimplification of an extremely complex challenge in the same way that ‘pew pew maps’ (i.e., a hodgepodge of directed laser beams scattered across a global map) oversimplify the cyber threat landscape. It makes for great eye candy and sound bites but distracts from the core message.
The NCS definitely places a stronger focus on actively countering malicious cyber activity than previous strategies did, but it balances cost imposition and deterrence. That is, it balances offense and defense, while focusing on peace through strength. In fact, the NCS places much of this discussion within the norms framework. Offensive cyber is not even referenced within the NCS. Instead, the NCS focuses on the integration of cyber with all instruments of national power to counter the threats. It definitely is a stronger, more proactive approach, but it also is a strong counter to concerns of unfettered offensive cyber authorities.
Of course, with every strategy, the key is implementation. The NCS, and other recent strategic documents, lay a solid foundation for strengthening democracy and preserving a free and open internet through collaboration with allies and the private sector, while countering and imposing costs on adversaries. However, their efficacy rests largely on the implementation of these core priorities. For example, there have been a handful of proposed, bipartisan pieces of election security legislation that simply have not progressed in Congress. If the NCS and other strategic documents are truly going to instigate greater protection, deterrence, and resilience, the same sense of urgency must now resonate across the government and within the private sector to structure a viable roadmap to achieve the vision.