Rampant malicious activity in cyberspace hurts individuals, companies, and government agencies, while threatening US national security. The expected release of a new National Cybersecurity Strategy by the Biden Administration is an occasion for us to learn lessons from past efforts to reduce cyber risk, and to decide what further steps we might take.
The United States has issued such strategies in the past. Before my tenure as the leading cyber security official at the Department of Homeland Security under President George W. Bush, I was a member of the White House team that crafted the National Strategy to Secure Cyberspace published in 2003. A cyber-related Executive Order by President Trump was released in 2018. In May 2021, President Joe Biden signed an Executive Order (EO) on cybersecurity requiring, among other things, that the federal government work with private companies and NIST to develop standards based on a zero-trust model of cyber risk management.
The new strategy under President Joe Biden is expected to place more emphasis on regulation and incentives to drive progress. The cybersecurity workforce gap will get greater attention, and there will be somewhat greater emphasis on the use of proactive, offensive measures to disrupt attackers’ operations, or at least raise their costs, building on some of the steps laid out in the Trump Executive Order of 2018. The long-standing efforts to use cyber insurance to incentivize action by companies will be tweaked.
According to the Washington Post, the strategy “for the first time calls for comprehensive cybersecurity regulation of the nation’s critical infrastructure,” which is made up of 16 sectors, only five of which are currently regulated. Glenn Gerstell, former General Counsel for the National Security Agency, in an op-ed characterizes the new strategy as an acknowledgement that we can no longer rely exclusively on free-market forces to protect America’s CNI.
Accountability is also key to better results, whether it is based on conformance to regulation, incentives, or contractual obligations. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), says what’s needed is “a model in which cyber security risks are an equal organizational priority with financial, operational, or market risk” and are “ultimately the responsibility of every CEO and every Board.”
More progress is needed
The new strategy will likely reflect the hard lessons learned from attacks such as those on SolarWinds in 2020 and Colonial Pipeline in 2021, which made it clear that America’s government systems and CNI are all too vulnerable.
But it is equally clear that not enough concrete steps have been taken to provide adequate protection and there has not been enough meaningful accountability for nonconformance to prior requirements and objectives.
Following publication of the 2018 executive order, in 2021 the US Government Accountability Office (GAO) made 145 recommendations to 23 federal agencies of what it described as “foundational practices” for managing ICT [information and communications technologies] cyber security supply chain risk. Two years later, the GAO reported that none of the 23 agencies had fully implemented its recommendations, adding that “critical risks remain on supply chains, workforce management, and emerging technologies.”
As the regulatory details of the new strategy are revealed in the coming months, we should give more thought to how industry sectors and organizations can get better prepared without prescriptive regulation. Government should influence the duty-of-care requirements of companies and their boards of directors (who in fact legally “own” all risk) to develop and implement risk-informed cybersecurity and privacy programs that use risk-analytic tools like the NIST Cyber Security Framework (CSF).
Such programs, in turn, should be overseen within the organization by an enterprise-wide governance entity that reports to the C-level and the board of directors. That entity should use a tool like the NIST Cyber Security Framework (CSF) to create a risk profile and develop a plan to move toward an appropriate risk posture given the business objectives and risk environment of that organization.
The long-repeated call for cybersecurity expertise on boards alone is not the answer. Third-party expertise should give the board independent guidance on the use of the CSF, what risk profile is best, how and when the organization should get to that better risk posture, and what regular and special reporting to the board should look like.
The internal process should use the principle of separation of duties — i.e., the people who have to meet requirements are different from those who report up the hierarchy on whether the requirements are met. The requirements should be incorporated into key performance indicators for individuals, teams, departments, and business groups, and aligned across the entire enterprise to incentivize conformance and accountability.
Whatever the shape of the new strategy, collaborative implementation will be key. So will the acknowledgement that cyber security is a broadly shared responsibility and that meaningful penalties are essential for those entities that fail to take the steps necessary to appropriately manage the risk “to their networks and the U.S. ICT infrastructure.”