The Biden Administration recently published its National Security Strategy (NSS), a document that defines the government’s overall strategic priorities, and thereby serving as a guidelines for all U.S. government agencies. As such, it is the underpinning for agency-specific and other strategic documents like the Department of Defense’s National Defense Strategy and the forthcoming U.S. Government’s Cybersecurity Strategy. The NSS is a broad, high-level document focusing on two core strategic challenges – geopolitical competition and shared transnational threats, identifying both China and Russia as the United States primary adversaries. Per the strategy, China is the threat that the United States will “prioritize maintaining an enduring competitive edge over,” while Russia is the threat the United States will work toward constraining globally.
While referenced throughout the document, the strategy gave limited insight into how cybersecurity fits into the larger strategy, though the Administration’s dedicated cyber strategy is expected to be released sometime over the next couple of months. The small section in the NSS dedicated to “Securing Cyberspace” does not necessarily present a novel approach to grappling the challenges of the cyber ecosystem with respect to combatting the threats that have loomed, developed, and lingered for the past decade. The need to secure infrastructure, establish international norms of behavior for state activity, bolster international relationships and law enforcement cooperation, and counter hostile cyber activity are mainstay issues that consistently need to be addressed due to the dynamism of cyberspace.
Still, if the NSS is the roadmap by which all else falls under, then it should give insight into what the national cybersecurity strategy should look like, and what will be expected of its stakeholders. As such, the forthcoming cybersecurity strategy will likely drill down on these key issues. However, things like norms of behavior and increased international cyber cooperation seem less imperative as they fundamentally require outside engagement and are subject to back and forth negotiating before an agreement can be made. The global community has operated without norms in place, and there is no indication that even if norms were agreed upon that those states – especially those cyber powers – would adhere to the agreed-upon provisions in any meaningful way. While noble in cause, trying to tie down governments to specifics would most likely prove as fruitless endeavor as “no hack pacts.”
International cooperation has the potential to be advantageous but will largely depend on the purpose and mission of the agreement. International law enforcement has been instrumental to taking down cyber criminal gangs and perhaps even tracking down advanced persistent threat actors, but these victories have been few compared to the sheer volume of state and nonstate hostile cyber activity occurring on a daily basis. And even if the collaborative state cyber activity countering Russian online malfeasance has shown some measure of success, it is not certain that such cyber collaboration would be occurring outside the kinetic conflict. Such balkanization might encourage other governments to team up to form their own online cyber hamlets.
The importance of securing critical infrastructure is not new but has faced a series of difficulties over the past several years. There has been increased interest in targeting these systems, and some attacks have garnered international attention. Ransomware attacks impacted the Colonial Pipeline and JBS, as well as disrupting Ukraine’s power grid distribution exposing the potential consequences should they be disrupted or destroyed for any substantial amount of time. Indeed, even February 2022’s attack against VIASAT temporarily halted telecommunications services and even impacted German wind turbine functionality. What’s clear is that defending these infrastructures is extremely difficult – complex ecosystems made up of new and legacy systems make visibility and devising security strategies and controls a long, uphill battle, especially given resource constraints. Unlike the first two issues touched upon in the NSS, this is an area where the United States has purview over. What makes this difficult is that the private sector are the primary owners of the infrastructures on which all rely, making any failure to effectively partner with one another an area that warrants consistent attention.
Because of this consideration, there is indication that the U.S. government may implement a more aggressive approach to compel industry to fall into line, something that the White House cybersecurity director did not refute, advocating a need for the government to be “tough.” The government may be prepping expectation that the road forward may be regulation-focused with mandates as a means to industry compliance. The director even cited the recent regulation standardization for electric vehicles as an example of what may lie ahead for the critical infrastructure community. There are plans in the works for having the government become more active in helping set industry cybersecurity rules with the Administration preparing to “activate its regulatory authorities,” though it would leave it up to sector-specific entities to decide who should implement “appropriate cybersecurity defenses.” This has raised obvious concerns from industry as there is speculation as to what explicit tasking is given to it, and what possible consequences might result if deadlines and implementation are not met. Pushback may be great if industry is not happy.
But the big question is how the new cybersecurity strategy will address the two core strategic principles of the NSS – geopolitical competition and shared transnational threats? In that regard, there doesn’t appear anything “new” in the NSS that suggests a different approach than what has already been taken. Even the current cyber section in the NSS states that the government will use all tools at its disposal to respond to hostile cyber acts, which while strategically enigmatic does not provide any sense that there is a plan beyond what it is already doing. Given how it defines the United States’ two primary adversaries – China as aggressive competitor and Russia as an aggressive expansionist – securing cyberspace seems more about the status quo than innovating to meet the challenges these governments represent.
Now this could all change. The new cybersecurity strategy could be more descriptive in the steps the United States will take with respect to cyberspace and how it will use it to support addressing China and Russia as geopolitical competitors and transnational threats. This would not only be helpful but show that there is a larger cyber plan besides the obvious. Even Biden’s predecessor tweaked the usual talking points by saying it will be more aggressive in countering adversaries in cyberspace, thereby unshackling cyber operations from bureaucratic red tape. One problem may be that cyber continues to be viewed through separate lenses – offensive, defensive, standards, norms, governance – without considering how they should all be integrated to achieving specific cyber goals that support the larger national security strategy. How can an offensive operations feed into both securing a critical infrastructure while helping codify norms of behavior to constrain Russian expansionism? This is how strategic cyber thinking must evolve lest we run the risk of continuing to view an interconnected environment by its parts and not its whole.