The US Needs A Cybersecurity Strategy Sooner, not Later

By Javed Ali

Javed Ali has over twenty years professional experience in Washington, DC on national security issues, to include senior roles at the Federal Bureau of Investigation, Office of the Director of National Intelligence, and National Security Council focused on counterterrorism. He is an Associate Professor of Practice at the University of Michigan’s Gerald R. Ford School of Public Policy.

By Georgia Wood

Georgia Wood is a Program Manager and Research Associate with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS)

OPINION –  The United States is under attack.  U.S. organizations and businesses are being targeted with cyberattacks from nation states and criminal organizations on a daily basis.

Over the past few years, we’ve seen the scope, scale, and sophistication of how a diverse group of adversaries uses a full range of cyber tools. They range from more “low-tech” tactics like distributed denial of service attacks (DDoS) that impair website operations to higher skilled tactics including sophisticated ransomware operations that hold critical data hostage , intelligence collection efforts designed to siphon sensitive corporate or government information, or wiper malware attacks that attempt to delete data and impact the operational networks for critical infrastructure systems. 

Russia’s invasion of Ukraine further exemplified the global cyber threat – new strains of wiper malware were created and deployed, and hackers targeted critical infrastructure operations including satellites, telecommunication services, and energy facilities.

As the list of cyber threats facing the United States and other countries around the world only seems to be increasing, what the country needs urgently is a new cyber strategy from the White House that lays out a unified framework for how the government will tackle these different threats, the new approaches that will be utilized to do so, and clear and transparent expectations that industry and other key stakeholders will need to follow with respect to new regulations to enhance cyber preparedness.

The Biden administration recently released its National Security Strategy, which was likewise long overdue. A National Security Strategy is required annually by Section 603 of the Goldwater-Nichols Department of Defense Reorganization Act of 1986, but is frequently delayed or does not come in at all.

The Biden administration strategy, which follows up from the Trump administration’s 2018 strategy, sets forth the numerous national security challenges that the United States and its allies must confront, with great power competition and climate change accentuated even more so than from the Trump-era document. 

Cybersecurity is referenced as well in the Biden strategy, but curiously, there is very little standalone text on the primacy of this topic until deep within the body of the paper—and then only gets about a paragraph titled “Securing Cyberspace” which describes how the United States “will work with allies and partners to . . . define standards for critical infrastructure to rapidly increase our cyber resilience,” amongst other lofty objectives.  But beyond this paragraph halfway through the document, cybersecurity is not given much more attention.

Register for The Cyber Initiatives Group Virtual Winter Summit on December 13 to stay ahead of what’s coming in cyber.  Registration is free for this master class in public-private collaboration on cyber issues.  Register today

A good way to bridge the gap in focus on cybersecurity in the National Security Strategy and a more cyber-focused document is to release the administration’s Cyber Strategy. The last such US cyber strategy was published by the Trump administration in 2018 , and while the Cybersecurity and Infrastructure Security Agency (CISA) already released the agency’s first strategic plan in September—it is not a national strategy.   A cohesive, government-wide document that outlines the Biden Administration’s approach to cybersecurity is critical, especially amidst confusion over newly established cyber roles.  Media reporting and statements from the senior officials like Chris Inglis, the country’s first-ever National Cyber Director, suggest that the Biden administration’s cyber strategy has been under development for some time.  Recently, Director Inglis stated that the strategy will spell out some of the “tough” measures like new cyber-related standards or expanded regulations for the private sector in line with NCD’s cyber social contract. Other reporting suggests that he and his team have for months been consulting with a range of potentially effected stakeholders to solicit their feedback and get their buy-in, which is a good government approach and senior officials have stated the “industry feedback has been really good.”. 

But the strategy is still under review and may not be released for months.

Going forward, the White House must balance the demands of getting full buy-in from a diverse range of government and industry partners on something as important as a new strategy, while acknowledging that the velocity, scope, and pace of the cyber threats remains persistent and is projected to grow in the future.  As a result, releasing the new strategy is more urgent than ever.

The Cipher Brief is committed to publishing a range of diverse expert views on national security issues. Cipher Brief Opinions columns represent the views of the authors and not The Cipher Brief. Have an expert-cased view to share? Shoot us an email at [email protected]

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

Related Articles