The White House introduced a new national cybersecurity strategy in September 2018, the first governmentwide strategy published in about 15 years. And while there isn’t a lot in the strategy that wasn’t already known by most of government and industry, the strategy is innovative in that it plans for action where previously the focus had been on policy, according to Federal Chief Information Security Officer Grant Schneider.
“If you read the national cyber strategy — a lot of the feedback I get from people is there’s not a lot of new. There’s not some new solution to the cyber problem, and that’s why there is a cyber event almost every day during October and lots of days the rest of the year,” said Schneider at the 2018 CyberCon, hosted by Fifth Domain.
“What’s new about the national cyber strategy, though, is it’s a movement from policy and process to one of action and accountability.”
He added that a lot of the strategy is about fulfilling the basics, as a May 2018 risk determination report across the federal government found that approximately three-quarters of agencies were at moderate or high cyber risk.
The strategy takes its lead from the four pillars of the National Security Strategy: protecting the American people and way of life; promoting American prosperity; preserving peace through strength; and advancing American influence.
“It is oriented around the National Security Strategy, which makes sense because cyber and cybersecurity are so critically aligned with our national security,” said Schneider.
Central to improving cybersecurity within the government and industry is increasing the cybersecurity workforce in the United States and encouraging them to join federal service.
“I don’t view cybersecurity as a technology challenge; I view it as a people challenge,” said Schneider.
“We don’t have enough of the people with the skills and expertise that we need across the nation in cybersecurity. And this isn’t just people who are the chief information officer, who work in the basement, who keep the lights running and keep the bad guys out of the system. It’s actually everyone having an awareness.”
For example, the other senior members of a private sector company or government agency need to have enough cyber understanding to know that there is no such thing as perfectly safe, and not punish a CISO for saying that they will always be in some level of danger, according to Schneider.
The administration has taken steps to address the needs for at least some of the cyber-specific workforce through a proposed rule change that would give direct hire authority decision-making to the heads of agencies rather than having it go through the Office of Personnel Management when it comes to hiring critically needed IT personnel.
Schneider applauded this step but said that the nation would have to take broader actions to really address the spectrum of cyber personnel needed in today’s environment.
“The other step, though, is that we have to look at education,” said Schneider. “We’ve got to look at how are we developing that awareness, whether it’s through grant money, through scholarship for service — which is a program the federal government has through the National Science Foundation where we will pay for I think three years of college and [then] someone needs to come work in the cyber realm for U.S., state and local or federal government for a number of years.”
Schneider said that the national cyber strategy would also work to address the broad spectrum of supply chain security issues that appear in federal acquisitions, critical infrastructure components and commercial products.
“I view supply chain as very broad,” said Schneider. “All of that matters.”
To ensure agencies are taking action on the needs outlined in the strategy, the administration is currently developing an implementation plan, which will not be publicly released in order to keep American adversaries in the dark about government cyber plans, according to Schneider.
Agencies will also have to weigh the balance of defensive and offensive cyber capabilities, the latter of which Schneider called an “inherently governmental” capability, one that will fall into a larger international security strategy.
“I don’t think Putin is going to go, ‘Oh no, the U.S. has another offensive cyber thing, maybe I should stop using my offensive cyber capability.’ That said, I think our offensive cyber capability can be very, very targeted,” said Schneider.
“We don’t use them for cyber means or cyber outcomes necessarily; it’s part of our national objective of what are we trying to achieve. We don’t drop bombs from airplanes because we want to see a hole in the ground; it’s part of a broader approach of what are we trying to accomplish in the nation to either deter people or to retaliate or respond in some way, shape or form. And I think our cyber tools are going to be used in the same way.”