IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Government Cyber Policy: The Way We Were, Are and Will Be

For 25 years, cyber policies have evolved and grown as the breadth and impact of cyber threats skyrocket. So what happened, and what’s missing as we head toward 2030?

A person holding up a tablet flat in their hand with a blue lock symbol hovering above it.
Shutterstock/Treecha
A fascinating blog recently written forLawfare got me thinking more about the history of White House cyber policies.

The piece takes us back to the Clinton administration’s release of Presidential Decision 63 (PDD 63) in 1998, and goes on to describe a (very rare) “broad cyber policy consensus across three Democratic and two Republican administrations.”

I really like the post and urge you to read both parts 1 and 2. Here is one important takeaway on our latest National Cybersecurity Strategy (NCS): “The most important shift in the new NCS … is not the headline-grabbing actions such as regulation (mentioned below), but those that set out an actual strategic concept rather than just a laundry list of needed actions.

“Real strategic concepts should be simple and short. The U.S. Cold War strategy was a single word (containment). The Army’s counterinsurgency strategy could be encapsulated in a simple phrase (roughly, to win hearts and minds). Moreover, a strategic concept should be expandable, that is, practitioners can take the basic strategic idea and unpack it to develop deeper objectives in line with the established concept. They are also both negatable, so that a critic can argue no, not “hearts and minds” but “kill the insurgents.” Together, these efforts drive priorities, so that the bureaucracy, when faced with competing priorities that improve cybersecurity, can decide which ones to invest in further and which to deprecate.

“Past U.S. cyber strategies lacked any such expandible, negatable strategic concept.”

WHAT’S WRONG WITH THAT CYBER POLICY?


Beyond arguments surrounding whether market forces have failed in the cybersecurity industry and highlighting a move toward more regulation, a series of fundamental questions are addressed in that blog post. One such question is: What’s wrong with our current approach?

An article for Defense One suggests “A Decade-Old Cyber Policy Desperately Needs an Update, Group Says.” The bipartisan Cyberspace Solarium Commission has recommendations for a new critical-infrastructure playbook.

Following this same theme, the Wall Street Journal reported that “Federal Cyber Oversight of Critical Infrastructure Is Failing, Report Warns.” Both of these pieces highlight the 2021 ransomware strike on Colonial Pipeline, which showed how the federal response to cyber attacks can be cumbersome, according to one of the authors of the Cyberspace Solarium Commission 2.0 report:

“The 2013 policy that established the current cybersecurity response and governance system urgently needs to be revised, the report added. …

“The May 2021 ransomware strike on Colonial Pipeline shows how wires can quickly become crossed, Fixler said. In Congressional testimony, Colonial executives said they initially notified the Federal Bureau of Investigation of the attack because it is the government’s lead incident-response agency.

“However, the Transportation Security Administration is the sector risk-management agency for pipelines, and CISA, which focuses on infrastructure protection, later learned of the attack from the FBI, Fixler said. The government eventually named the Energy Department as the lead U.S. agency for the federal response to the attack. During the incident, Colonial shut operations for six days, prompting panic buying that drove up gasoline prices.”

REVISING PUBLIC-PRIVATE COLLABORATION TO PROTECT CRITICAL INFRASTRUCTURE


On June 7, 2023, Cyberspace Solarium Commission came out with a new report called CSC 2.0 with this explanation in the executive summary: “In late 2022, the Biden administration announced its intention to rewrite the Obama-era Presidential Policy Directive 21 (PPD-21), which established the current iteration of the critical infrastructure protection framework. This decision followed congressional intervention two years earlier to clarify and expand the role of federal agencies responsible for interfacing with the private sector. Congress designated these organizations as Sector Risk Management Agencies (SRMAs).”

The 12 recommendations in the report include:

Rewrite PPD-21 for a New Era
  1. Clearly identify strategic changes.
  2. Assign responsibilities and ensure accountability for routine updates of key strategic documents.
  3. Clarify CISA’s roles and responsibilities as NRMA.
  4. Resolve questions around the organization and designation of critical infrastructure sectors and assigned SRMAs.
  5. Provide guidance on SRMA organization and operation.
  6. Facilitate accountability.

Support the PPD-21 Rewrite With Implementation and Resourcing Efforts
  1. Strengthen CISA’s capabilities to execute its NRMA responsibilities.
  2. Resource SRMAs for the responsibilities they have.
  3. Identify a more effective way to catalog, support, and protect priority infrastructure.
  4. Develop functional information-sharing capacity across all sectors.
  5. Organize public-private collaboration to mitigate systemic and cross-sector risk.
  6. Ensure effective emergency response.

FUTURE CYBER POLICIES


There are many moving parts reading cyber policy over the years. There are also new policies and guidance recently released on topics ranging from quantum technologies to artificial intelligence, which will greatly impact future cyber policies.

Add in government policies, procedures and mandates on topics like FedRAMP, which are full of cybersecurity guidance, as well as DoD cybersecurity policies, OMB policies, NIST cyber policy guidance and more, and this entire topic seems to become alphabet soup to most readers.

For states, improved cloud security often comes with StateRAMP guidance, which many state executive branches are adopting as procurement policies.

Nevertheless, cyber policy at the federal, state and local levels remains a work in progress and will continue to evolve — albeit a bit slower than our technology changes.

And therein is one of our top challenges: How can we keep up with the breakneck pace of technology and cybersecurity change?

The truth is we cannot, but it is nice that there is (generally) bipartisan support for cyber policy. Let’s hope that this trend continues.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.