Expert Insights on the National Cybersecurity Strategy

Since the Biden Administration released its National Cybersecurity Strategy (NCS) in March, many in the technology industry – W2 Communications’ clients included – have been sharing their reactions to the strategy, as well as outlining how federal agencies can begin to implement the mandates it set forth.  

At the recent Cyber Central event in Washington, D.C., the critical role of public-private partnership in meeting the NCS was the hot topic. There is an urgent imperative to evolve the government’s and the country’s cyber resilience, as (Retired) Colonel Candice Frost, former Joint Intelligence Operations Center Commander at the United States Cyber Command, noted that cyber-crime has reached one percent of global gross domestic product (GDP). Col. Frost sees a “blurred line between military application and commercial cyber efforts,” which is a good thing because working together as partners gets more done. That is especially important now with China leaning forward on cyber capabilities more than the U.S. currently is. On an encouraging note, she reported that the National Institute of Standards and Technology (NIST) has already developed four quantum computing-safe algorithms, an important step toward preparing for a newly evolving threat.

Strengthening Alliances and Private-Public Relationships

Tanya Simms from the White House Office of the National Cyber Director also reinforced the need to go beyond transactional public-private sector relationships, with the NCS reflecting a unified vision for cyber strategy in the U.S.

Tracy Pakulniewicz, Chief of Staff of the Office of Policy, Strategy and Plans at the Department of Homeland Security (DHS), emphasized the NCS phrasing “We will use all of the tools of national power” to increase cyber resilience – and that includes a lot of resources! The NCS provides DHS with the tools, direction and guidance needed to draft policies, operationalize and engage with the right partners to keep our homeland safe. She stressed the importance of international cooperation in fighting this global problem, especially appreciating the close working relationship the U.S. has with the Five Eyes partner nations.

CISOs’ Role with the National Cybersecurity Strategy

Simms noted that those with the most (i.e., big industry) should be able to bear more of the burden, and that Chief Information Security Officers (CISOs) should be investing now in their own thought leadership for implementation.

Amy Hamilton of the Department of Energy doesn’t think that CISOs will have to do much differently towards meeting the NCS than they already are doing. Rather, the NCS amplifies cybersecurity to a national strategic level. She explained, “This is no longer a cyber problem, it is a national security problem,” as evidenced by recent attacks on healthcare infrastructure and the Colonial Pipeline. And, emphasizing the importance of people in addressing the cyber imperative, she encouraged that nationally we must start ingraining the idea of technological security into children “as soon as they pick up the device.” She strongly recommended that government agencies “move out of the compliance mindset” and focus on protecting data according to the needs of the different mission sets in any given organization.

Clear Cybersecurity Strategy and Actionable Guidance

The NCS also builds on the 2021 Biden Administration Cyber Executive Order, providing a clear strategy and actionable policy guidance for civilian agencies. Matt House, Continuous Diagnostics and Mitigation (CDM) Program Manager at the Cybersecurity and Infrastructure Security Agency (CISA), commented that CISA wants to work with civilian agencies to give clear guidance on initiatives like implementing Zero Trust, so that agencies can confidently invest in and align to CISA’s broader efforts. Rather than a one-size-fits-all approach, he explained that the level of cyber and Zero Trust maturity will look different across agencies, which is completely appropriate per the unique requirements of each. That is also true within the Department of Defense, which has thousands of systems. Approaches like Zero Trust may not apply equally across all of them. Michael Parrish, Chief Acquisition Officer at the Department of Veterans Affairs, encouraged industry to make cybersecurity an integral part of all upfront product development, so that companies automatically bring cyber-safe offerings to the government.

Roadblocks to Information Sharing

Interestingly, Wayne Lloyd, Federal Chief Technology Officer and Vice President of U.S. Sales Engineering at RedSeal, stated that industry is not going to share threat information with the government because of the fear of lawsuits. This is the case despite repeated calls for and executive orders to improve private sector information-sharing with the government, going back for over 30 years. He explained that Congress would need to pass legislation to indemnify companies in order to get them to share more. He also noted that what threat intelligence industry gets from government is lower value, because the real value is in classified information that cannot be shared. There is a more positive outlook, however, in that Mr. Lloyd sees artificial intelligence as being integral to evolving better threat intelligence that can be broadly used by the public and private sectors.

The NCS is the biggest leap forward to date in strengthening U.S. cyber defense and resilience policy. It’s been a long time coming, but the government and industry now have clear direction on the strategic steps that should be taken to preserve national security. As the many experts at Cyber Central each pointed out, we are in this together and public-private partnerships are essential to meeting the challenge. The insights these experts shared are very valuable in helping industry chart the path forward in partnership with the government. We are excited to continue collaborating with our clients to help drive this strategy to implementation.