The United States is at an inflection point when it comes to the future of our nation’s cybersecurity.
To harden our defenses, top U.S. cyber officials are providing fresh vision and new national-level strategies: This fall saw the unveiling of the Cybersecurity and Infrastructure Security Agency (CISA)’s first comprehensive strategic plan, followed by the release of the new U.S. National Security Strategy, which emphasizes the need to secure cyberspace.
As we look to the new year, the Office of the National Cyber Director will soon release a National Cybersecurity Strategy, laying the foundation for how our nation responds to cyberattacks. And at the same time, cybersecurity is one of the few areas where we expect to see bipartisan effort this next Congress, led by new cybersecurity champions in the House and Senate.
With this groundwork laid, now is the time to think “big picture” about how we approach our national cyber strategy.
Ensuring future cyber superiority will require us to see the cyber threat landscape in the same way our adversaries see it: as one battlespace. When adversaries devise strategies for digital conflict, they don’t view the federal government, the defense and intelligence communities, public infrastructure, and private industry as separate targets. To our adversaries, this target-rich environment is one connected battlespace.
To defend in one battlespace, the U.S. needs a holistic approach to cybersecurity. No single organization can protect our nation alone. That is why transforming national cyber capabilities will require a unified approach that fosters operational collaboration, best-in-class solutions, and synchronized capabilities.
Fostering operational collaboration
In one battlespace, the public and private sectors are intertwined — and the digital and physical realms converge. Case in point: Colonial Pipeline. What started as a ransomware attack on a privately owned oil pipeline system quickly escalated to national-level concern and widespread disruptions to pipeline operations, fuel supply, and travel. This brought to light a harsh reality: Critical infrastructure is vital to public health and safety, the economy, and national security — yet much of it is run by privately owned companies. That is why public-private partnerships and information sharing are so crucial to securing our infrastructure and ensuring collaboration between government and industry.
Effective information sharing is not always easy, but recent events have shown it’s possible.
Following Colonial Pipeline, a rapid review found the Transportation Security Administration (TSA) had emergency authorities to mandate the transportation sector’s minimum cybersecurity guidelines. The TSA then convened transportation sector executives, provided them with a classified briefing to explain the context behind the threats, and ultimately adjusted their security guidelines based on this back-and-forth.
This is a step in the right direction. In the future, however, it’s important to note private companies may say the government’s information sharing comes too late or is too watered down to be actionable. To achieve operational collaboration, the government must share threat intelligence more quickly. Private companies, in turn, must trust that sharing information with the government will improve our collective cyber defenses, rather than lead to penalties.
Focusing innovation where it’s needed most
Securing one battlespace requires a holistic view of tools, including those used by our adversaries and those at our disposal. It’s important for organizations, regardless of sector, to pay close attention to adversarial tactics, techniques, and procedures to help them stay ahead of threats and harden their critical systems. But that’s only the beginning. We also need government and industry working together to mobilize the national cyber tech and innovation base.
Ultimately, the weak links in our cyber defenses are not due to a lack of investment and innovation; they are due to a lack of collaboration to maximize return on investment.
As a nation, we are pouring billions of dollars’ worth of appropriations and private capital into cybersecurity. But what’s missing is a clear sense of direction for how to proactively focus the nation’s collective cyber defenses to ensure we’re deploying the latest innovations when and where they are needed most.
The U.S. should ensure integration between those on the front lines of our cyber defenses and those on the cutting edge of developing new tools and products. To achieve this, the federal government should make targeted investments in best-in-class innovations, ensure they remain appropriately safeguarded, and deliver the right capabilities at the right time to support critical missions. This should include fostering viable incentive structures that help start-ups, accelerators, and incubator programs plug directly into government research and development efforts — bringing early-stage companies into the national mission at the onset.
Synchronizing offense and defense
In one battlespace, we must view defensive and offensive cyber operations as two sides of the same coin. But all too often, defensive and offensive operational planning and execution functions are isolated, with siloed missions, resources, and capabilities. Defensively, this creates shortfalls in cross-domain protective measures and leaves defenders with limited knowledge of adversaries’ offensive tradecraft. Offensively, the disconnect between mission developers, capability providers, and defenders prevents offensive mission owners from benefiting from data on tactics, techniques, and procedures learned during cyber defense operations.
To outpace our adversaries, Congress should establish clear authorities for the oversight of defensive and offensive cyber collaboration that enable the U.S. to synchronize national defensive and offensive operations with appropriate strategies, operating models, and governance. National-level wargames could help pressure-test the resulting offensive and defensive collaboration. This would support achievement of operational integration that unlocks the full efficiency and effectiveness of U.S. national cyber capabilities.
We’ve reached a crossroads in our nation’s cybersecurity journey. We can choose to view the threat landscape as one battlespace, just like our adversaries, and deploy a unified approach to defend it. We can choose to improve public-private partnerships, foster innovations that support critical missions, and integrate offense and defense. But if we fail to do so, we choose to risk everything. The time to make that choice is now.
Brad Medairy is executive vice president and leader of Booz Allen Hamilton’s national cyber business.