Late last week the White House released its National Cyber Strategy, setting forth its approach to protecting U.S. critical infrastructure from global cyber threats. The National Cyber Strategy builds off of Executive Order 13800 “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” the cyber elements of the National Security Strategy, and the findings and recommendations in the Botnet Report released by the Department of Homeland Security and the Commerce Department.
The release of the National Cyber Strategy, just before the start of Cybersecurity Awareness Month in October, signifies a renewed focus on patching America’s cyber vulnerabilities and galvanizing cyber capabilities to achieve national security objectives. The Strategy outlines an overarching, “whole of government” approach that will guide agencies as they carry out their cybersecurity responsibilities and functions. The Strategy also signals the Administration’s key priorities and responsibilities for the private sector, particularly government contractors and providers of critical infrastructure, along with the ecosystem of vendors and suppliers that provide them equipment and services. Partnerships with industry to meet the objectives of the report are a theme throughout the Strategy, signaling both increased opportunities for engagement as well as added responsibilities for the private sector. Further, although the strategy itself does not specifically mention offensive cyber operations, it emphasizes that the Administration is adopting a more offensive posture, enabling the use of “[a]ll instruments of national power . . . available to prevent, respond to, and deter malicious cyber activity against the United States.”
The Strategy is organized around four key pillars: protecting government networks and critical infrastructure, developing an innovation and cyber workforce, deterring malicious cyber activity by enhancing U.S. attribution capabilities, and exporting open and free Internet values abroad.
Pillar I: Protect the American People, the Homeland, and the American Way of Life
The objective of this pillar is to protect American public and private information networks through increased resiliency and cyber risk management. The report calls on “[t]he United States Government, private industry, and the public [to] each take immediate and decisive actions to strengthen cybersecurity, with each working on securing the networks under their control and supporting each other as appropriate.”
Priorities include centralizing management and oversight over federal agency cybersecurity, aligning risk management and information technology, and improving federal supply chain risk management to be consistent with industry best practices. The Strategy states that the Administration “will integrate supply chain risk management into agency procurement and risk management processes,” make greater efforts to review and assess contractor risk management practices, and use the purchasing power of the Federal Government to encourage private sector adoption of cybersecurity best practices and standards.
A key part of this pillar is devoted to securing critical infrastructure. The Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation. The Strategy highlights the importance of information and communications technology (ICT) providers, due to the enabling function they provide across sectors. The Administration commits to strengthening information sharing with ICT providers, including sharing of classified threat and vulnerability information with cleared ICT operators. The Strategy encourages industry-driven certification regimes to enable strong and nimble cybersecurity solutions for communications technologies. The Strategy also aims to combat cybercrime through improved incident reporting, which, the report says, will involve working with private industry to address challenges presented by technological barriers such as anonymization and encryption to obtain time-sensitive information.
Pillar II: Promote American Prosperity
The second pillar aims to preserve U.S. influence in the technological ecosystem by “developing cyberspace as an open engine of economic growth, innovation, and efficiency.” Here, the Administration plans to incentivize an adaptable and secure technological marketplace, which prioritizes innovation, invests in next generation infrastructure, maintains U.S. leadership on emerging technology, and promotes full-lifecycle cybersecurity. The Administration plans to eliminate policy barriers to information sharing. It will also work with international counterparts to promote industry-driven, risk-based approaches to cybersecurity worldwide. Another part of this pillar is protecting U.S. ingenuity through maintaining strong and balanced intellectual property protections, and protecting the confidentiality and integrity of American ideas. The Strategy also focuses on developing a strong cybersecurity workforce by building and sustaining the talent pipeline, retraining workers and expanding educational opportunities, and enhancing the federal cybersecurity workforce.
Pillar III: Preserve Peace through Strength
This pillar highlights a more forward-leaning posture, aiming to promote a “framework of responsible state behavior in cyberspace” and to enhance efforts to attribute and deter malicious cyber activities with integrated strategies that “impose swift, costly, and transparent consequences” on malicious actors that harm the U.S. and its partners. The United States will promote responsible behavior in cyberspace built on adherence to international law and cyber norms. It will focus on leading objective, collaborative intelligence efforts aimed at attributing and deterring malicious behavior in cyberspace. One concrete new action described in the report is the creation of a Cyber Deterrence Initiative, wherein the “United States will work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors.”
Pillar IV: Advance American Influence
The goal of the Strategy’s final pillar is to preserve the long-term openness and interoperability of the Internet, which in turn advances American interests. The Administration will continue to work with like-minded countries, industry, and civil society to advance human rights and Internet freedom globally. It will also promote interoperable and reliable communications infrastructure and Internet connectivity through the application of industry-led standards based on sound technological principles, and will work to build cyber capacity worldwide.