What Tech Wants to See in the Upcoming U.S. National Cyber Strategy

As the Biden Administration develops its National Security Strategy (NSS), the Office of the National Cyber Director (ONCD) is also undertaking an effort to develop a National Cybersecurity Strategy (NCS) to be housed under the NSS. The NCS will be instrumental to ensuring that America’s cybersecurity posture is fit-for-purpose, reflects the constantly evolving threat landscape, and can help build upon and advance the coherent federal agenda outlined in the Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028).

The NCS will be a critical document for the ONCD, given the new and unique role bestowed upon it to “cultivat[e] unity of purpose and efforts across agencies and sectors” by ensuring federal coherence, improving public-private partnerships, aligning resources to aspirations, and increasing present and future resilience. Below, we outline key areas that we hope to see in the forthcoming NCS, and which we believe will help the ONCD achieve its stated objectives.

Set clear and measurable goals with specific timelines. These goals should be accompanied by a specific identification of the federal entities charged with completing these strategic activities. Prior federal cybersecurity strategic documents have lacked specificity, materially undermining their successful implementation and inhibiting stakeholder engagement. At the same time, the NCS should not be overly specific about particular products or technologies, as it then runs the risk of quickly becoming outdated.

Articulate a comprehensive future vision for public-private collaboration, including the role of international standards bodies. Public-private partnerships and other multistakeholder approaches are essential to addressing our shared security challenges. We believe that the ONCD should continue to stress the importance of public-private collaboration in the NCS, particularly as government and industry often have access to unique information sets that only when taken together provide a complete picture of the threat landscape. In articulating such a vision, the ONCD should include a thorough catalog of existing public-private partnerships, clearly define roles for the Joint Cyber Defense Collaborative (JCDC), the NSA Cybersecurity Collaboration Center, and other relevant entities, and lay out a plan that encompasses real-time sharing of actionable intelligence by the government while advancing more effective operational collaboration.

Explain how the administration will bolster the U.S. cybersecurity workforce. The ONCD must consider the implications of the cybersecurity workforce as it develops the NCS. As of today, there are about 700,000 unfilled cybersecurity jobs. This number is growing, and it is critical that efforts are in place to address it. Maintaining the nation’s security through cybersecurity is pivotal to protecting and defending the digital and traditional economy and infrastructure, and to addressing software vulnerabilities. National Cyber Director Chris Inglis recently held the National Cyber Workforce and Education Summit at the White House with Secretary of Labor Martin J. Walsh, Secretary of Homeland Security Alejandro N. Mayorkas, and several other federal government representatives, private sector executives, and leaders in the cybersecurity field. This summit was an important step that highlighted the need for the government and private sector to jointly focus on rejuvenating skills-based pathways of opportunity for cybersecurity-specific jobs. We encourage the administration to continue to explore alternative pathways, apprenticeship training programs, and private-public collaboration to meet evolving cybersecurity workforce needs while also working to build new pipelines for “historically untapped talent, including underserved and diverse communities.” Advancing these initiatives and having a prepared cybersecurity workforce is essential to U.S. efforts to maintain national security.

Outline how the ONCD will streamline approaches to cybersecurity policymaking, including articulating its plan for driving tighter federal coordination. There has been a breadth of policymaking activity related to cybersecurity since the administration took office, most notably EO 14028, but also the Cybersecurity Performance Goals, the regulations stemming from the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and efforts to further develop the concept of Software Bill of Materials (SBOM), among others. It would be beneficial for the NCS to articulate a vision for how these activities relate to each other, as well as how they can best be streamlined and/or made to complement each other. In particular, it would be useful to include a discrete section explaining how cyber supply chain risk management activities are related to the broader set of supply chain security and resiliency policies that have also been promulgated.

Emphasize the importance of taking a risk-based, outcomes-focused approach to cybersecurity policy and practice. In articulating a vision for the future of cybersecurity in the United States, the ONCD should continue to emphasize this as a foundational principle throughout the NCS, as this will ensure that efforts are appropriately targeted and will help to preclude the creation of a prescriptive cybersecurity regime that is not fit-for-purpose. It should reference the National Institute of Standards and Technology Cybersecurity Framework (and forthcoming revision) as a baseline tool to facilitate such an approach both across the government and around the world.

Convey the administration’s approach to international cybersecurity collaboration. Cybersecurity is a global imperative, and it will require engagement of countries around the world in order to ensure that cyber risks and threats are addressed in a unified fashion. The NCS should explain how the government will engage on cybersecurity across borders, including offering ideas around how it will work to harmonize or streamline regulations not only in the United States, but also in other nations. As a part of this, the NCS should delineate how the international bureaus and/or arms of various relevant agencies – such as the Bureau of Cyberspace and Digital Policy of the State Department, the internationally focused aspects of CISA and the Department of Homeland Security’s Office of Strategy, Policy, and Plans, as well as the FBI – will work together to advance international cyber objectives.
