March 21, 2023

Markets & Free EnterprisePolicy

Highlights From The National Cybersecurity Strategy

By: Caleb Larson

Without a sound strategy for defending itself from cyber threats, America would be unable to protect its citizens, infrastructure, and data from foreign enemies and criminal organizations. That is why it is profoundly important that the new 2023 National Cybersecurity Strategy be evaluated on its merits. A proper foundation is needed for any endeavors seeking to improve the nation’s cybersecurity posture lest they be ineffective and costly. The recently announced strategy contains promising developments in our nation’s approach to cybersecurity and with proper implementation, it may chart an accurate path forward.

Broken up into five pillars, the strategy aims to identify key areas of focus for winning the battle in cyberspace. The first pillar is to defend critical infrastructure. America has seen increasing attacks on critical infrastructure that it relies on to operate everything from oil pipelines to water treatment facilities. These systems are often insecure and vulnerable, allowing dedicated threat actors to compromise at will. If critical infrastructure is not secured properly, America risks allowing cyberattacks that could debilitate the energy grid or poison the water supply. The strategy outlines plans for regulations that will stop the current piecemeal approach that relies on voluntary adoption. It also describes ways to increase the collaboration between critical infrastructure operators and the federal government through scaling existing relationships and clarifying roles for government agencies.

Threat actors are dealt with specifically in pillar two. Disruption efforts against threats can pay off as seen in the disruption of botnets, malicious infrastructure, and data leak sites. However, to be truly effective these campaigns must be frequent and continual as those who wish to take us downare adaptive. It is encouraging to see the strategy call this out directly by saying these disruption campaigns should be “sustained and targeted.” Alongside this acknowledgment are commitments to improve “technological and organizational platforms” and an expansion of the National Cyber Investigative Joint Task Force’s  (NCIJTF) capacity to coordinate it all. It is also nice to see ransomware get called out specifically with emphasis on international collaboration to combat it.

Pillar three is particularly noteworthy because it contains a shift in perspective relating to who is responsible for cybersecurity. The implementation of security in cyberspace is usually after the applications and services are deployed. Security controls are often put in place to deal with vulnerabilities and bugs in software. The strategy rightly identifies the issues that come with bolting on security after the fact and outlines work to help provide security from the start. The main drivers of this will come from the IOT security labeling program, holding software makers liable for insecure products, and using federal contracts to promote security standards.

The foundational technologies of the internet were not built with security in mind. Pillar four seeks to remedy this through setting an example in the federal government by adopting the secure versions of the most insecure technologies. It is hard to see this coming to fruition as it is typically the federal government that is lagging the private sector in innovation, but it is encouraging to see that the strategy takes the issue seriously. Investments in electric grid security and quantum-resistant cryptography are spot on, but pillar four also contains worrisome references to government sponsored digital identity solutions. There should be resistance to the development of digital identity by the federal government as such a system is ripe for totalitarian abuse as has been seen in China with their social credit score system. It is also concerning that the important issue of unfilled cybersecurity positions is being used to promote the divisive equity agenda that seems to pervade everything the Biden Administration does.

The last pillar focuses on the unavoidable international nature of the internet. Partnerships with other nations to promote a safe and open internet are crucial in combating the malfeasance and abuse of adversarial nations. Countering the influence of China in cyberspace will take center stage in the coming years as it seeks to become the chief rival of the United States. Information sharing between the four nations of the Quadrilateral Security Dialogue (United States, India, Japan, Australia) will play an important role in the strategy alongside the cyber coordination of the AUKUS pact between the U.S., Australia, and the United Kingdom.

The lives of Americans are becoming increasingly digitized alongside the systems and infrastructure they rely on for peace and prosperity. A clear vision on how to coordinate and plan for the future is required if America is going to thrive in the internet age. The 2023 National Cybersecurity Strategy builds upon existing efforts to improve America’s cybersecurity and promises to lay out how the nation can advance in such a complex domain. Through its five pillars, the strategy contains plenty of reassurance that the federal government realizes the significance of its role in protecting the nation and its citizens.