Implications of the 2023 U.S. National Cybersecurity Strategy

To underscore how critical cybersecurity concerns have become: after a 15-year gap between the 2003 and 2018 strategies, the U.S. now has, as of March 2, 2023, its second National Cybersecurity Strategy in less than 5 years.

The Highlights

The 2018 version, under the last Administration, took a decisive turn by directly calling out cyber-attacks as threats to national security, public safety, and economic prosperity.

The 2023 Strategy (https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf) doubles down on that linkage but goes a step further by publicly calling out 2 of the biggest self-inflicted systemic flaws that allow the rapid spread of insecure technologies and create easy targets for adversaries:

  • The unfair burden placed on groups least able to protect themselves (e.g., citizens, local jurisdictions, infrastructure operators with limited resources) instead of the developers, manufacturers, or assemblers of technology who should embed security by design/default into what they produce at every step of the development lifecycle. It is very clear that the current approach of allowing speed to market to take precedence over safety, security and trustworthiness is not sustainable.
  • The imbalance of economic incentives that allows a lack of security focus and a short-term defensive mentality to take precedence over longer-term resilience-oriented technology research, development, and deployment.

How these longstanding flaws will be fixed is unclear, however.

To its credit, the Administration has been very active in issuing Executive Orders, OMB memos, DHS binding directives, and directives to operators of critical infrastructure where clear agency authorities exist*.

But the flaws above are not within the sole power of the Administration to solve. Today, beyond the power of the federal purse (which is being used in the SBOM domain, for instance), where would the authority come from to compel a shift to secure by design/secure by default for private industry technology providers? Either Congress would have to legislate, regulators would have to invoke authorities already granted to them (as with the new authorities given to the FDA over medical devices), or [likely] decades-long lawsuits would have to establish corporate failures to meet a duty of care.

In the March 2, 2023 webinar aligned to the release of the Strategy, Acting National Cyber Director Kemba Walden and Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger expressed hope that harmonization of OMB, NIST and CISA activities, reliance on existing federal agency authorities, and partnerships between the Executive branch, Congress, private industry and international partners will win the day. History tells us this will not happen overnight, as evidenced by the continued lack of a federal privacy law after decades of trying. There is a lot of work ahead for this Strategy to become reality.

The Details

Let’s look at the details. The 2023 National Cybersecurity Strategy aligns to 5 pillars – my notes for each are captured below:

“Defend Critical Infrastructure” (pillar 1)

  • “Establish cybersecurity requirements to support national security and public safety”
    • We have already seen directives issued by TSA to pipeline, rail and airport operators. EPA is doing the same for water utilities. The initial pipeline directive was a rushed debacle and had to be course-corrected with input from industry. This is a key lesson learned.
    • Congress will need to create the missing authorities for other critical infrastructure sectors, such as critical manufacturing and education.
    • Important: this section specifically calls out cloud services as critical infrastructure!
  • “Harmonize and streamline new and existing regulations”
    • This whole section is about statements of intent, not specific strategies.
  • “Enable regulated entities to afford security”
    • “In setting new cybersecurity requirements, regulators are encouraged to consult with regulated entities to understand how those requirements will be resourced.”
    • “In seeking new regulatory authority, the Administration will work with Congress to develop regulatory frameworks that take into account the resources necessary to implement them.”
    • Again, statements of intent, not specific strategies.
  • “Scale public-private collaboration”
    • Reiterates the roles of CISA, sector risk management agencies (SRMAs), ISAOs and ISACs.
    • Signals intent to work with the private sector to automate sharing.
  • “Integrate federal Cybersecurity centers”
    • Points to various existing efforts (JCDC, NCIJTF, DoE ETAC, DoD DCISE) and signals intent to “further efforts”.
  • “Update federal incident response plans and processes”
    • Covers what CISA “will” do under the authorities granted by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), but we are still awaiting CISA’s roadmap, definitions and processes under this authority granted by Congress last year.
  • “Modernize federal defenses”
    • This section is deceptively light on details. It points to the efforts that followed the release of Executive Order 14028, which has in fact spawned an avalanche of memos and binding directives for federal agencies to follow*.
  • “Collectively defend federal civilian agencies”
  • “Modernize federal systems”
    • “replace or mitigate IT and OT systems that are not defensible against sophisticated cyber threats (…) the plan will identify milestones to remove all legacy systems incapable of implementing our zero trust architecture strategy within a decade, or otherwise mitigate risks to those that cannot be replaced in that timeframe”. This is very ambitious, especially for cyber-physical systems (CPS) in operational technology environments, where zero trust approaches do not easily translate (see Predicts 2023: Cyber-Physical Systems Security — Beyond Asset Discovery). Wholesale replacement of CPS in production or mission-critical environments is a costly proposition, as manufacturing lines or building management systems routinely cost millions of dollars.
  • “Defend national security systems”
    • NSA will work with OMB to roll out the requirements of NSM-8 to national security systems within civilian agencies. This acknowledges that not all national security systems live in defense or intelligence agencies, and that they warrant a different level of security scrutiny. This alone will be a heavy lift.

Of note, the Strategy does not mention the important new powers granted to CYBERCOM in the 2023 NDAA to conduct offensive digital operations, with Presidential approval, in response to an “active, systemic and ongoing” attack against the U.S. or its critical infrastructure.

“Disrupt and Dismantle Threat Actors” (pillar 2)

The Strategy states that “all instruments of national power” will be used, including “diplomatic, information, military (both kinetic and cyber), financial, intelligence and law enforcement”.

  • “Integrate federal disruption activities”
    • Gives a nod to successful DoJ and DoD “defend forward” efforts and signals that they will continue.
    • DoD will update its own Cyber strategy, and the NCIJTF will expand – this will likely be reflected in the upcoming budget request.
  • “Enhance public-private operational collaboration to disrupt adversaries”
    • Puts forward the notion of “nimble, temporary cells” coming together in a “hub” concept. While the Strategy states that the government would “overcome barriers” such as “security requirements and records management policy”, it is unclear how concerns such as private companies engaging in a geopolitical fight, shareholder views, or even antitrust implications would be handled. A lot more detail is needed here.
  • “Increase the speed and scale of intelligence sharing and victim notification”
    • The volume and velocity of information sharing have increased dramatically over the last couple of years, and the strategy is to double down.
    • CISA cooperation with the sector risk management agencies will also increase vertical-industry-specific threat intelligence sharing.
    • A huge barrier to sharing has historically been declassification policy; a review will take place to see how to increase clearances and access for owners and operators of critical infrastructure.
  • “Prevent abuse of US-based infrastructure”
    • Specifically calls out the abuse of US-based “cloud infrastructure, domain registrars, hosting and email providers”, often leased through foreign resellers.
    • Important: the government is shifting to proactive engagement with service providers (specifically calling out IaaS providers), and implementation of EO 13984, “Taking additional steps to address the national emergency with respect to significant malicious cyber-enabled activities”, now over 2 years old, might be around the corner. This EO called for verification of the identity of IaaS customers and prohibition of service to certain entities.
  • “Counter cybercrime, defeat ransomware”
    • Doubles down on efforts by the Counter-Ransomware Initiative (CRI) and the Joint Ransomware Task Force (JRTF), on anti-money laundering rules for crypto exchanges, and on implementation of EO 14067, “Ensuring responsible development of digital assets”.
    • States that the government “strongly discourages the payment of ransoms” but stops short of prohibiting them.

“Shape Market Forces to Drive Security and Resilience” (pillar 3)

This pillar is a departure from prior strategies, as it tackles the perennial problem of how to incentivize and enforce secure by design and secure by default practices on technology producers.

  • “Hold the stewards of our data accountable”
    • This section punts to Congress to develop national-level legislation to protect personal data and consumer privacy.
  • “Drive the development of secure IoT devices”
    • Points to existing efforts under the IoT Cybersecurity Improvement Act of 2020 and the IoT labeling section of EO 14028.
  • “Shift liability for insecure software products and services”
    • Calls out the failure of market forces that allows technology vendors to release insecure products and services, and sometimes even benefit from ignoring security by putting the burden on users ill-equipped to deal with the issue.
    • States that the Administration will work with Congress and the private sector on legislation to establish liability for software products and services.
    • Will include a safe harbor for companies that follow best practices such as the NIST Secure Software Development Framework (SSDF).
    • While this is a worthy goal, it remains to be seen whether industry and Congress will lean in. The Cyberspace Solarium Commission has advocated the creation of federal tort liability for final goods assemblers when a cyber-attack results from a failure to meet a standard of care, but we have seen no traction to date on this front.
  • “Use federal grants and other incentives to build in security”
    • States that security requirements will be tightly coupled with grants funded by the Infrastructure Investment and Jobs Act and the CHIPS and Science Act.
  • “Leverage federal procurement to improve accountability”
    • Points to existing federal contractual mandates and False Claims Act enforcement; nothing new here.
  • “Explore a federal cyber insurance backstop”
    • Tees up a study.

“Invest in a Resilient Future” (pillar 4)

This pillar highlights key technology areas of focus for the next few years:

  • “Secure the Technical Foundation of the Internet”
    • Statements of intent to continue shoring up BGP, DNS, IPv6 and related standards; nothing new here.
  • “Reinvigorate federal research and development for cybersecurity”
    • Statements of intent to ensure R&D funds are spent on cybersecurity.
  • “Prepare for our post-quantum future”
    • Statement of intent to follow NSM-10, “Promoting United States leadership in quantum computing while mitigating risks to vulnerable cryptographic systems”, and advice to private industry to do the same.
  • “Secure our clean energy future”
    • Commitment to National Cyber-Informed Engineering Strategy and other programs led by the Department of Energy to build security into new energy infrastructure.
  • “Support development of a digital identity ecosystem”
    • This topic remains a quagmire: “digital identity will protect you” versus “digital identity will enable a Big Brother authoritarian state, and after the OPM breach why would anyone trust the government to protect their digital identity?” This section leans toward the former but does not articulate specific actions.
  • “Develop a national strategy to strengthen our cyber workforce”
    • Statement of intent to create an inclusive workforce strategy.
    • In my opinion this is a missed opportunity to call out specifics, such as changes in hiring authorities.

“Forge International Partnerships to Pursue Shared Goals” (pillar 5)

I highly recommend reading the preamble for its lyrical prose!

  • “Build coalitions to counter threats to our digital ecosystem”
    • Lists various forums that focus on cybersecurity with other countries. I was personally unaware there is a “Quad” between the US, India, Japan and Australia, for instance; it stands for “Quadrilateral Security Dialogue”.
    • States intent to continue those multi-country engagements.
  • “Strengthen international capacity”
    • Statements of intent to continue engagements to train and equip other countries.
  • “Expand US ability to assist allies and partners”
    • This reflects a significant recent shift toward helping entire countries under attack, such as Ukraine, Albania, Montenegro and Costa Rica. Such help has been reactive, and this Strategy lays the groundwork for a policy on when this help should be invoked and what form it should take.
  • “Build coalitions to reinforce global norms of responsible state behavior”
    • This section is about shining a light on nations that pledge to behave and do not, and putting them on notice that the US and its allies intend to impose consequences.
  • “Secure global supply chains for information, communications, and operational technology products and services”
    • Reiterates and supports existing supply chain security efforts for critical and emerging technologies.

“Implementation”

  • The implementation section is just 1 page out of 39, so it is short on details. It gives ONCD the mandate to implement this Strategy. With roughly 80 employees today (expected to grow to 100), that is a lot of work for a relatively small team!