Government Cyber Policy: The Way We Were, Are and Will Be

A fascinating blog recently written for Lawfare got me thinking more about the history of White House cyber policies.

The piece takes us back to the Clinton administration’s release of Presidential Decision Directive 63 (PDD 63) in 1998, and goes on to describe a (very rare) “broad cyber policy consensus across three Democratic and two Republican administrations.”

I really like the post and urge you to read both parts 1 and 2. Here is one important takeaway on our latest National Cybersecurity Strategy (NCS): “The most important shift in the new NCS is not the headline-grabbing actions such as regulation (mentioned below), but those that set out an actual strategic concept rather than just a laundry list of needed actions.

“Real strategic concepts should be simple and short. The U.S. Cold War strategy was a single word (containment). The Army’s counterinsurgency strategy could be encapsulated in a simple phrase (roughly, to win hearts and minds). Moreover, a strategic concept should be expandable, that is, practitioners can take the basic strategic idea and unpack it to develop deeper objectives in line with the established concept. They are also both negatable, so that a critic can argue no, not “hearts and minds” but “kill the insurgents.” Together, these efforts drive priorities, so that the bureaucracy, when faced with competing priorities that improve cybersecurity, can decide which ones to invest in further and which to deprecate.

“Past U.S. cyber strategies lacked any such expandable, negatable strategic concept.”

WHAT’S WRONG WITH THAT CYBER POLICY?

Beyond arguments surrounding whether market forces have failed in the cybersecurity industry and highlighting a move toward more regulation, a series of fundamental questions is addressed in that blog post. One such question is: What’s wrong with our current approach?

An article for Defense One suggests “A Decade-Old Cyber Policy Desperately Needs an Update, Group Says.” The bipartisan Cyberspace Solarium Commission has recommendations for a new critical-infrastructure playbook.

Following this same theme, the Wall Street Journal reported that “Federal Cyber Oversight of Critical Infrastructure Is Failing, Report Warns.” Both of these pieces highlight the 2021 ransomware strike on Colonial Pipeline, which showed how the federal response to cyber attacks can be cumbersome, according to one of the authors of the Cyberspace Solarium Commission 2.0 report:

“The 2013 policy that established the current cybersecurity response and governance system urgently needs to be revised, the report added.

“The May 2021 ransomware strike on Colonial Pipeline shows how wires can quickly become crossed, Fixler said. In Congressional testimony, Colonial executives said they initially notified the Federal Bureau of Investigation of the attack because it is the government’s lead incident-response agency.

“However, the Transportation Security Administration is the sector risk-management agency for pipelines, and CISA, which focuses on infrastructure protection, later learned of the attack from the FBI, Fixler said. The government eventually named the Energy Department as the lead U.S. agency for the federal response to the attack. During the incident, Colonial shut operations for six days, prompting panic buying that drove up gasoline prices.”

REVISING PUBLIC-PRIVATE COLLABORATION TO PROTECT CRITICAL INFRASTRUCTURE

On June 7, 2023, the Cyberspace Solarium Commission came out with a new report called CSC 2.0 with this explanation in the executive summary: “In late 2022, the Biden administration announced its intention to rewrite the Obama-era Presidential Policy Directive 21 (PPD-21), which established the current iteration of the critical infrastructure protection framework. This decision followed congressional intervention two years earlier to clarify and expand the role of federal agencies responsible for interfacing with the private sector. Congress designated these organizations as Sector Risk Management Agencies (SRMAs).”

The 12 recommendations in the report include:

Rewrite PPD-21 for a New Era

  1. Clearly identify strategic changes.
  2. Assign responsibilities and ensure accountability for routine updates of key strategic documents.
  3. Clarify CISA’s roles and responsibilities as NRMA.
  4. Resolve questions around the organization and designation of critical infrastructure sectors and assigned SRMAs.
  5. Provide guidance on SRMA organization and operation.
  6. Facilitate accountability.

Support the PPD-21 Rewrite With Implementation and Resourcing Efforts

  1. Strengthen CISA’s capabilities to execute its NRMA responsibilities.
  2. Resource SRMAs for the responsibilities they have.
  3. Identify a more effective way to catalog, support, and protect priority infrastructure.
  4. Develop functional information-sharing capacity across all sectors.
  5. Organize public-private collaboration to mitigate systemic and cross-sector risk.
  6. Ensure effective emergency response.

FUTURE CYBER POLICIES

There are many moving parts in reading cyber policy over the years. There are also new policies and guidance recently released on topics ranging from quantum technologies to artificial intelligence, which will greatly impact future cyber policies.

Add in government policies, procedures and mandates on topics like FedRAMP, which are full of cybersecurity guidance, as well as DoD cybersecurity policies, OMB policies, NIST cyber policy guidance and more, and this entire topic seems to become alphabet soup to most readers.

For states, improved cloud security often comes with StateRAMP guidance, which many state executive branches are adopting as procurement policies.

Nevertheless, cyber policy at the federal, state and local levels remains a work in progress and will continue to evolve, albeit a bit slower than our technology changes.

And therein is one of our top challenges: How can we keep up with the breakneck pace of technology and cybersecurity change?

The truth is we cannot, but it is nice that there is (generally) bipartisan support for cyber policy. Let’s hope that this trend continues.