In our first installment of expert reaction to the new National Cyber Strategy announced last Thursday, The Cipher Brief tapped a number of our experts, including former senior leaders from DHS, NSA, DoD, and the NSA’s UK counterpart, GCHQ, as well as private sector partners, to get their take on the 26-page document and the Administration’s plan forward.
In part two, we bring expert insight from former leaders at Cyber Command, DoD, the NSA and the private sector.
A reminder that the new plan buckets U.S. strategy around four main pillars: the first pillar includes securing federal networks and information, securing critical infrastructure, fighting cybercrime and seeking improved incident reporting. The second pillar outlines efforts to promote a digital economy, bolstering the protection of U.S. ingenuity, and focusing on building a more robust cybersecurity workforce. Pillar three focuses on efforts to encourage cyber norms and to both attribute and deter bad behavior. And the final pillar promises to work with ‘like-minded’ countries and to build international cyber capacity.
The plan follows the Pentagon’s new cyber strategy also released last week.
Lieutenant General Kevin McLaughlin (ret.), Former Deputy Director, U.S. Cyber Command
“I believe one of the issues of our time is figuring out how we secure our critical infrastructure from cyber attack. I like the focus on this issue in the document. The two greatest opportunities here are: the direction to refine roles and responsibilities between the federal government and the private sector, and identifying ICT providers as enablers in this space.”
“I like the up front discussion on deterrence and the emergence of more direct language about imposing costs on those that attack us in cyber.
Despite a few positive signs, the strategy falls short in four key areas:
It does not adequately provide DHS with the needed directive authority and contains no language that indicates DHS will be given the resources needed to “own” the federal cyber security mission. Each of the executive branch CIOs still has the ability to chart their own course and DHS remains a facilitator, collaborator, information sharer, etc.
The document mentions the cybersecurity of space as a focus area, but it missed an opportunity to identify space as national critical infrastructure and did not mention space as an area requiring prioritized actions.
In Pillar III, the section on deterrence, while important, has two key flaws. First, it should have discussed cyber as an area that plays a key role in deterrence broadly, instead of in the context of “cyber deterrence,” which is a flawed concept. China and Russia understand this and they use all instruments of national power, including cyberspace, to deter the US. It’s a powerful tool because we have no effective way to secure critical infrastructure or way to counter effective information operations aimed at undermining our democracy. Second, and even more important, the document in this section should have placed primary importance on linking the need to ensure cyber resilience in our overall critical infrastructure as a way to deny adversary benefit from cyber attacks. Instead, the document focuses on imposing costs on our adversaries when they attack us in cyber. Cost imposition is important, but only when balanced against being resilient and when we are willing to use cyber to impose costs in scenarios much broader than just when we are attacked in cyber.
Last, I don’t see sufficient priority in key areas to indicate the needed resources (dollars and people) will be applied to solving problems here. This area needs to be closely watched to determine whether there are any real “teeth” in this strategy,” said McLaughlin.
Kate Charlet, Fmr. Deputy Asst. Secretary of Defense for Cyber Policy
“I see significant continuity in this strategy, but there are notable additions. The strategy emphasizes cybersecurity in space, which gives new focus to increasingly worrisome cyber threats to capabilities like position, navigation, and timing (PNT). (Fellow Cipher Brief expert Lt General (ret) Kevin McLaughlin has commented thoughtfully on the need to examine whether space should be considered its own critical infrastructure sector.) The boost given to maritime and transportation cybersecurity, likewise, will reinforce the Pentagon’s need to better assure its vulnerable logistics networks. Finally, the only new program in the strategy–the Cyber Deterrence Initiative—gives needed momentum to coordinate responses to malicious activity among allies and partners; this strengthens both deterrence and norm-setting. I saw one major missed opportunity, which was the need to increasingly focus federal cybersecurity initiatives around identifying and prioritizing critical federal functions and missions, similar to the approach used for broader critical infrastructure initiatives.”
Rhea Siers, Former Deputy Associate Director for Policy, NSA
“Good to see that this strategy builds upon our previous policy. As always, the devil’s in the execution and in closing long-standing gaps – especially in assigning lanes to Federal Agencies and the private sector on incident response and risk management.
“A few items worth noting — the discussion of “modernizing electronic surveillance and computer crime laws” – is obviously badly needed, and the Computer Fraud and Abuse Act (CFAA) should be first on that list for review and revision. The Cyber Deterrence Initiative aspires to building a coalition to confront bad cyber actors. Once again, it sounds laudable but it has to be more than joint attribution of attacks. We don’t know what the replacement for PPD 20 says about offensive cyber operations, but we should be concerned about this process, how intelligence agencies are involved, and how the uses of cyber and non-cyber power are integrated.” says Siers.
Dmitri Alperovitch, Co-Founder & CTO, CrowdStrike
“I am very pleased to see the new National Cyber Strategy formally establish the precedent to make routine the ‘work with like-minded partners to attribute and deter malicious cyber activities’. This is a key and necessary step that has been lacking in US cyber policy for many years.”
Randy Sabett, Special Counsel, Cooley
“The National Cyber Strategy (appropriately) places a significant focus on governmental actions and activity, particularly related to reactive types of activity. The Strategy starts out on a very positive note by stating that the “Government, private industry, and the public must each take immediate and decisive actions to strengthen cybersecurity” (my emphasis added). The Strategy clearly recognizes the Government’s role in securing critical infrastructure and deterring (and, if necessary, punishing) malicious cyber actors. It seemed, however, that the Strategy could have gone further in terms of recognizing that cybersecurity is an “all-of-society” effort and providing more than just aspirational statements about private sector issues.”
“For example, it would have been helpful to see more details about where and when governance levers (including regulatory) might be used to help, not hinder, the aspirational goals for the private sector.
The Strategy has several good points to it. It focuses on four pillars that encompass most of the cyberspace needs that exist today. Since the Government plays a primary role in protecting critical infrastructure, there is really good detail on the various elements over which the Government has authority. Because I believe the topic has not been fully vetted at a national dialog level, I think the Strategy’s statement that the Government will use “[a]ll instruments of national power” in its cyber mission, including “military (both kinetic and cyber)…capabilities” was helpful. This echoes the more direct elements in the DoD’s strategy about offensive cyber capabilities. More dialog is needed on the topic of offensive cybersecurity, particularly related to the ability for the private sector to avail itself of such offensive capabilities.
While there are a few broad statements in the Strategy about public/private interactions and encouragement of certain behaviors, a successful cyber strategy requires a governance model where all entities are aligned in working toward a common goal. It would have been helpful, for example, to see more specifics around how to incentivize behavior by both private industry and citizens. In a section entitled “Incentivize Cybersecurity Investments”, the Strategy simply states that the Government will work with non-Government entities “to promote understanding of cybersecurity risk so they make more informed risk-management decisions, invest in appropriate security measures, and realize benefit from those investments.” While a strategy document can’t get into specifics, simply working with the private sector to promote understanding of risk has not been successful over the past 20+ years. It would have been more compelling to say, for example, that the Government would provide tangible incentives to those companies who demonstrate a commitment to cybersecurity. What forms those incentives take or how commitment could be demonstrated would be left for Congress or the agencies to work through, but could include, for example, tax breaks for companies that achieve certain levels of cybersecurity (and go beyond just “continuous updating of standards and best practices”),” says Sabett.
“Lastly, the section on improving incident reporting and response states only that the Government “will continue to encourage reporting of intrusions and theft of data by all victims.” Where is there any mention of incentivizing such reporting? Why not make at least a high level commitment to provide tangible incentives to entities that report cybersecurity incidents? This could take the form of certain liability limitations and/or enabling of non-attribution for reporting of cyber incidents.”