Following the President’s invitation to the private sector to collaborate with the federal government on the National Cybersecurity Strategy’s execution, the White House released the National Cybersecurity Strategy Implementation Plan (NCSIP). The strategy did not include a way to “RSVP” to the President’s invitation, nor does the NCSIP. The absence of specified lines of communication for the private sector to follow provides an open forum for organizations to maximize initial engagement with the federal government.
To take full advantage of the strategy’s opportunities, the private sector must aggressively pursue engagement. Below are three recommendations for private sector representatives (and the federal officials directed to work with them) to consider as they develop collaborative relationships and put the NCSIP’s initiatives in motion. Keeping a mindset of collaboration is essential; not only will collaboration benefit private organizations, but it will also improve U.S. national security and international stability.
Default to private sector participation
The National Cybersecurity Strategy of 2018 acknowledged the role of the private sector and the federal government’s need to work with industry to secure information technology. The March 2023 strategy took significant, detailed steps forward in elevating the private sector’s role. The newer strategy refers to the private sector’s involvement throughout, stressing partnership on the most critical cybersecurity issues, many of which were previously reserved for the government’s action alone.
Strategic objective 2.2’s discussion of the potential for government and private sector operational collaboration is particularly remarkable. Such collaboration goes beyond information sharing and will involve types of cooperation, trust and understanding that will be unprecedented for most non-government organizations. Strategic objective 2.2 tacitly acknowledges that there are capabilities the private sector can bring to cyber competition that the government cannot.
However, there are other strategic objectives that do not mention the private sector, but probably should. Strategic objective 1.4, ‘Update Federal Incident Response Plans and Processes,’ for example, provides little discussion of the private sector’s role in implementing this component of the strategy. Ironically, cyber is a digital-first domain whose products and services come from the most customer-centric development processes in the world. While developing federal responses is, of course, a federal government responsibility, the nature of the cyber domain counsels in favor of expertise at scale (the private sector) informing the service provider (government) on how best to respond to potential incidents that will involve customers (taxpayers). A minor example: Incident plans should include alternative methods for key government and private sector personnel to contact each other in the event that one form of communication is unavailable, and should leverage secure virtual and collaborative spaces that solve the “place problem” of bringing people together across sectors, geographies, time zones and levels of classification. It has been my experience that adversaries rarely strike conveniently during working hours.
The default for the strategy’s implementation should be set to include the private sector in establishing every strategic objective possible and to move beyond the expectation of blind incident response and information sharing. Federal officials should seek participation and input proactively, even for those objectives in which private sector equities and potential contributions are unclear. Not every equity or capability is well known by the government, nor are the circumstances under which the private sector can contribute knowledge or resources.
Empower sector risk management agencies
The strategy’s success depends in large part on the performance of sector risk management agencies (SRMAs), federal departments and agencies aligned to organizations responsible for critical infrastructure. Their alignment to critical infrastructure owners and operators is based on familiarity with the sector, not cybersecurity expertise. As discussed in the strategy, “SRMAs have day-to-day responsibility and sector-specific expertise to improve security and resilience within their sectors. In turn, SRMAs support individual owners and operators in their respective sectors who are responsible for protecting the systems and assets they operate.”
This framework may be optimal, but it will be of little impact if SRMAs are not given the proper capabilities, resources and authorities to carry out their responsibilities. SRMAs include federal organizations that have national responsibilities for cybersecurity, such as the Departments of Defense and Homeland Security, and those that do not, such as the Department of Health and Human Services and the Environmental Protection Agency. With hundreds of thousands of U.S. cybersecurity jobs unfilled, it is a challenge for even the most well-resourced departments to find and keep qualified cybersecurity experts in government positions, especially given the rewards the private sector offers to qualified employment prospects. Between budget constraints, the expertise gap, and the difficulty of modifying executive branch authorities through legislation, enabling SRMAs to execute strategic objectives will likely be implementation’s greatest challenge. The federal government should invite the private sector to participate in SRMA process building to ensure mutual understanding of how all organizations will carry out cybersecurity activities during day-to-day and crisis situations.
The work SRMAs have ahead of them is substantial, particularly for those for which cybersecurity is not a primary mission. Most critically, each SRMA should be tasked to author its own implementation plan. Each plan should be shaped by that SRMA’s capacity to carry out its responsibilities. Shortfalls in capacity must be communicated to the White House and Congress. Identifying authority shortfalls is especially important as the Supreme Court plans to reexamine long-standing, foundational regulatory powers next term.
Assign appropriate roles for implementation actions
While authoritarian regimes would disagree, in democracies, the power of citizens relative to that of their governments is significantly increased by information technology. This shifting balance of power should not be seen as a threat to democratic governments; rather, governments should use this dynamic to their advantage and acknowledge when the private sector should lead on actions and issues.
Pillar three of the strategy focuses on market forces and their cybersecurity impact. Market participants have demonstrated to date that they alone cannot achieve the security necessary to preserve U.S. cyber interests. However, participants should be given the opportunity to lead on issues that primarily impact them. Exploring a federal cyber insurance backstop, developing software bills of materials, and establishing legal accountability for insecure software should be handed initially to the private sector to develop solutions – with a firm reminder that if the private sector doesn’t get it right, government officials will take the reins.
The federal government will always be a regulator, lawmaker, law enforcer, and protector of the nation. However, in the cybersecurity arena, government sometimes needs to play a more important, though more difficult, part: acknowledging that it may not have all the answers and must assemble teammates from the private sector. The federal government must understand that it is, for certain purposes, merely a peer to other network owners facing similar threats, vulnerabilities and fears. Often it will be better for government to take a backseat in areas in which it normally directs efforts and yield to subject matter experts from technology and business.
Kurt Sanger is strategic advisor for Imperium Global Advisors.