
Last Thursday, the Biden-Harris administration released an aggressive strategy to tackle the nation’s most pressing cybersecurity issues. The National Cybersecurity Strategy (NCS) is a welcome development for industry advocates who’ve long encouraged the government to adopt a culture where protecting our infrastructure from digital threats isn’t a passive add-on or afterthought. Cyber protection and survivability must be a primary consideration from conception and design to implementation and deployment. Cybersecurity is national security.

At Shift5, we’re working at the speed of innovation to solve some of these challenges, and we very much welcome yesterday’s announcement. While it’s rare that any policy is perfect — and much work will need to be done to turn this one into actionable tactics — there’s a lot of promise in this strategy. Over the next few weeks, we’ll be diving into how we believe this policy impacts the operational technology (OT) space as it pertains to defense, commercial air, and industrial rail. But at first glance, several key points stand out as vital to understanding the NCS’s implications.

Takeaway 1: The strategy wastes no time in addressing Malicious Actors, calling out the People’s Republic of China (PRC) as the “broadest, most active, and most persistent threat.”

Indeed, the PRC continues to be our military pacing challenge, and they have made great strides to integrate holistic cyber and electronic warfare capabilities. As it relates to our own military, we’ve heard calls from numerous senior officials who home in on this topic. At last year’s Reagan National Defense Forum, Secretary of the Air Force Frank Kendall noted: “We take it as a given now that anything we build has to have cyber capabilities,” and, “There’s another category of cyber risks, which is one I worry about more, which is associated with weapons.” The NCS articulates some bold new policy demands for the U.S. Department of Defense to maintain its competitive edge:

“Informed by lessons learned and the rapidly-evolving threat environment, DoD will develop an updated departmental cyber strategy aligned with the National Security Strategy, National Defense Strategy, and this National Cybersecurity Strategy. DoD’s new strategy will clarify how U.S. Cyber Command and other DoD components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic-level threats to U.S. interests, while continuing to strengthen their integration and coordination of operations with civilian, law enforcement, and intelligence partners to disrupt malicious activity at scale.”

Takeaway 2: As the government implements this strategy and works with Congress to address the unique challenges posed by the PRC, it will be critical to, as the NCS states, “realign incentives to favor long-term investments.”

Successful adoption of this strategy will require the commercial sector — infrastructure, transportation, etc. — to shift away from passive technology adoption and refocus on data access and visibility for collective, collaborative defense. Leading voices in Congress have already identified this very challenge. At an event with the Council on Foreign Relations last year, Senator Ed Markey (D-Mass.) said that commercial adoption of OT cybersecurity defense tools “requires ongoing financing in order to meet with the increase in the offensive cyber capacity…we just need a policy in our country where we’re requiring all essential infrastructure to make this investment on an ongoing basis.” By realigning incentives to favor long-term investment, the administration will help the commercial sector to leverage the tools required for robust platform observability across every aspect of horizontal infrastructure:

“Our economy and society must incentivize decision-making to make cyberspace more resilient and defensible over the long term. Balancing short-term imperatives against a long-term vision will be no easy task. We must defend the systems we have now, while investing in and building toward a future digital ecosystem that is more inherently defensible and resilient. We must ensure that market forces and public programs alike reward security and resilience, build a robust and diverse cyber workforce, embrace security and resilience by design, strategically coordinate research and development investments in cybersecurity, and promote the collaborative stewardship of our digital ecosystem. To achieve these goals, the Federal Government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.”

Takeaway 3: Placing demands on the federal government and the commercial sector to overhaul their approach to cybersecurity is only one half of the problem.

For them to be successful, the cybersecurity industry must not only keep pace, but continue researching and building at the speed of innovation to ensure robust and cutting-edge cyber solutions are readily available and outpacing the competition. Accordingly, the federal government can help by “investing in a resilient future.”

“Public and private investments in cybersecurity have long trailed the threats and challenges we face. As we build a new generation of digital infrastructure, from next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent. The Federal Government must leverage strategic public investments in innovation, R&D, and education to drive outcomes that are economically sustainable and serve the national interest.”

Last Thursday’s announcement is a step in the right direction. The details of the implementation plan — expected later this year — will serve as the next benchmark for progress. The acknowledgment of the need for innovation is clear, but as the NCS states, “Leadership in innovation without security is not enough.” Innovation is often spawned out of necessity — and we’ve never been at a point where it was more necessary than the present — but once put in motion, it can just as quickly become extinguished by layers of legacy logic and process, so it’s critical that we innovate not only our tech, but also the process by which it’s developed, procured, and deployed. Much of the innovation that’s needed already exists — what we hope is that the implementation of the NCS will synchronize the government’s need for innovation with its ability to rapidly adopt it.