From Maybe-Secure to Responsible Security: The New National Cybersecurity Strategy

The new National Cybersecurity Strategy will face an onslaught of criticism on one particular front: allegations that this is regulation and red tape by another name, and that the administration does not care about innovation or business interests. These critiques are wrong.   

Imagine you bought a new car. It’s the first of its kind: sleek modern design, a new generation of hybrid, and it comes with all the navigational and communications gadgets you could want.  You plan to use it to drive your kids to school, go to the bank, and deliver packages for your small business. You’re taking it on a road trip in a week, and the family can’t wait.  

Then, a package arrives in the mail. It’s the airbags, accompanied by a perfunctory note: update to your new car now available! The manufacturer was so focused on meeting the public launch date they ran out of time to engineer new airbags. But they are here now, with only one small problem: you have to install the airbags yourself.

In the car industry, that level of security lapse would be unforgivable, and likely criminal. But that’s how too many developers have treated security for software—as an afterthought. The new cybersecurity strategy states it plainly: “Too often, we are layering new functionality and technology onto already intricate and brittle systems at the expense of security and resilience.” In other words, the focus has been on features and functions, not defense and resilience.

When computers were a novelty, or largely owned by computer scientists who enjoyed building and programming them, depending on users for security was an acceptable approach. But now, most Americans—most people around the world, even—carry computers in their pockets that are responsible for running critical aspects of our daily lives. They have become banks, healthcare, businesses, livelihoods, news, and entertainment. Smartphones know more about people’s lives than their closest friends and families.

Ideally, every American would completely understand how those devices work, including how social media apps like TikTok hoover up and export data, why quickly installing updates is important, and why location data can be dangerous. They would instantly recognize a malicious email or a text with a link to malware. In other words, they would know how to install the airbags in the car.

The new cybersecurity strategy recognizes that ideal is unrealistic. In her remarks at a CSIS event, acting cyber director Kemba Walden spoke about her mom, saying that her mother—and everyone’s mothers and fathers and kids—should not be responsible for security when those who created the tools are not taking responsibility themselves. Cybercrime cost older Americans nearly $3 billion dollars in 2021, according to the FBI’s 2021 Elderly Fraud Report. Small businesses are also a target for exploitation, although estimates of the scope of the problem vary widely; one upper estimate suggested 61 percent of small businesses were the target of cyberattacks in 2021. Ransomware is only one such type of cyberattack, with one cybersecurity firm estimating 623 million attempted attacks worldwide in 2021.

The new cyber strategy is a first step toward shifting the advantage back to the user, rather than the attacker. It states what should be obvious: the people who build the products should also ensure those products are secure. In no other product would consumers accept a standard of maybe-safe. It would be an outrage if home appliances, elevators, airplanes, or medicine had gone through only perfunctory safety testing before deployment.

The old ethos of software development could be described with Mark Zuckerberg’s now infamous phrase: move fast and break things. Discovery and innovation were the priorities; security was a distant concern. Adherents to this mindset are true optimists, not stopping to ponder how a bad actor might use their invention. Those who have come to the sad realization that bad guys ruin everything have taken the necessary steps to create security for their customers, but with no standard or labeling regime, those improvements get lost, and that product is more expensive for no clear reason. Responsible companies should be able to demonstrate their commitment to security clearly to their customers—and be rewarded for it.

The strategy also acknowledges that the entire burden should not be on industry. In her press conference, Walden said “The President’s strategy fundamentally reimagines America’s cyber social contract.” This is key—previous strategies have not clearly spelled out the division of labor between government and industry when it comes to cybersecurity. This one does not go far enough, but it does make a solid start. It draws the line at government protecting its own systems. On page 5, the strategy says the government's role is “[ensuring] that private entities, particularly critical infrastructure, are protecting their systems,” and other core functions like diplomacy, intelligence, imposing sanctions, and “conducting disruptive actions to counter cyber threats.” While the strategy is not explicit on the counterpart activities for industry, the implication is “everything else.”

The new social contract is that industry does its part to build secure and the government creates big-picture defense and shares information about threats. The government also finds ways to limit liability for businesses that prioritize security and creates some version of catastrophic attack insurance, akin to government assistance available for natural disasters. The strategy highlights one more critical piece: the government aims to put its own house in order with significant upgrades and budget proposals that align with creating real security for government systems.

The hardest part of any government strategy is not writing it, vetting it through the interagency processes, or even getting the president to sign it. It is translating it into action. The shift this strategy articulates will be trickier than most. Policymakers will need to be sure that they do not go too far down the road of stifling regulation and that they create guardrails, not roadblocks. A stated intent to focus on outcomes-based policy rather than required steps could be helpful, if articulated clearly. Getting buy-in from those critical to success will require a continued push of deft diplomacy; in particular, the Office of the National Cyber Director and its partners will need to accelerate the good work they have already done collaborating with industry leaders.

Optimism is not a policy, and naivete is no longer acceptable. Too much of modern life depends on these products working, and working well. The new strategy’s focus on demanding more from those who have the power to make us safe is well-placed.  

Emily Harding is the deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies in Washington, D.C.

Image
Emily Harding
Director, Intelligence, National Security, and Technology Program and Deputy Director, International Security Program