“Overall, the 2023 National Cybersecurity Strategy is the best the government has ever produced.”

Today, @POTUS released the National Cybersecurity Strategy. The Strategy sets forth a new vision for the future of cyberspace and the wider digital ecosystem. pic.twitter.com/u3gxfJXymS

— White House Office of the National Cyber Director (@ONCD) March 3, 2023

Yesterday, the White House released the highly anticipated 2023 National Cybersecurity Strategy (OODA CTO Bob Gourley was invited by leaders in the Office of the National Cyber Director (ONCD) to receive a preview of the strategy and to contribute feedback and insights, which better prepared us as we contemplated the strengths and weaknesses of this strategy). 

As we pointed out in our OODA Loop 2022 Year-end Review of Cybersecurity, last year was marked by threats, incidents, and vulnerabilities of a breathtaking and unrelenting frequency, volume, and scale – and we highlighted the vital role federal cybersecurity professionals – the Defenders – play in the successful protection of the homeland against a significant cyberattack on governmental information and communication technologies (ICT), physical security, critical infrastructure, or industrial control systems (ICS). 

We have also been effusive in our praise (and frequent in our analysis) of the collaborative efforts by the federal government and corporate IT by way of the CISA Cybersecurity Advisory Committee (CSAC) and the CISA Joint Cyber Defense Collaborative (JCDC), along with the leadership of recently departed National Cyber Director Chris Inglis, Rob Joyce and Jen Easterly at the NSA Cybersecurity Directorate and The Cybersecurity and Infrastructure Security Agency (CISA), respectively – as well as the leadership of General Paul Nakasone at the National Security Agency (NSA) and CYBERCOM.  

Overall, Bob has commented that “the 2023 National Cybersecurity Strategy is the best the government has ever produced.  It is really amazing work and the best of all the strategy documents produced over the decades – and a job well done by the leaders at the White House Office of National Cyber Director.”

However, the strategy document is not – by any means – a proclamation that the “cavalry is on its way” by the United States Government. Instead, it is a clear strategic nod toward the crucial role the private sector has always played in an industry sector (“cybersecurity”) almost exclusively led by private sector governance, innovation, market forces, platforms, and products. 

To this ends the 2023 National Cybersecurity Strategy lays out “two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace,” stating that “in realizing these shifts, we aspired not just to improve our defenses, but to change those underlying dynamics that currently contravene our interests.  The two fundamental shifts: 

1. Rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
    
2. Realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future. 

This strategy recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity.” 

Or, as summarized at Forbes.com: 

• The document classifies ransomware attacks as a “threat to national security, public safety, and economic prosperity,” adding that these attacks are being carried out by malicious actors from “safe havens like Russia, Iran, and North Korea.”
• The U.S. government will now employ “all elements of national power” to counter the threat of ransomware attacks including “disruption campaigns” directly targeting malicious actors.
• The strategy also shifts the burden of dealing with cyber threats from consumers and small businesses to tech companies that offer software, systems, and services.
• The roadmap, if adopted into law, would likely make tech firms liable for any vulnerability in their code that leads to a cyberattack.
• The White House document also calls out the governments of China, Russia, Iran, North Korea” and other autocratic states” for their “reckless disregard for the rule of law and human rights in cyberspace.” 

The OODA Network on the 2023 National Cybersecurity Strategy

We have been on the lookout for the following three items in this strategy document:

1. What it has in it (hoping for new approaches making it harder on adversaries).
2. What it does not have in it (looking for some tired old concepts to go away); and 
3. Concepts that show the government has a better understanding of when it should lead and when it should follow.

Over the course of the day yesterday, after the release of the document, we received a host of formative reactions to the new strategy from across the OODA Network.   A compilation of quick takes from the OODA Network can be found below.  

What it has in it

• The release of the cyber strategy…is a significant achievement. 
• Happy to see a big thrust on international collaboration.
• An improved regulatory environment is very welcome and important.
• The regulatory environment should be dynamic and responsive to effectively deal with these threats… glad to see that this is recognized in the strategy document.
• Emphasis on international collaboration is definitely a step in the right direction.
•  Cooperation between nations is essential in tackling the rapidly evolving threats in cyberspace. 
• “Know Your Customer” (KYC) on Cloud Infrastructure is a welcome addition. 
• Strong language on ransomware as a national security threat is a very good development.  
• USG evangelism for and implementation of a Zero Trust Architecture Strategy is strong throughout the document.   

What it does not have in it

• Good to see old concepts like cyber deterrence and norms have been dropped.
• The shift from cyber deterrence and norms, while it may seem unorthodox, it’s important to note that cyber threats have evolved, and what was once effective may not be adequate today.
• Would like to have seen even more KYC strategic perspectives, especially on KYC in the crypto marketplace and the role of anonymity generally in social media.
• Not one mention of the US National Vulnerability Database (NVD) or Vulnerabilities Equities Process (VEP).  What does this signify for these legacy database approaches?  
• “Old school”, analog, and social psychology concerns – like human targeting and social engineering – could have been included in a standalone section, however brief.  Not all cyber threats are cyber-based. The human factor is vital to understand and guard against strategically as well.  

Concepts that show the government has a better understanding (of when it should lead and when it should follow)

• USG acknowledges that it needs to lead in the development of a robust national cyber workforce strategy.  Let’s hope they stick with it.  
• Language that includes placing the burden on the computer and software industry to develop “secure by design” products that are purposefully designed, built, and tested to significantly reduce the number of exploitable flaws before they are introduced into the market.
• Requiring more incident disclosure to get the data needed to inform future strategy.
• Finally, victim notification is included. 
• Willingness to lead on zero trust through Federal Zero Trust Architecture Strategy is a strong statement throughout the document.  
• Quantum science leadership and vision of the “post-quantum future” is laudable. 
• Classifying attacks has helped Russia and China more than anything else.
• The lack of mention of the NVD and VEP – self-reporting databases without a formal mandate or enforcement from national or international agencies – may signal that the national strategy may have big plans for moving away from or a major revamp of these programs.   
• Missing from the document are easy steps to help the nation head in the right direction.
• It is essential to explore or adopt new approaches that can guarantee success in the current landscape.
• The strategy is a testament to the hard work and dedication of the professionals involved and it is my hope that it will positively impact the fight against cyber threats.

What Next?

• We are all – individual citizens, corporate entities, and government agencies – fundamentally responsible for our own cyber defenses. The 2023 National Cybersecurity Strategy is a strong strategic framework to which we can all structure implementation efforts moving forward  – and an equally as strong whole-of-government approach with strong mandates for governmental agencies. 
• When interviewed by Foreign Policy about the release of the 2023 cyber strategy, Bob offered this final forward-thinking perspective:  “‘The government is in charge of different parts of the federal enterprise, but [it’s] not in charge of the states, not in charge of business or any nonprofit organizations.’  The key will be convincing corporations and the public of the gravity of the threat:  ‘What’s going to make the biggest difference is convincing people how important this is.'”