With every president since George W. Bush, there’s been an updated National Cybersecurity Strategy. It just goes with the territory, and usually doesn’t change much.
But the Biden administration’s plan, unleashed in March with the goal of issuing a follow-up implementation plan by early summer, breaks the mold with its proactive, “defending forward” approach.
Unlike previous approaches that were more reactive in nature, the latest White House plan addresses high-profile data breaches and ransomware attacks launched from hostile nation-states through a blend of offensive and defensive measures. The document is intended to serve as general policy for federal cybersecurity efforts and would also provide strong guidelines for private businesses to follow.
Specifically, the strategy breaks down into five pillars:
- Defend critical infrastructure.
- Disrupt and dismantle threat actors.
- Shape market forces to drive security and resilience.
- Invest in a resilient future.
- Forge international partnerships to pursue shared goals.
While the words may seem vanilla, the concepts within them are far from it.
Most notably, the notion of government working to disrupt and dismantle threat actors builds on several years of talk—controversial, game-changing discussions—from the Department of Defense’s U.S. Cyber Command. Here, experts debated a new strategy to seize the initiative from hackers and go after them around the world through “persistent engagement” and partnership activities. The DOD defines persistent engagement as “defending forward” to disrupt malicious cyber activity at its source, including activity falling below the level of armed conflict. So, if a device, network, organization, or adversary nation is identified as a threat to U.S. networks and institutions or is actively attacking them in or through cyberspace, “it can expect the United States to impose costs in response,” states a U.S. Cyber Command factsheet.
In addition to such disruption and dismantlement, the White House strategy also seeks to change the cybersecurity game by overtly suggesting the tech sector needs to do more to fortify its products and services. Beyond the pillars, the plan also stands out by including an entire section on ways to implement it.
[Biden’s new cybersecurity plan] is far more detailed, has some more advanced policy ideas in it, and is poised to become actionable.
Elements of the strategy—especially those suggesting the private sector could face stiffer regulations if it doesn’t hop aboard the cybersecurity train—would require federal legislation to pack any punch. That could be challenging in this era of political divisiveness. But overall, many industry observers believe events like the Colonial Pipeline and SolarWinds hacks have sounded the alarm on rising cyberthreats so that both sides of the aisle are now motivated to act. As such, this latest national security plan could lead to some level of real change.
“It is far more detailed, has some more advanced policy ideas in it, and is poised to become actionable,” says Glenn Gerstell, a former general counsel for the National Security Agency (NSA). “Prior administrations issued strategies that weren’t set up to be implemented. This one was.”
The rise of persistent engagement
In some ways, implementation began well before the White House published its plan. For example, three months before Russian tanks rolled into Ukraine last February, U.S. forces conducted cyber operations alongside Ukrainian Cyber Command personnel in one of the first “hunt forward” operations on record.
Such persistent-engagement partnerships have since taken place at least 44 times in 22 countries, including Estonia, Lithuania, Croatia, Montenegro, and North Macedonia.
Little detail has been provided on the outcomes of these campaigns or if they ever went beyond fact-finding missions and sought to disrupt or destroy specific hacking gangs or networks. But a prepared statement from Army Maj. Gen. William Hartman, after U.S. cyber specialists spent three months in Albania responding to alleged Iranian cyberattacks against government systems, suggests they have.
“When we are invited to hunt on a partner nation’s networks, we are able to find an adversary’s insidious activity in cyberspace and share it with our partner to take action on,” Hartman said. “We can then impose costs on our adversaries by exposing their tools, tactics, and procedures, and improve the cybersecurity posture of our partners and allies.”
These partnerships are not merely a boon for governments. Private enterprise can also benefit. In the case of the Albanian operation, the hunt forward team reportedly shared information it uncovered with both the Albanian government and private companies that play critical roles in the digital infrastructure of both Albania and the U.S.
Shifting responsibility to the tech sector
Aside from becoming more proactive, the White House’s cybersecurity strategy also seeks to set minimum standards that tech companies should follow when developing and releasing products.
A voluntary approach to securing [critical infrastructure and networks] is inadequate.
Some high-tech hardware and software vendors have certainly paid some attention to cybersecurity during product development. But the Biden administration plan envisions a more aggressive, industrywide effort than the way it’s been—because traditional approaches haven’t been doing the trick.
“The fundamental recognition in the strategy is that a voluntary approach to securing [critical infrastructure and networks] is inadequate,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said during a Center for Strategic & International Studies event.
Without directly saying so, the strategy appears to threaten imposing cybersecurity regulations to raise the security posture of the nation’s digital environments—something previous White Houses were hesitant to do, according to Gerstell. But the threat landscape has intensified so much, he says, that uttering the “R” word is no longer the political hot potato it once was.
“Three or four years ago, all of these companies that were hit with big ransomware or other cyberattacks could have done more about cybersecurity, and they haven’t for a variety of reasons, including the fact it can be cost-prohibitive to do so,” Gerstell says. “So, for the first time, we have the federal executive branch saying as a matter of official policy, ‘We need to change the liability, we need to change the economic system, and we need more regulation.’”
Why a Biden-business partnership can work
Matt Hayden, vice president of General Dynamics Information Technology and former senior adviser to the director at the Cybersecurity and Infrastructure Security Agency (CISA), notes the White House strategy does not precisely specify minimum standards for product cybersecurity readiness. Rather, he says, the policy suggests government and businesses will need to partner to determine what needs to be done to avoid the imposition of regulations or legal liability.
To be successful, this will require the powers that be, both on Capitol Hill and in industry…, to reach some middle ground.
“There’s no existing partnership model that allows for that,” Hayden says. “To be successful, this will require the powers that be, both on Capitol Hill and in industry, to work with regulatory regimes across government to reach some middle ground where they can get some things enacted.”
Hayden adds that business and IT leaders can cite the White House policy to hammer home the need for cybersecurity to be front-and-center in all product development and marketing activities.
“This strategy can serve as a real cheerleading effort to get more people into this fight,” he says.
Gerstell agrees and says businesses should skip the boilerplate complaints about potential regulation and, instead, get involved in addressing cyber threats.
“Don’t just issue a press release saying you are disappointed in the calls for more regulation and that the private sector is perfectly capable of handling this on its own,” he says. “Work with government and start helping to shape regulations. You will find that CISA is all ears and wants your suggestions.”
The time is ripe
Moving the national cybersecurity strategy forward could easily stumble and stall. Recognizing that possibility, the National Security Council (NSC) has been put in charge of implementation, working in tandem with the Office of Management and Budget (OMB) and Office of the National Cyber Director (ONCD). Those agencies would also be responsible for guiding targeted public and private sector investment “to keep pace with the speed of change inherent within the cyber ecosystem,” the strategy concludes.
Gerstell says such outreach to lawmakers could meet with surprisingly positive responses.
“This is a thoughtful, meaningful strategy hitting at exactly the right time because there’s a receptive audience,” he says. “Ten years ago, everyone would have looked at this document, shrugged their shoulders, and said, ‘That doesn’t look right. We don’t need that.’ But the cyber landscape has changed. Timing is everything, right?”