March 2023 Security Topic - U.S. National Cybersecurity Strategy 2023

On March 1, 2023, the White House published an updated National Cybersecurity Strategy. Previous editions of this strategy were published in 2018 and in 2003. All three versions address very similar topics. They discuss how most critical technology assets are owned by the private sector and how the U.S. government must partner with it to address challenges. They argue that the market should address most cybersecurity issues, while the government also has a role to play. The United States has now operated under a national cybersecurity strategy for roughly 20 years, a span that coincides with the establishment of the Department of Homeland Security in 2002.

The newest strategy is significant for many reasons. The federal government has learned many lessons in the past 20 years from dealing with malicious nation-state actors, widespread criminal activity, and overt election interference. Public/private partnership efforts undertaken since the first strategy's release have also clearly informed this newest strategy in some insightful ways. There is also more public awareness and concern about the impact of connected technologies on data privacy, civil rights, national security, and public safety.

The newest strategy addresses the challenges of securing identity, the threats of phishing and ransomware, and the complexities of combating criminal activities that are condoned by several nation states. It is more specific than previous strategies without getting bogged down in technical details as the 2003 report did. That report spent considerable space explaining how the Internet worked, which at the time was probably needed for context.

Some key highlights of the strategy include assigning more responsibility to the information technology industry for the products it creates, incorporating safety labeling on all Internet-connected devices, using federal purchasing power to support safety-conscious market solutions, and making strong investments in modernizing the Internet's core technologies. Placing more responsibility on technology companies is an especially striking message, since it is a stark departure from previous strategies.

Cisco, for instance, employs some of the world's leading networking professionals and engineers. They create very complex solutions for a wide array of customer needs. They have vastly more expertise in this area, and more money and resources devoted to it, than any small business in the country. But if Cisco software fails to protect a business from a cyber-attack due to a preventable flaw, it is the small business that assumes the liability. In almost every other industry, that type of liability typically rests with the manufacturer or service provider. Technology companies, however, can place most of that risk directly onto consumers and businesses. It is a buyer-beware situation, with the consumer at a significant disadvantage in product knowledge and sometimes even lacking real alternatives. Placing product liability on the party most able to address it, and most responsible for it, is key to resolving many of today's cybersecurity challenges.

Safety labeling is also very exciting. Many consumers find it difficult to evaluate products for privacy and safety. This issue was clearly illustrated by the FBI in its 2017 outreach on child privacy and safety with Internet-connected toys (FBI). Many families purchase these toys and give them to their children without understanding the potential risks and harms. While the U.S. government is reluctant to strongly regulate technology companies' products and services, safety labeling will allow consumers to make their own decisions armed with more consumer-friendly information.

The federal government itself is a large purchaser of IT products and services. It takes a great deal of technology to run the government and to provide federal services. If the federal government starts requiring safer products for its own operations, it will be heavily subsidizing that safety for the rest of the American people. If such a large buyer has safety requirements, it may be easier for developers to simply apply those safety standards to all their customers instead of maintaining dramatically different products for federal and non-federal customers.

And lastly, the structure of the Internet itself was built in a different time, when there was little concern about criminal activity and tampering. The creators of our foundational technologies also never envisioned that they would be used on such a grand scale or become so important to the way we live. Updating that technology, however, is very expensive and difficult precisely because so many of us already depend on it. This is an area where the government should be applying time and resources, because the problem is larger than any one institution or private organization can solve independently.

Overall, the new strategy document is very encouraging. It outlines specific and actionable goals addressing software liability, consumer product labeling, supporting safe behaviors through federal purchasing, and supporting the modernization of the Internet itself to address current and future threats. The associated partnership organizations and legislative initiatives have become very real over the past 20 years. That maturity makes it very likely this strategy will be enacted even more fully than its predecessors.


Details

Article ID: 144908
Created: Fri 3/17/23 1:49 PM
Modified: Fri 3/29/24 9:32 AM