A forthcoming White House cybersecurity strategy will likely project a more muscular federal government role to safeguard the nation’s digital infrastructure, taking a more aggressive approach than prior administrations to compel industry to do more to prevent U.S. adversaries from hacking critical networks.
Three sources familiar with the work on the document, which is still in the early stages of drafting, described it to CyberScoop. It would be the first national cybersecurity strategy since one drafted under the Trump administration and released in 2018.
“They’re taking a look at how to more forcefully use government power in the cyber arena,” said one source familiar with the discussions, who spoke on condition of anonymity like the other two sources because they are not authorized to speak publicly about the draft document. “The sense is that we’ve not used the full breadth and scope of U.S. power to address some of the underlying systemic cyber issues.”
The Office of the National Cyber Director (ONCD) is leading the drafting, as POLITICO first reported. Its goal is to produce something by September, but one source said the document would “nest” with broader national security strategy documents, so the cybersecurity strategy’s timing could be tied to how those documents proceed. Cyber strategy drafts have only recently begun working their way through the interagency review process and being shared with industry, the sources said.
ONCD has not presented its proposals in areas such as cybersecurity education as final versions; instead, the sources said, they have offered up ideas about what they’re considering and sought feedback. And national strategies rarely present specific courses of action, such as how regulation of a particular industry should proceed — instead, they generally present an overarching vision.
The Biden administration has already sought to use some levers of federal power to compel private sector cybersecurity improvements, a departure from past practice largely focused on voluntary measures. An executive order last year instituted more cyber requirements on federal contractors, partially under the notion that it could promote those standards to a broader extent in industry.
Several federal agencies have instituted cyber incident reporting requirements on the sectors they regulate, or are in the process of doing so. The Biden administration also pushed Congress to pass a critical infrastructure cyber incident reporting requirement, which became law earlier this year, although the associated regulations could be years away from finalization.
Two of the sources said the sentiment in the Biden administration seems to be that those measures have not gone far enough. The third suggested that interpretation might be an overreach.
“I don’t think we know how much of a turn it’s going to be from the Biden administration’s approach,” one source said. “Is it a pivot from where this administration has gone, or is it a pivot from prior administrations?”
The ONCD declined to answer a request for comment on this story.
Topics on the agenda
Six working groups are tackling the strategy, the sources said, although CyberScoop could not confirm what each working group was addressing. A team under Rob Knake, deputy national cyber director for strategy and budget, is leading the work along with Harry Krejsa, acting assistant national cyber director for strategy and research, and Matthew Ferren, cyber policy adviser for that office.
National Cyber Director Chris Inglis has already floated much of what he hopes the strategy will address in speeches and policy writings, the sources said, most especially in a February Foreign Affairs piece he penned with Krejsa that called for a “social contract” to “redistribute risk.”
That piece also spelled out concerns about Russia and China making in-roads with the rest of the world about the fundamental nature of the internet.
“They’re trying to set out a vision for what free open and secure internet looks like, as opposed to the vision set out by China and Russia,” the source said. “They’re trying to counter digital authoritarianism.”
Some of the other major topics the document is likely to address, the sources said, are strengthening the U.S. cybersecurity workforce, which government officials and industry leaders say suffers from significant hiring gaps; the shared responsibility of the tech industry and government to bolster cybersecurity; information sharing, including a look at models like the relatively new Joint Cyber Defense Collaborative housed in the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency; and the federal government’s effort to defend its own IT.
What should be on the agenda
Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University, wrote critically of the last national cybersecurity strategy. That document, she contended, placed too much emphasis on going on offense in cyberspace.
“The things I would like to see are a real focus on defensive efforts, which is something that the administration has been working on a lot in the past year or so — thinking through how are we strengthening security for critical infrastructure, security for non-critical infrastructure, private sector partners?” she said. “What does that look like concretely in terms of both incentives to implement stronger security and also, potentially penalties for not doing that?”
Furthermore, “I’d like to see a real emphasis on figuring out what can be done domestically because the international cooperation efforts have been so unproductive thus far,” she said. “And I think there’s there’s a real need to focus at least for the short term on what kind of progress can we make, even without the cooperation of countries like Russia and China.”
Wolff also said cryptocurrency would be a productive area to pursue in the strategy, given the role it plays in enabling cybercrime.
The strategy needs to take a close look at how some industry sectors, such as financial services, are heavily regulated while at the same time sectors that are arguably just as important encounter few rules, said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation’s Foundation for Defense of Democracies, a think tank.
“I think it’s going to be very forward-leaning,” said Montgomery, who has served as executive director of the Cyberspace Solarium Commission on which Inglis served before returning to government work. “I would hope it says, ‘Establish the conditions to harmonize security across multiple infrastructures.'”
Montgomery said he also hoped that officials would better integrate the strategy with the Defense Department’s own cyber strategies.
Timing-wise, Montgomery said, it would be helpful for the strategy to be wrapped up before the start of the next fiscal year — Oct. 1. That way, it could help agencies propose fiscal 2024 budgets that align with it.
One source familiar with the discussions said the timing was up to the president.
“We’re trying to get a product together quickly so we have something that is there for the president to review and for the rest of the senior levels of interagency to review,” the source said. “The timeline of when do I expect it to be signed by the president is, ‘When the president is good and ready.'”
Regardless, “We’re not looking to dictate,” said the source. “We’re looking to coordinate.”
Suzanne Smalley contributed to this story.