In response to increasingly emboldened and brazen adversaries, the White House came out swinging today with the release of its long-awaited National Cybersecurity Strategy.
The strategy outlines how the Executive Branch will approach protecting our nation’s interests and its increasingly hyper-connected critical infrastructure.
I’ve had the privilege to engage in its formation and changes over time. There will be many initial takes and follow-ups, but I’ll give you a few here.
The strategy is organized across five pillars:
Defending our critical infrastructure
Disrupting threat actors
Shaping market forces
Investing in our future
Forging international partnerships
For those concerned with cyber-physical systems security, Pillars 1 and 3 (and bits of Pillar 4) will be of highest relevance for your attention.
The choice to put critical infrastructure at the forefront is an important—and deliberate—one. The strategy offers a keen recognition of how IT/OT convergence and digital transformation are increasingly exposing us to accidents and adversaries. It’s doing so in ways that affect our way of life, public safety, national and economic security, and could ultimately undermine the confidence of the public in government institutions.
It’s crucial as the strategy is implemented, that we begin to finally stratify our critical infrastructure functions. With increasing connectivity and increasingly brazen adversaries, we have seen successful cyber-disruptions of basic, life-line human needs: the water we drink, the food we put on our table, the oil & gas that fuels our cars/homes/supply chains, the schools our children attend, the municipalities that run our towns and our cities, and the timely access to patient care in our hospitals - with mortal consequences. Do not mess with Maslow! (or the base of his hierarchy of needs).
In analyses I’ve shared with Congress, the White House, CISA, and other parts of government, I’ve encouraged that we focus on the most critical of the 55 National Critical Functions—the lifeline, latency-sensitive functions that if disrupted for 24-to-48 hours could contribute to losses of life and/or a crisis of confidence in the public. These include: supply water, provide medical care, generate electricity, produce and provide food, etc. Many of the owners and operators of these lifeline functions happen to also be what I’ve called: target rich, but cyber poor (and often specifically resource poor).
In what is likely to be the most controversial pillar, the strategy acknowledges market failures and that voluntary free market forces only get you so far (something I’ve told Congress and the last several administrations). To protect the public good, there is a time and place for the use of government power. The White House intends to use a “light touch, but no lighter than is required” approach.
Where the federal government has existing authorities to regulate and incentivize better cybersecurity and resilience of the nation’s critical infrastructure, it intends to use it. Where it lacks sufficient statutory authorities, it intends to ask Congress for new authorities.
On the table: software liability (with the promise of crafting safe harbor). This is an area I have spent significant time and work on—and expect to be engaged in. Especially in critical infrastructure, risk is a shared responsibility between the final goods assemblers who sell equipment into the operational environments, and the safe/secure operations of those goods. Part of the White House strategy is to rebalance some of the cost burden on those in the best position to identify and remove elective weaknesses from the ecosystems.
Other economic carrots, sticks, and instruments will be in the mix. From the importance of expanding security labels for IoT products, to the continued development of software bills of materials (SBOM), to insurance backstops, organizations must be incentivized and supported for building secure solutions and products, and the consequences of poor cybersecurity must not fall on those most vulnerable.
Among the areas for future investment referenced in the strategy, the acknowledgment of clean energy technology as a top priority for cybersecurity investment is an important step. So many of our critical infrastructure challenges come down to the limitations inherent in “legacy technology” where security was an afterthought—if any.
With fresh territory like clean energy, we have a blank slate to build-in security, resilience, and future-proofing from day one. Consequence-driven Cyber-informed Engineering (CCE), secure by design, and secure by default–can better balance the promise and the peril of these promising innovations. As we make a historic investment in clean energy technology and modernize and update our energy infrastructure, we can move beyond fighting the last war. You cannot defend the infrastructure of the future with the tactics of the past. We see this area as exciting.
Finally, while the strategy does discuss the critical need to develop the cyber workforce, we’re hoping the initial critical infrastructure focus of this strategy casts the often-tired topic in a novel, more urgent light. A greater focus should be paid to the requirements and constraints of the OT/ICS workforce. OT has unique hiring and training challenges. For example, it’s not merely finding OT cybersecurity talent, but finding and farming talent to work where our nation’s OT lives. As the strategy is implemented, we hope to help bring fresh thinking and results to this topic.
The release of this National Cyber Strategy lays out a bold agenda in prioritizing our nation’s cybersecurity and understanding the steps that must be taken to defend our critical infrastructure. We look forward to the implementation phase–and to engaging and assisting where we can—partnering with the federal government and Congress on these efforts.