National Cybersecurity Strategy – Shaping the future of cyberspace with IT

In March this year, the White House released its National Cybersecurity Strategy, updating U.S. policy for the first time since 2018.  The strategy’s principal function is to guide members of U.S. federal departments and agencies in the implementation of the Biden administration’s cybersecurity objectives.  These organisations range from the Environmental Protection Agency and Transportation Security Administration, which have responsibility for setting cybersecurity requirements for industries in their sectors, to the Departments of Homeland Security, Defense, and Justice, which are additionally assigned many of the United States’ overarching cybersecurity responsibilities.  

The strategy’s aspiration is to create “… a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”   

Though the strategy’s direct influence falls on the U.S. executive branch, it will shape the future of cyberspace and the use of information technology for many other entities.  Framed across broad, interdependent interest areas, strategic objectives are categorised under five pillars: 

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The strategy is worthy of attention by many more than its intended primary audience, especially the private sector.  Below are three critical takeaways found throughout the strategy that highlight the most important developments that will likely affect private sector organisations.

1. Public-Private Partnership on Operational Matters:

The strategy is a distinct step forward from its predecessors.  It is not the first U.S. cyber strategy to acknowledge the private sector’s importance to cybersecurity, but it is the first that recognises the importance of the private sector as a partner to the U.S. Government rather than a mere contributor.  This is perhaps a recognition of private control over most portions of the domain’s infrastructure, the software that runs it, and the individuals who use it.  

Cyberspace’s terrain is redesigned, technically and cognitively, by hundreds of millions of users daily, most of whom are not under the control of or employed by any government.  The time for governments to recognise that the domain is governed by forces they need to partner with is past due, but it appears that time has arrived.

The strategy states that facing adversaries, “… will require greater collaboration by public and private sector partners to improve intelligence sharing, execute disruption campaigns at scale, deny adversaries use of U.S.-based infrastructure, and thwart global ransomware campaigns.”  

Many of the discussed practices are already in place, and most are administrative in nature, but the phrase ‘execute disruption campaigns’ is particularly remarkable.  It contemplates asking the private sector to participate in operational activities.  While cyberspace operations rarely lead to traditional military operations’ most serious consequences, they do require similar levels of focus and dedication to process.  

Despite inherent challenges, integration is essential to disrupting criminal and nation-state threat actors because, “The private sector has growing visibility into adversary activity. This body of insight is often broader and more detailed than that of the Federal Government, due in part to the sheer scale of the private sector and its threat hunting operations….”  Private sector organisations will need to interface with the U.S. federal government to share information and take actions that support cyberspace operations at the scale and pace required for effective operations.

2. Regulatory Development:

While free market advocates may not admit it, the strategy aptly states that, “market forces alone have not been enough to drive broad adoption of best practices.”  The absence of regulatory requirements, and of consequences for failing to meet them, has led to software vulnerabilities and under-protected information technology systems, along with the physical components attached to them, including critical infrastructure.  Regulatory regimes must be leveraged to improve behaviours and practices.

While greater responsibilities and associated costs may be imposed on the private sector, there is nevertheless hope for free marketers.  The industry has been invited by the regulators to help develop the relevant rules: “A collaborative process between industry and regulators will produce regulatory requirements that are operationally and commercially viable and will ensure the safe and resilient operation of critical infrastructure.”  

The strategy acknowledges that not all are well-resourced to implement cybersecurity measures: “Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity.”  The same could be said of all sectors.  Hopefully this acknowledgement will lead to appropriate levels of government support as well as proportional accountability measures. 


3.Liability for Software Vulnerabilities:

Specific to software development, there is a particular motivation for reform: “To build the secure and resilient future we want, we must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.”  

In most cases to date, software developers have prioritised functionality over security, asking licensees to hold them harmless in exchange for the use of their products. The strategy states, “We will shift the consequences of poor cybersecurity away from the most vulnerable, making our digital ecosystem more worthy of trust. In this effort, we will not replace or diminish the role of the market, but channel market forces productively toward keeping our country resilient and secure.”

The strategy elaborates, “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software….”  

The strategy’s consistent references to market forces and regulation reflect the delicate balance between innovation and security that is necessary to create an effective information technology environment.

The private sector, including international organisations, should look for opportunities to participate in executing the U.S. National Cybersecurity Strategy, as the Biden administration encourages.  This is an unprecedented opportunity, and hopefully one that will be emulated by other democracies.

Teamwork between the private and public sectors is essential to securing cyberspace.  Now, as enshrined in the strategy, that concept is not only wise, but also policy.

Lieutenant Colonel and Judge Advocate with the US Marine Corps