On the National Cybersecurity Strategy

As part of my coursework last semester, I wrote a short dissection of the National Cybersecurity Strategy document published by the White House. Since my semester ended a month ago, I feel comfortable sharing my thoughts with the public. Please find the essay reproduced below.

(For added context: the prompt asked me to read the entire document, and inform my readers why the strategy would or would not be effective.)

The National Cybersecurity Strategy document’s welcome focus on economic incentives for cybersecurity investment is tempered by its deference to temporary technological trends (i.e., “Internet of Things”), focus on traditional regulation, and its refusal to elaborate on finer details. On the whole, the document barely proposes anything concrete; as such it can hardly be called “effective.” The author even acknowledges this near the end: “Realizing the strategic objectives outlined in this strategy will require a strong focus on implementation.” Yet what little is actually proposed leaves much to be desired. But some of its general principles bode well for the future should they be adopted by the industry (nobody in the industry will disagree with the statement “A single person’s momentary lapse in judgment… should not have national security consequences”); others, quite the opposite. My assessment is that this document will not be effective because it hardly makes any specific or actionable recommendations; it focuses on heavy-handed regulation instead of softer economic incentives; and it defers to an existing bureaucracy that cannot handle the challenge of strengthening America’s cybersecurity.

Despite the natural pitfalls of only spelling out principles without any indications for practice, many of the general ideas in the document deserve applause (in particular, the section regarding Strategic Objective (henceforth “SO”) 1.2 beautifully outlines the idea of distributed security and its advantages over a centralized response). Yet throughout the document little definitive action is proposed – and consequently little in the way of strategic value. To be singled out for particular ridicule are the requests in SO 1.2 for “enhanced coordination” (which I am certain the target audience shall interpret as a request for an additional email at the end of every fiscal year), in SO 1.3 for the “integration of Federal Cybersecurity Centers” (unless they are empowered similar to law enforcement agencies, I suspect this shall consist of an additional site visit or two), and the description of Internet technologies in the Introduction sectinn as “underlying structural dynamics” (which sounds like something inserted into an essay ChatGPT would write instead of a nominally serious paper about cybersecurity). These examples come from near the beginning of the document but many just like them are peppered throughout, forming the bulk of what is written, as will be noted below.

Regarding trends, both the document’s introduction and SO 3.2 embrace the current trend of putting a microchip in everything (called the Internet of Things). Subsequently the author discusses securing IoT devices instead of treating their existence at all as an inherent security risk. In addition to the inherent danger of connecting every household appliance to the Internet, (according to a rule of thumb, no system can ever be made perfectly secure [Chapple & Seidl, 193]), the massive control possessed by the adversarial People’s Republic of China over the IoT industry has already had several ramifications for national security across Western nations (Noone).

In terms of proposed government action to mitigate cyber risk, the document gives ground to regulatory measures in Pillar One as opposed to the promising financial incentives it mentioned earlier. The author rightly summarizes that “today’s marketplace insufficiently rewards… operators of critical infrastructure who invest in proactive measures.” But the proposed regulations fail to target the source of corporations’ risky behavior in cyberspace: data is treated as the property of its hosting provider, not of the subject it regards. To this day, no law has ever criminalized the grossly negligent mishandling of Americans’ most critical information at the hands of Equifax, Capital One, and far too many others to count (Klosowski). Rather than make companies treat the data they handle seriously and delicately, these proposed regulations rely on frameworks advising technical implementations which will be outdated by the time I give you this essay (“Cybersecurity Framework”). Of course, when the time comes for these regulations to be updated, we can trust that a regulatory board will oversee the review and approval process, alongside a lengthy public comment period, all of which will take so long that the approved regulations will be outdated as soon as they are implemented. While more promising incentives are discussed later in SO 3.3, namely the increase in liability for companies producing grossly insecure products and development of standards to shield companies following them from liability, the author quickly mentions that “this [standardization effort] will draw from current best practices for secure software development,” guaranteeing its irrelevance when put into practice.

Some concrete objectives are thankfully stated in SO 1.4, which focuses on the excessive difficulty in national cyber incident response created by byzantine reporting and coordination. It notes that the Cyber Incident Reporting for Critical Infrastructure Act and pending legislation to institute the Cyber Safety Review Board (CSRB) permanently will provide the private sector with simpler methods of reporting cybercrime (ideally, to coordinate responses faster) and to conduct postmortems on a national level. The author also rightly identifies the masking of aging infrastructure (in my experience, a hodgepodge of COBOL and discontinued IT systems) as a large risk to national cybersecurity and promises to develop a lifecycle plan to modernize architecture across the Federal behemoth. Sadly the details are left to existing agencies, and are not addressed in the document.

Pillar Two concerns counter-offensives and disruptions of malicious cyber-activity. An often-discussed technique in cybersecurity deterrence and counter-operations are corporate hack-backs, raising questions of legality and cost-effectiveness. When trying to address counter-ops in Pillar Two, the document sidesteps this issue while reiterating support for more conventional counter-operations against traditional forms of organized cybercrime (botnets, ransomware gangs) and meekly requesting that private sector organizations generously donate their “resources” to existing organizations and avoid paying ransoms if demanded (as opposed to suggesting concrete action, i.e., criminalizing ransomware payments). Again, some finer (and firmer) details would make this a more effective strategy, not to mention some justification for continuing what has been up until this point an ineffective approach to dealing with modern cybercrime.

Pillar Three, the section containing economic incentives to drive national cybersecurity, has plenty of ideas to celebrate. SO 3.1 vows that the White House will “impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data;” SO 3.3 (discussed previously) champions changes to liability law; and SO 3.5 would conscript the Federal procurement process (already quite lucrative for its participants) to further improve cybersecurity standards. Yet the complete lack of concrete details in this section leaves us to speculate on the implementation of these ideas. Uncharitable interpretations can lead us to view SO 3.1 as a proposal for an “American GDPR,” which has had disastrous consequences overseas (Fefer & Archick). The glaring flaw in SO 3.3 has already been discussed. And SO 3.5 is vulnerable to the same issues as SO 3.3 in that regulations move far slower than the technologies they regulate. Again, the author describes the “what” should be done while leaving the “how” for an unspecified later date.

The closest the document ever comes to elaborating on truly technical matters is in Pillar Four, where the author (in SO 4.1) mentions the Border Gateway Protocol, Domain Name System, and Internet Protocol by name. These technologies are correctly identified as the underpinning of the Internet and vital to its security. Similarly the notion of foreign influence on the governance of Internet technologies is pointed out. Sadly our respite from ambiguity ends here, as the author demands a “clean-up” of the vulnerabilities in these technologies without specifying any plan to do so. A touch of ambition can be seen in SO 4.3’s post-quantum aspirations, but the plan they mention consists of working groups, status reports, provisions of guidance, and other informational pieces (“National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems”). Information without action is wasted opportunity. Additionally, what little has come out of these groups has been found cryptographically insecure (“NIST’s Quantum-Proof Algorithm Has a Bug, Analysts Say”). Similarly SO 4.5’s proposal for “strong, verifiable digital identity solutions” in the context of rampant identity fraud rings hollow when the most important credential Americans possess is a 9-digit number that instantly unlocks their (attackers’) access to credit, tax refunds, and government services. More welcome would be a gradual phase-out of the SSN and introduction of a rotational system similar to the one I propose in my blog (Gilad).

Pillar Five deals mostly with foreign policy objectives and their alignment with cybersecurity challenges in the United States. Unlike the other Pillars, this section is entirely non-technical; evaluating its general principles alone (coalition-building, expanding support for allies) shows only one missing element: previous notes about the threats posed by hostile nations are missing from this section, where they would appear most appropriate. Coalition-building will help strengthen our alliances, but without mentioning the threat these coalitions face we are left to wonder if these efforts will be too passive to make a substantial difference.

The concluding section of the document – incorrectly named “Implementation” – is a microcosm of the rest of the document. It designates other agencies and authorities to handle the dirty work of the document’s implementation while touting them as reliable and ready to handle the work. The most disheartening example here is their parading of the CSRB’s work regarding Log4j. They note that a review into the vulnerability (called Log4Shell) was completed in mid-2022, and stakeholders were provided with “clear, actionable recommendations based on what the review discovered.” There’s just one problem: Log4Shell was discovered in December of 2021 (Associated Press). That means it took the CSRB around 6 months to make recommendations about a vulnerability which by then had been patched, mitigated, and resolved by the private sector. That the author should appear almost proud that this occurred is a troubling sign for this document’s implementation. Not only can I not say that this document, which has hardly any will to say anything definite about America’s cybersecurity policy, will be “effective” – I can say that its feeding of an outdated and sluggish bureaucracy will actively harm America’s security.