Deconstructing the National Cybersecurity Strategy
All the wheat and none of the chaff.
TL;DR for business leaders
The Biden Administration’s National Cybersecurity Strategy (NCS) just dropped.
It is mostly a political messaging document but makes the below key substantive points:
Lethal military action is on the table as a possible response to cyber attacks.
Software is insecure; more regulation is instrumental to fixing this problem.
A federal backstop to cyber insurance might be coming.
Consider modifying your own cybersecurity strategy accordingly.
Still with me? I’m going to use the rest of this post to elaborate on the above main points and further analyze the NCS. After a steady crescendo of Administration surrogates signaling what will be in the strategy, it is now public and ready for analysis.
Since the last one is from 2018 and is a Trump Administration document, it makes sense that the President and his team would want to issue their own. Similarly to its predecessors, this document is primarily a vehicle for communicating Administration priorities and is many steps away from implementation. With that said, understanding the core philosophical principles of the federal government when it comes to cybersecurity is key to predicting and adapting to future developments.
Even for a government report (and I have written some myself), the most recent NCS is quite repetitive and full of boilerplate and political posturing. Thus, I deem entire sections of it non-substantive from the perspective of Deploying Securely. By this I mean either that the cyber policy content is obvious or unobjectionable, or that it contains non-cyber policy recommendations with which I don’t necessarily agree but won’t get into here.
Diving into the content itself, there is an introductory section, five “pillars” (which each have several subordinate “strategic objectives”), and an implementation summary. I’ll dive into most, but not all, of these below.
Introduction, strategic environment, and approach
This is mostly non-substantive with two major exceptions.
Firstly, there is a very strong callout of the Chinese government:
The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both [U.S.] government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.
It’s interesting to see such a strong statement in a document with the President’s name on it. It reflects the heightening tensions between America and the PRC.
Secondly, the document states that “the Federal Government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.”
While I agree this is a good approach, it feels out of place once you read the rest of the document. Suffice to say, I do not view the Biden Administration as advocating for a “light touch” regulatory posture.
1 - Defend critical infrastructure
1.1 - Establish cybersecurity requirements to support national security and public safety
This section is quite paradoxical. It argues for the introduction of new cybersecurity regulations while at the same time acknowledging there are cases where “Federal regulations are in conflict, duplicative, or overly burdensome.”
Despite this recognition and a separate commission pointing out the same problem, however, I continue to see the federal government making things worse.
President Biden’s Executive Order (EO) 14028 of May 2021 did not take any clear steps to harmonize overlapping cyber incident reporting requirements.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of March 2022 leaves it to the Cybersecurity and Infrastructure Security Agency to define important terms in the bill, such as “covered entity” and “covered cyber incident.” Industry groups have expressed concern about the vagueness and potential breadth of these (still undefined) categorizations.
Relevant provisions in the National Defense Authorization Act (NDAA) for Fiscal Year 2023 (ultimately removed before passage) would have been essentially impossible for any software vendor to comply with.
Office of Management and Budget (OMB) guidance released in September 2022, and supposedly containing implementation details for EO 14028, was vague and widely panned inside and outside government.
Having a complex web of requirements that require overlapping and potentially even contradictory attestations, reports, and other assorted box-checking is not the way to improve cybersecurity.
Before the government proposes a single new cybersecurity regulation, an absolute prerequisite should be untangling the existing web by removing and consolidating existing rules.
1.2 - Scale public-private collaboration and 1.3 - Integrate federal cybersecurity centers
Much like for the previous section, my response here is that the government needs to reduce the number of overlapping and redundant organizations that have a cybersecurity function or conduct public-private collaboration before scaling anything.
Even just looking at the NCS alone, one can identify a dizzying array of agencies, task forces, and other initiatives that are seeking to improve national cybersecurity. I was a congressional staffer responsible for overseeing the Department of Homeland Security (of which CISA was a part) and I myself have trouble keeping track of the acronym soup.
Here is a list of government entities and sub-entities just mentioned in the NCS:
Office of the National Cyber Director (ONCD)
National Security Council (NSC)
Office of Management and Budget (OMB)
Counter-Ransomware Initiative (CRI)
Cybersecurity and Infrastructure Security Agency (CISA)
Joint Cyber Defense Collaborative (JCDC)
Sector Risk Management Agencies (SRMAs)
Cyber Safety Review Board (CSRB)
Joint Ransomware Task Force (JRTF, “co-chaired” with FBI)
Federal Bureau of Investigation (FBI)
National Cyber Investigative Joint Task Force (NCIJTF)
Joint Ransomware Task Force (“co-chaired” with CISA)
Department of Defense (DoD)
Defense Industrial Base Collaborative Information Sharing Environment (DCISE)
National Security Agency (NSA)
Cybersecurity Collaboration Center
Department of Energy (DoE)
Energy Threat Analysis Center (ETAC)
Office of the Director of National Intelligence (ODNI)
Cyber Threat Intelligence Integration Center (CTIIC)
Information sharing and analysis organizations (ISAOs)
Information sharing and analysis centers (ISACs)
These organizations have billions of dollars in budget between them. Before “scaling” anything, the government needs to reduce the number of bureaucracies striving for increased jurisdiction and funding. Especially when interacting with the private sector, where businesses have varying levels of familiarity with federal organizational charts, simplicity is key.
1.4 - Update Federal Incident Response Plans and Processes
I agree with this move in general, but would say that this needs to go even further than proposed in the NCS. For example, Presidential Policy Directive 41 (PPD-41) requires a complete overhaul. I get into the reasons in these articles, but in general PPD-41 is a vague and woefully outdated document that cannot drive federal cyber incident response in any reasonable way.
This section also touts the CSRB and pushes for its codification into law. I feel that my initial skepticism regarding the CSRB, however, remains justified. Its first report amounted to basically a summary of events of the log4shell vulnerability crisis and then…you guessed it…a call for more centers of excellence, review boards, and other government panels.
While having a definitive record of notable events is helpful, it’s not clear to me this benefit makes it worth formalizing yet another federal organization. Less is often more.
1.5 - Modernize federal defenses
This is probably the most important “strategic objective” of the first “pillar” but somehow it is listed last. Bottom line: the federal government is wildly hypocritical in terms of its pronouncements regarding cybersecurity and needs to get its own house in order.
Examples that surfaced just since my last critique of federal cybersecurity hypocrisy (a month ago!) include:
CISA Executive Director Brandon Wales criticizing companies who left SolarWinds Orion appliances open to the internet merely for convenience.
He went on to boast that some “U.S. government customers of SolarWinds…had shut those permissions off and locked down that system. Even though that would have been a high-priority target for the Russian SVR operators behind SolarWinds, they were not able to get into those networks.”
This is a laughable statement considering that 7 federal departments (including CISA’s parent, the Department of Homeland Security!) were breached because of malicious code in SolarWinds software. Whether federal customers took the specific mitigation step Wales mentions is completely irrelevant if they were still breached. And while you might think Wales would have enough shame to not criticize others for something that impacted his own department…you would be wrong.
An almost threatening letter from InfraGard - an FBI program to share cybersecurity information with the private sector - to its members, lecturing them on internet security hygiene following a confirmed breach suffered by InfraGard itself in late 2022.
Despite the breach resulting in the theft of the contact information for its 80,000 members, as of late February 2023 there was no evidence InfraGard was providing the victims with credit or identity theft monitoring solutions.
As of March 2, 2023, there is no mention of the breach of the InfraGard website, nor have I been able to identify any formal U.S. government acknowledgement of it.
On top of the structural problems, incidents like these deeply undermine cybersecurity practitioners’ trust in the federal government. Fixing its own issues should be the federal government’s cybersecurity priority #1.
2 - Disrupt and dismantle threat actors
This “pillar” opens with a key statement:
The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests. These efforts may integrate diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities.
This confirms previous reports suggesting everything is on the table when it comes to the United States responding to cyber attacks. Including using nuclear weapons.
While this might be an extreme case, it nonetheless makes clear that American missile strikes, covert action, and physically destructive cyber counter-attacks are things that malicious actors should not rule out when conducting attacks.
2.1 - Integrate federal disruption activities
In general I agree that we shouldn’t leave anything off the table. For example, U.S. Cyber Command launching a wiper attack against a foreign ransomware gang’s infrastructure could be an appropriate action.
With that said, I have strong reservations regarding this current Administration’s extreme bellicosity and the ease with which America has found itself embroiled in armed conflict in general. Appropriate Congressional oversight for both cyber and kinetic counter-attacks is thus vital to ensuring this strategy does not lead to unintended consequences or escalation.
As a business leader, you should also consider the fact that your organization might get caught in a potential cycle of escalation resulting from this approach. If the Russian government detects a U.S. government cyber attack launched from commercial cloud infrastructure (potentially even yours), who is to say they won’t consider it a valid target for kinetic retaliation (e.g. a missile strike)?
2.2 - Enhance public-private collaboration to disrupt adversaries and 2.3 - Increase the speed and scale of intelligence sharing and victim notification
2.4 - Prevent Abuse of U.S.-based infrastructure
This is an interesting section that recognizes an important dynamic: -as-a-Service providers are not just victims of cyber attacks; they can also be launchpads (unwittingly, of course) for them.
With easily scalable and accessible computing power, it is not surprising that threat actors themselves leverage cloud services. For example, during the SolarWinds incident the attackers used domains registered with U.S. companies to command and control the intrusion.
2.5 - Counter cybercrime, defeat ransomware
3 - Shape market forces to drive security and resilience
This is the section of most interest to me, and the one with which I have the biggest concerns. While not as specific - and directionally wrong - as the recent article published by CISA Director Jen Easterly and Executive Assistant Director Eric Goldstein, it worries me.
In general, it appears that the Biden Administration believes regulation can solve the meatiest of cybersecurity problems. Specifically, it plans to
reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.
Unfortunately I feel that the record shows whenever the government tries to do things like this, it doesn’t do a very good job.
3.1 - Hold the stewards of our data accountable
The one place where I think there is a place for federal legislation is on data privacy. By standardizing the vast array of retention and breach notification requirements in place at the state level, the government could improve people’s lives while also providing more clarity to businesses.
Instead of 50+ laws, I would strongly prefer one.
3.2 - Drive the development of secure IoT devices
3.3 - Shift liability for insecure software products and services
This section is the most worrisome of the entire report.
Implementing secure-by-design principles and performing pre-release testing are no doubt good things that software vendors should do. All other things being equal, more security is obviously better.
But all other things are rarely equal in real-world situations and tradeoffs are almost always necessary. The idea that “security should be table stakes,” which CISA Director Jen Easterly has said and which this report embodies, sounds nice but isn’t especially helpful.
Optimal risk/reward calculations require going far deeper than such vague statements.
With that said, and assuming they think in these terms, the Biden Administration appears to believe that the general level of cyber risk is too high when compared to the level of technological and societal reward. Without providing evidence to support them, the report thus lays down a set of broad assumptions to justify its goal of reshaping the legislative landscape. For example, it says:
Markets impose inadequate costs on—and often reward—those entities that introduce vulnerable products or services into our digital ecosystem.
It’s not clear that the market does reward those who introduce insecure products and services. Why would it? Studies regarding consumer sentiment following data breaches and outages suggest that companies pay serious prices for cybersecurity failures. And what are “adequate” costs these organizations should suffer from these events?
And while you might say that some companies introduce software too hastily when compared to the value that it delivers - they no doubt do - the key is determining where the line is. The report continues to not answer this crucial question, claiming:
Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.
How many vendors is “too many?”
How many known vulnerabilities are unacceptable?
How “known” must the third-party software be?
None of this is clear from the NCS. I don’t expect detailed answers in such a document, but I do expect a framework for determining how to arrive at an answer. Unfortunately the federal government doesn’t sound like it understands cyber risk management, so I may be waiting a long time.
Furthermore, this approach presumes the government is best positioned to make technical decisions regarding these risk/reward tradeoffs. By providing “safe harbor” to organizations that comply with federally-approved standards or practices, however, such an approach would further incentivize surface-level compliance efforts.
As I have frequently noted, government cybersecurity standards are vague and sometimes counterproductive. Under the NCS’ proposed regulatory regime, companies would be strongly incentivized to follow these standards regardless of how effective such frameworks are in ensuring data security.
For a detailed explanation of my views on the right way to proceed, take a look at this post. But suffice to say, the key is to focus on outputs rather than inputs. Organizations should face monetary penalties for mishandling customer data, and know what these penalties are ahead of time. With that information, they can make better decisions on how to protect their customers while at the same time delivering value to them.
I am deeply suspicious of the Administration’s philosophical perspective on software security legislation and oppose regulatory efforts along these lines.
3.4 - Use federal grants and other incentives to build in security
3.5 - Leverage federal procurement to improve accountability
3.6 - Explore a federal cyber insurance backstop
I disagree with a federal cyber insurance backstop.
While I acknowledge that the federal government needs to step in for some situations, those are rare. I have opposed previous bailouts of industries that were too reckless to identify or mitigate the risks facing them and will continue to do so.
While some in the space have said cyber risk is uninsurable, this is due to their fundamental inability (admittedly) to measure the underlying risk. I think doing so requires more effective tools and methods than we have available today but is not impossible.
But if I am wrong, then that means we need to fundamentally reconsider as a society the risk-reward tradeoff that we make by using technology. If we cannot measure cyber risk, it’s possible that some degree of technological neo-Luddism is justified (but you’ll never be sure if the risk isn’t measurable).
So if that is the case, then why should the government subsidize potentially reckless behavior (e.g. certain technological development) by backstopping cyber insurance?
If it is not the case, which I don’t believe it to be, then how will organizations ever know if they are taking the right amount of risk? The only way to let them know is through market forces, like insurance premiums. Government interventions distort these forces, creating moral hazard.
And if the national flood insurance program is any sign of what a cyber insurance backstop would look like, then we should be very concerned indeed.
4 - Invest in a resilient future
5 - Forge international partnerships to pursue shared goals
The report closes by stating:
In implementing this strategy, the Federal Government will take a data-driven approach. We will measure investments made, our progress toward implementation, and ultimate outcomes and effectiveness of these efforts.
I have found that talk of taking a “data-driven approach” without any examples of how it will be done is generally a symptom of underlying technical and data illiteracy. This throw-away line, on which the report does not elaborate (aside from promising subsequent annual reports to the President), suggests a similar situation. I would be very interested to see the metrics by which the NCS’ success is measured, but suspect they will be sparse or non-existent. In any case, it doesn’t look like they will be public.
Furthermore, having both crafted (as a congressional staffer) and executed (as a Marine Corps officer) national policy, I feel like there is often a huge disconnect between the former and the latter steps. The same is often true in big companies, where “strategic” leaders provide high-level guidance without any recommendations on how to implement it (or idea how to do it themselves, for that matter).
The combination of these two phenomena - technical illiteracy and a lack of concern for implementation details - often causes grief for those required to actually put plans into force. And because “actions at the sharp end resolve all ambiguity,” outcomes can be quite different from those intended by more senior leaders.
As I mentioned, the NCS is a messaging document, but I would always appreciate seeing more of the details worked through prior to drafting recommendations for sweeping changes.
From the perspective of a business leader, if you take anything away from the NCS, it should be:
Your organization might find itself in the middle of a cyber or even kinetic (i.e. shooting) war between nation-states. While low probability, this would be high impact. Factor this risk into your decision-making. You’ll need to do your own quantitative analysis of course.
The Biden Administration wants to fundamentally change how software security is regulated by putting a bigger burden on makers and preventing them from disclaiming liability contractually. This might help if you are a software consumer but hurt if you are a software vendor. Consider the second- and n-level implications of such a move, specifically when it comes to increased complexity. Lobby and vote accordingly.
A national cyber insurance backstop is in the cards. If there are perverse incentives created by such a policy (likely), consider how you can take advantage of them (if cyber insurance is unaffordable now, you might want to test the waters again when the price comes down). But also acknowledge you are doing so and realize your behavior may be distorted if compared to how you would act otherwise. The backstop might get overwhelmed and depleted during a systemically significant event, like unemployment insurance was during COVID. So you shouldn’t count on the government bailing out your insurer immediately.
While some of the changes proposed in the NCS are not a good idea in the aggregate, there may be circumstances where they are good for individual organizations. It’s only rational to use these changes to your advantage. And while I do begrudge the government for suggesting bad policy, I won’t think less of you for taking advantage of it, should it materialize.