With two administrations in a row releasing a National Cybersecurity Strategy, it appears our national leaders may finally understand the threat posed by not securing our national interests in cyberspace.
The latest strategy shared by the Biden administration is encouraging, as is the administration’s commitment to making substantive changes through increased executive orders, national security memorandums, elevated and increased cybersecurity staffing, and emergency and binding directives by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
San Antonio is well-positioned when it comes to implementing the National Cybersecurity Strategy. However, like many national strategies, it’s mired with intentions, light on substantive strategy and has a disturbingly short implementation plan.
In the preamble to the National Cybersecurity Strategy released last month, the administration states, “We must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” By shifts, they mean changes from past approaches and perspectives.
The first change is defining who holds primary responsibility for our nation’s cybersecurity. Past federal cybersecurity strategies have placed a large emphasis on how everyone plays a role in cybersecurity. They reminded individuals and the private sector that a significant portion of our national cyber infrastructure is privately owned and not controlled by the government. They emphasized our nation is only as strong as the “weakest link” and that everyone had to play their part in securing our nation.
The Biden-Harris strategy specifically alters the strategic approach to defense saying we need to “rebalance the responsibility to defend cyberspace,” calling on “the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”
San Antonio is well-positioned as home to the 16th Air Force known as Cyber Command. The National Security Agency, U.S. Secret Service and the Federal Bureau of Investigation all have specific missions, cyber squads and task forces here dedicated to cyber defense and investigations.
The second change is the recognition that if we don’t stop focusing solely on immediate, reactive defense against current threats, our failure to make long-term investments in “strategically planning for and investing in a resilient future” will have dire consequences in the not-so-distant future.
San Antonio is well-positioned as home to UTSA, which is in the top tier of research universities in the nation, with cybersecurity as one of our biggest research strengths. The city is also leading the way with the Joint Base San Antonio Electromagnetic Defense Initiative.
The Biden-Harris strategy has five pillars:
- defend critical infrastructure
- disrupt and dismantle threat actors
- shape market forces to drive security and resilience
- invest in a resilient future
- forge international partnerships to pursue shared goals
The first two pillars focus on increasing government regulation, requirements and policy while further modernizing federal defenses, public-private collaboration and information sharing, and the federal response to cyber events and threat actors.
These are great aims but the strategy is concerningly reactionary in nature. Instead of responding more quickly to catastrophic cyber events, we need to prevent them and/or lessen their fundamental impact, not through remediation and containment but through fundamental resilience. True resilience isn’t getting back on one’s feet quickly; it is not getting knocked out to begin with despite being hit.
The third pillar recognizes the role the market must play in securing our nation and the longstanding call that the market has not fully answered: security by design. It specifically calls out three key challenges: data security and privacy, Internet of Things (IoT) security and secure software design. I could not be happier to see this pillar in the federal strategy, which calls for increased accountability and acknowledges the role the federal government can play in supply chain security through federal grant and procurement programs.
However, much more is needed. The government’s ability to drive the market is limited, and government attempts to control the market are risky at best. How many more cyber “fires” will be needed before our nation goes beyond treating cybersecurity as a nutrition label and instead makes it a standard like UL certification for electronic hardware products?
The fourth pillar’s commitment to investing in a resilient future is also exciting to see. Here, we begin to see a bit more specificity, which is promising. It calls out specific Internet technologies vulnerable to compromise that need to be fixed and promises investment in specific federal cybersecurity research and development programs to prepare for our future.
However, fundamentally insecure internet protocols and technologies have been known to be insecure for decades. What exactly is the strategy to truly and comprehensively fix them? The call for increased investment in our future is promising, but what about investing in research and development to accomplish pillars one, two, and three of this strategy?
The fourth pillar also commits to cybersecurity research and development and cybersecurity workforce development, but it is very brief. It needs more strategy, but it’s a start.
San Antonio is one of the best places to be for cybersecurity workforce development. We have magnet schools and dual degree programs devoted to cybersecurity workforce development and the highest concentration of Cyber Patriot teams in the nation. We have one of the largest and strongest cybersecurity programs in the nation in the Carlos Alvarez College of Business at UTSA. And, we just launched an applied cyber analytics degree to truly bring artificial intelligence and data science to the cybersecurity fight.
The fifth pillar’s aim to forge international partnerships and pursue shared goals signals the government’s realization that cyberspace is an inherently more complex battleground than territorial conflicts and combat wars. Strong coalitions will be vital as the concept of collateral damage becomes increasingly hard to define in cyberspace.
With the intertwined public-private nature of cyberspace, the transnational nature of data movement and storage, and adversaries that do not always follow the Law of Armed Conflict, we have a long road ahead. Forging strong international partnerships must be a priority.
It was good to see the cloud recognized as critical infrastructure in the National Cybersecurity Strategy. It was a relief to hear a call to arms, so to speak, about the vulnerabilities the billions of IoT devices are unleashing on our digital ecosystem. It was great to hear the federal government’s commitment to research and education.
However, the real value of the strategy will only be known as we begin to see action and movement. Intent will not suffice. Reaction, regulation and response will not be enough. We need to fundamentally change our approach to true resilience, advanced prevention and artificial intelligence-informed defenses.
