Last Thursday, the Biden-Harris administration released an aggressive strategy to tackle the nation’s most pressing cybersecurity issues. The National Cybersecurity Strategy (NCS) is a welcome development for industry advocates who’ve long encouraged the government to adopt a culture where protecting our infrastructure from digital threats isn’t a passive add-on or afterthought. Cyber protection and survivability must be a primary consideration from conception and design to implementation and deployment. Cybersecurity is national security.
At Shift5, we’re working at the speed of innovation to solve some of these challenges, and we very much welcome yesterday’s announcement. While it’s rare that any policy is perfect — and much work will need to be done to turn this one into actionable tactics — there’s a lot of promise in this strategy. Over the next few weeks, we’ll be diving into how we believe this policy impacts the operational technology (OT) space as it pertains to defense, commercial air, and industrial rail. But at first glance, several key points stand out as vital to understanding the NCS’s implications.
Takeaway 1: The strategy wastes no time in addressing Malicious Actors, calling out the People’s Republic of China (PRC) as the “broadest, most active, and most persistent threat.”
Indeed, the PRC continues to be our military pacing challenge, and they have made great strides to integrate holistic cyber and electronic warfare capabilities. As it relates to our own military, we’ve heard calls from numerous senior officials that hone in on this topic. At last year’s Reagan National Defense Forum, Secretary of the Air Force Frank Kendall noted: “We take it as a given now that anything we build has to have cyber capabilities,” and, “There’s another category of cyber risks, which is one I worry about more, which is associated with weapons.” The NCS articulates some bold new policy demands for the U.S. Department of Defense to maintain its competitive edge:
Takeaway 2: As the government implements this strategy and works with Congress to address the unique challenges posed by the PRC, it will be critical to, as the NCS states, “realign incentives to favor long-term investments.”
Successful adoption of this strategy will require the commercial sector — infrastructure, transportation, etc. — to shift away from passive technology adoption and refocus on data access and visibility for collective, collaborative defense. Leading voices in Congress have already identified this very challenge. At an event with the Council on Foreign Relations last year, Senator Ed Markey (D-Mass.) said that commercial adoption of OT cybersecurity defense tools “requires ongoing financing in order to meet with the increase in the offensive cyber capacity…we just need a policy in our country where we’re requiring all essential infrastructure to make this investment on an ongoing basis.” By realigning incentives to favor long-term investment, the administration will help the commercial sector to leverage the tools required for robust platform observability across every aspect of horizontal infrastructure:
Takeaway 3: Placing demands on the federal government and the commercial sector to overhaul their approach to cybersecurity is only one half of the problem.
For them to be successful, the cybersecurity industry must not only keep pace, but continue researching and building at the speed of innovation to ensure robust and cutting-edge cyber solutions are readily available and outpacing the competition. Accordingly, the federal government can help by “investing in a resilient future.”
Last Thursday’s announcement is a step in the right direction. The details of the implementation plan — expected later this year — will serve as the next benchmark for progress. The acknowledgment of the need for innovation is clear, but as the NCS states, “Leadership in innovation without security is not enough.” Innovation is often spawned out of necessity — and we’ve never been at a point where it was more necessary than the present — but once put in motion, it can just as quickly become extinguished by layers of legacy logic and process, so it’s critical that we not only innovate our tech, but also the process by which it’s developed, procured, and deployed as well. Much of the innovation that’s needed already exists — what we hope is that the implementation of the NCS will synchronize the government’s need for innovation with its ability to rapidly adopt it.