Sunday Musings National Cyber Security E40
Happy Sunday Friends!
Welcome back to another Sunday, Friends! I’m glad you’re here. Here is your Sunday Musings, dedicated to exploring and sharing thoughts and insights on productivity, technology, and life. If you find it useful, please feel free to forward it along to friends!
Pillar III: Shape Market Forces to Drive Security and Resilience
The administration’s third pillar discusses how to create the desired secure and resilient future, emphasizing that responsibility for reducing cybersecurity risk should rest with those in the digital ecosystem who are best positioned to bear it. The strategy lays out six objectives aimed at shaping market forces to drive security and resilience.
The first objective calls for holding the stewards of “our data” accountable through privacy-focused legislation that incorporates guidelines developed by the National Institute of Standards and Technology (NIST). Such legislation would impose strict limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data such as geolocation and health information.
The second objective aims to improve Internet of Things (IoT) device security through federal research and development (R&D), acquisition, and risk management endeavors. This is in line with the IoT Cybersecurity Improvement Act of 2020. Additionally, the administration is exploring the implementation of a national cybersecurity labeling program for consumer IoT devices.
The third objective targets shifting liability for insecure software products and services away from end users and small businesses and onto the entities that create them and fail to take reasonable precautions to secure their software. Historically this has been a non-starter, and I expect the industry to push back initially. So does the administration; however, it believes that imposing legal consequences for failing to take reasonable steps to secure software and products is necessary to prevent the cascading, harmful effects of insecure software and services over the long term. This is perhaps the most controversial topic in the strategy. The strategy pairs the liability shift with a proposed safe harbor for companies that securely develop and maintain their products, but where the line for “reasonable precautions” is drawn will matter: even the most advanced software security program cannot prevent every future vulnerability, particularly those introduced through integrations with third-party software and products.
The fourth objective is about investing in critical infrastructure with cybersecurity and “all hazards resilience” in mind. The federal government will collaborate with state and local partners as well as the private sector to “balance cybersecurity requirements for grant applicants with technical assistance and other forms of support.” The promise to work with Congress in developing additional incentives to drive improved cybersecurity practices will be something to watch.
The fifth objective focuses on leveraging federal procurement to achieve accountability. The U.S. government will use its purchasing power to buy only software that is developed securely, and the Office of Management and Budget is working with the private sector to implement vendor attestation of secure software development practices. The Department of Justice has also launched a Civil Cyber-Fraud Initiative to pursue government contractors that fail to follow required cybersecurity standards or misrepresent their cybersecurity practices.
The last objective involves exploring a federal cyber insurance backstop. This would see the U.S. Treasury take on the financial exposure that insurers and reinsurers face from future catastrophic cyber incidents affecting their clients. While not a novel idea, it has gained traction, and the administration will have to obtain buy-in from many stakeholders: industry, local and state governments, state and federal regulators, and Congress.
Pillar IV: Invest in a Resilient Future
The fourth pillar in the National Cybersecurity Strategy focuses on preparation for future threats and infrastructure investments.
The first objective is to secure the technical foundation of the internet by identifying and reducing systemic risks. Acknowledging the inherently vulnerable foundations of the internet and our digital ecosystem, the administration commits to mitigating the vulnerabilities and collective risks that come with building on this old framework, specifically those created by the Border Gateway Protocol (BGP), which routes traffic between networks without verifying that a network is entitled to announce the addresses it claims; unencrypted DNS requests, which expose the names users look up to anyone on the path; and slow IPv6 adoption despite the exhaustion of IPv4 address space. The administration aims to drive the adoption of security and control mechanisms and of modern solutions that improve the security of the digital ecosystem.
The second objective focuses on supporting research and development for “defensible and resilient architectures”, particularly in computing-related technologies like quantum information systems and AI, biotechnologies, and clean energy technologies. The effort aims to resource a larger industrial and innovation strategy for trustworthy products and services by “leveraging Federal investment vehicles, purchasing power, and regulations.”
The third objective addresses the post-quantum future and the risks it poses to current cryptographic systems. The government is focused on standardizing quantum-resistant public-key cryptographic algorithms and recognizes the outsized impact quantum computing could have in breaking even the most “ubiquitous encryption standards” we have today. The practical concern is narrower than “all encryption”: a sufficiently large quantum computer would break the public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve schemes) that underpin TLS key exchange and digital signatures, while symmetric ciphers and hash functions are far less affected, and encrypted traffic captured today could be decrypted once such a machine exists. To ensure U.S. leadership in quantum applications and reduce risks to government agencies, the administration aims to prioritize transitioning vulnerable public networks and systems and encourages the private sector to follow the government’s model.
Objective four emphasizes securing new clean energy infrastructure and coordinating with stakeholders to deploy a secure, interoperable network of electric vehicle chargers, zero-emission fueling infrastructure, and zero-emission transit and school buses. The Department of Energy is leading these efforts through initiatives like the Clean Energy Cybersecurity Accelerator and the Energy Cyber Sense program.
The fifth objective outlines the need for “secure and verifiable digital identity solutions that promote accessibility, interoperability, financial and social inclusion, consumer privacy, and economic growth.” While recognizing that insecure solutions have led to online fraud and other harms, causing individual distress and financial difficulty, the strategy does not introduce new initiatives or efforts. Instead, it highlights NIST’s ongoing efforts and outlines principles such as privacy, security, civil liberties, equity, accessibility, and interoperability that the administration will encourage in identity management.
Lastly, the sixth objective focuses on developing a national strategy for the cyber workforce. It aims to build upon existing and past programs such as the National Initiative for Cybersecurity Education (NICE) Framework to recruit and train the next generation of cybersecurity professionals and establish a comprehensive approach to a diverse and expanded cyber workforce.
Pillar V: Forge International Partnerships to Pursue Shared Goals
This last pillar has five strategic objectives aimed at countering threats to the digital ecosystem and building coalitions to strengthen international partnerships.
The first objective is to build coalitions to counter threats to our digital ecosystem. The administration has made strengthening international partnerships a priority, and the resulting coalitions of like-minded countries take various forms, such as the Declaration for the Future of the Internet and the Freedom Online Coalition. The U.S. government regularly raises cybersecurity cooperation in its security dialogues to combat malicious cyber activity targeting the U.S. from foreign countries and foreign infrastructure, and it intends to strengthen the “mechanisms we have to collaborate with our allies and partners” to counter adversaries who evade the rule of law.
The second objective is to strengthen international partner capacity by promoting a common vision. Strengthening partner capacity allows our allies and partners
“…to secure critical infrastructure networks, build effective incident detection and response capabilities, share cyber threat information, pursue diplomatic collaboration, build law enforcement capacity and effectiveness through operational collaboration, and support shared interests in cyberspace by adhering to international law and reinforcing norms of responsible state behavior”
The administration will lean on the departments of Justice, Defense, and State to lead these efforts in a whole-of-government approach that strategically aligns and furthers “U.S., allied, and partner interests”.
The third objective sees the administration establishing policies for identifying support for allies and partners that become victims of “significant” cyberattacks. It seeks to develop mechanisms that identify which U.S. entities are best able to support affected countries and populations, and that put them into action in the most effective and efficient manner.
The fourth objective is to build coalitions to reinforce global norms of responsible state behavior. The strategy notes that the growing influence of the United Nations framework of “responsible state behavior in cyberspace” has led to coordinated activity to call out malicious actors and support these voluntary norms. The intent is to hold accountable those states that fail to uphold their commitments and to constrain adversaries below the threshold of armed conflict.
The last objective focuses on global supply chains and the increasing globalization of the information, communications, and operational technologies that the United States depends on from foreign suppliers. It highlights the growing systemic risk from dependence on foreign products and services and the risk mitigation that must come from a public-private partnership. The strategy builds on the National Strategy to Secure 5G, and existing policies such as the Bipartisan Infrastructure Law and Executive Orders 13873 and 14034 provide a framework for supply chain protection. Through this domestic approach, the U.S. government aims to improve national cybersecurity and attract other countries to support the shared vision of an open, free, global, interoperable, reliable, and secure internet.
Wrap Up
Realigning roles and responsibilities for securing systems and software to the entities best positioned to do so, and promoting incentives for long-term investment in cybersecurity, will be a challenge. The success of the strategy will require collaboration between the government, the private sector, the cybersecurity community, and international partners.
The Colonial Pipeline attack in 2021 is a prime example of the importance of collaboration. It highlighted the need for proactive regulatory frameworks created with input from the regulated private sector organizations. The first attempt at such a framework, the TSA’s initial pipeline security directives, was widely criticized by operators as overly prescriptive, but reengagement with the private sector produced a more effective, performance-based second iteration.
Implementing the National Cybersecurity Strategy will be challenging, especially where new authorities must be granted by Congress. However, the administration's aggressive approach sets a high bar for cybersecurity that future administrations will find difficult to ignore. Success will require the government to work closely with the private sector and the cybersecurity community; strong public-private partnerships are the best way to counter cyber threats. Investing in cybersecurity research and development, along with incentives for companies to prioritize cybersecurity, goes a long way toward holistic improvement.
Overall, the National Cybersecurity Strategy is a step in the right direction, but success will depend on effective collaboration, investment in research and development, and prioritization of cybersecurity. The government must also be prepared to adapt to new threats and challenges as they arise, sometimes taking a supporting role.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.
