The Biden administration today released its 2023 National Cybersecurity Strategy, which marks the culmination of a monumental effort to draft a comprehensive approach to cybersecurity with the input of experts from the private sector, civil society, and regulatory agencies. The strategy highlights key threats to national security posed by cyber actors and acknowledges that ransomware continues to harm our society, economy, and interests.
At IST, we have been eagerly awaiting the strategy’s release. In our work on the frontlines of cybersecurity, including through the Ransomware Task Force, we have been actively involved in the fight to tackle ransomware and other cyber crime, bringing together public and private partners, and conducting research and taking action to mitigate cyber threats.
Below, we note three key priorities from the strategy that have the potential to directly affect our work. Above all, we emphasize that implementation is critical, and success will require resources, collaboration, and consultation with partners across the private sector, the international arena, and the cybersecurity community.
Improving and deepening operational collaboration between government and the private sector cybersecurity community:
The focus on improving and deepening operational collaboration between the government and the private sector, going beyond consultations and information sharing, is a long overdue development. This focus draws on the United States' most substantial strength in cyberspace: the breadth, expertise, and capacity of its private sector and technical community. Real collaboration goes beyond information exchange to establish regular, reciprocal engagement to tackle both specific vulnerabilities and general threats to the nation's digital ecosystem. To achieve the strategy's Strategic Objective 2.5 to defeat ransomware, it is imperative that the cybersecurity community build a rhythm of information exchange, partnership, and reciprocity between the government, the private sector, and the technical community. Scaling operational collaboration will require trust and flexibility from both the government and the private sector. We are confident that all stakeholders involved want to make tangible progress. IST will continue to collaborate to fulfill this objective.
Bringing all levers of national power and international partnership to bear when seeking to globally disrupt cybersecurity threats:
We commend the strategy's emphasis on leveraging all instruments of national power in order to disrupt and dismantle cybersecurity threats globally. While it is a trope that cybersecurity threats "know no borders," in reality, people in specific countries launch these threats using computer infrastructure across the globe, including infrastructure in the United States. DOD and other agencies' cyber operations are most effective when they are tightly synced with the use of other tools of national power. Diplomatic engagement, collaboration with law enforcement to take domestic action, and cooperation with the private sector can have a multiplying effect on cyber operations if and when they are necessary.
International collaboration, based on affirming a rules-based international order and the globally affirmed framework for responsible state behavior in cyberspace, offers tremendous opportunities for disrupting malicious actors, including ransomware criminals. The strategy's goal of expanding the United States' ability to assist partners and allies during a significant cyber incident is a huge step toward strengthening the global coalition of partners and allies that stand firmly on the side of an open, free, globally interoperable, secure, and reliable Internet. When combined with the strategy's commitment to enhance multi-stakeholder operational collaboration, and its affirmation of the value of partnerships like the Freedom Online Coalition, these approaches offer a holistic vision that will empower partners acting in good faith and rally the majority of the world to defend an open and secure Internet.
Reshaping the market, including by shifting responsibility for security, realigning incentives, and continuing to leverage procurement power to enhance cybersecurity, especially through securing open-source software:
Building on past efforts by the Biden Administration to move away from a purely voluntary approach to cybersecurity implementation, the strategy outlines a new approach to incentivizing stronger cybersecurity. It takes a dual approach: first, it calls for entities that fail to undertake basic security precautions to bear liability, while affording those that do safe harbor. Second, it calls for an assessment of whether current Sector Risk Management Agencies have the resources and capabilities to adequately oversee cybersecurity efforts. Without proper oversight and resourcing, establishing effective cybersecurity is a losing battle. By ensuring that companies understand their cybersecurity obligations and providing the necessary support to incentivize implementation, the strategy creates the conditions necessary to successfully elevate the cybersecurity posture of the United States.
Building security in from the ground up is both more secure and less costly in the long run than trying to add it retroactively. Given that software forms an essential foundation of the cybersecurity ecosystem, we commend the strategy's focus on its security. Together with other tools, software bills of materials (SBOMs) can aid in establishing software provenance and serve as an important tool in preventing, assessing, and mitigating software vulnerabilities. Further, as indicated by research on the Log4j vulnerability, SBOMs can help increase the speed of response when vulnerabilities arise. At IST, we are undertaking a new line of effort on securing the open-source software ecosystem. As part of this work, we are calling for a redoubling of support for existing software development frameworks and policies, including the integration of SBOMs.
IST is also glad to see the strategy’s emphasis on cyber resilience as part of maintaining American leadership in next-generation technologies and ensuring a global digital ecosystem that aligns with democratic values. Advanced technologies with security built into them from the start will ensure privacy and data integrity while solving some of the biggest problems facing the international community, including climate change, inequalities in education and income, unsustainable livelihoods, and more. In the increasingly competitive techno-industrial future, approaches like this national strategy will underwrite an open and creative world, where everyone is safe to use digital tools without fear of theft, repression, or physical harm.
A final note on implementation:
Now that the strategy is complete, the hard part begins: implementation. To achieve success, implementation must be collaborative. For example, the first attempt at extending regulatory frameworks in the wake of the 2021 Colonial Pipeline attack failed because the frameworks were reactive, created without consulting regulated companies, and overly prescriptive. In working with companies and others in the private sector to develop the second iteration of the regulatory framework, the government developed a considerably more effective and ultimately successful framework. Likewise, successful implementation of this National Cybersecurity Strategy will require close collaboration with the private sector, the cybersecurity community, and international partners.
At IST, we will continue to play our part in ensuring a more sustainable and secure Internet ecosystem. Our ongoing work within the Ransomware Task Force, as well as our efforts to develop a framework for a secure open-source software ecosystem, are actively furthering this strategy. We look forward to supporting the Biden administration as it implements this strategy.