In March, the Biden-Harris Administration released the National Cybersecurity Strategy, a reimagining of the responsibilities and actions necessary to support the country’s cyber defense. The strategy is divided into five pillars: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
This ambitious strategy hinges on shifting responsibility for cybersecurity and leveraging incentives to drive implementation. Several experts in cybersecurity weighed in on the new strategy and how it could improve the national cybersecurity posture.
Right now, the burden of cybersecurity falls to the end users of technology: small businesses, local governments, and individuals. “Software companies, and those that produce hardware, and the telecom industry as a whole, are all economic participants in the fruits of the greater use of technology but are largely not held accountable for making it safe,” says Tony Scott, a former federal CIO and president and CEO of cybersecurity and network monitoring company Intrusion.
The new strategy seeks to change that. Stacy O’Mara, senior leader of global government strategy, policy, and partnerships at cybersecurity company and Google subsidiary Mandiant, points out that the current administration has done a good job engaging various stakeholders in sharing cyber threat information, but that isn’t enough. “There’s no mechanism for real accountability, which is what I think the strategy is seeking to inject,” she says. “I see a desire from the government to shift responsibility from the users to large stakeholders who manage concentrated risk and can more easily shoulder the burden from a resource perspective.”
Making that shift a reality is going to mean creating incentives. “We must shift incentives so that when entities across the public and private sectors are faced with the trade-offs between easy but temporary fixes and durable, long-term solutions, they have the resources, capabilities, and incentives to consistently choose the latter,” an Office of the National Cyber Director (ONCD) spokesperson said in a statement to InformationWeek.
Regulation will be a necessary element in incentivizing this fundamental shift in responsibility. “Our strategy reflects the reality that voluntary measures will not be enough to deliver the cybersecurity posture we need to enable our digital society,” according to the ONCD spokesperson.
While new regulation certainly has a role to play, so do other forms of incentive. “Simply adding mandates and regulation could have detrimental economic impacts, promote a ‘bare minimum’ approach to compliance and pass costs downstream. Standard federal incentives such as procurement preferences, tax credits, and grant funding, will go a long way,” explains David Aaron, a privacy and security law attorney at international law firm Perkins Coie.
New enforcement and regulations that do come into play could be more effective if they are more rooted in remediation than penalties, according to Aaron. “Safe harbors and regulatory efforts that focus more on remediation than penalties are important,” he says. “Enforcement and remediation efforts should be risk-based and should not rely on simple check-the-box compliance requirements.”
Public and Private Collaboration
Public and private stakeholder collaboration is essential to realizing this national strategy. “I suspect many entities are worried about additional regulations. This is why it’s important for the private sector to stay engaged with the Administration (and vice versa) to help think through creative, sustainable and flexible solutions to some of the challenges we’re facing as a nation around cybersecurity,” O’Mara says.
While that collaboration is vital, the sheer number and variety of stakeholders involved present a significant logistical challenge. “Each critical infrastructure sector is unique, and cybersecurity solutions aren’t one size fits all,” says Aaron Faulkner, managing director of the Accenture Federal Services cybersecurity practice at IT services and consulting company Accenture. “As the administration reviews current authorities and looks for gaps in federal and critical private defenses, we encourage policymakers and industry to work collaboratively to analyze how current standards or potential changes may impact their systems and find solutions that increase cyber resilience.”
Collaboration between the Administration and Congress is essential to realizing the National Cybersecurity Strategy. It is also likely a roadblock. “As a former General Counsel of the White House Office of Management and Budget, I see everything through the lens of the budget. In a divided Congress with narrow majorities, the legislative process for funding these priorities will be cumbersome,” Ilona Cohen, chief legal and policy officer at cybersecurity company HackerOne, anticipates. “Legislation may move slowly, but cyber threats and criminal groups will continue to proliferate rapidly.”
Adding to the challenges, any initiatives that do emerge to support this new strategy will need to be nuanced. A one-size-fits-all approach will not work: different sectors face different risks, have differing access to resources, and have varying levels of familiarity with cybersecurity.
Time remains on the side of threat actors. As threats evolve, the National Cybersecurity Strategy will need to be flexible — a tall order considering the complexities of the collaboration required and the legislative process. “Every regulation and incentive has potential unintended and unpredictable consequences. The system has to retain flexibility to incorporate corrections in near-real time,” Aaron says.
Legislation, funding, incentives, and collaboration, each with inherent challenges, are all vital in realizing the National Cybersecurity Strategy. “The National Cybersecurity Strategy has big, bold objectives across a comprehensive set of cybersecurity issues we face today. It is not meant to be a detailed accounting of every challenge or opportunity, but to focus our combined efforts on the ways we can make our digital ecosystem more defensible and resilient,” according to the ONCD.