Nations over the years have been hit with the growing challenges that stem from securing cyberspace. Cybersecurity encompasses a range of aspects – governance, policy, operations, technical, and legal.[1] The Internet has essentially become the “backbone” of business, critical infrastructure, social networks, and the global economy. As a result, many nations are looking into launching digital strategies that help stimulate economic growth, promote productivity and efficiency, enhance workforces and provide skills training, and promote good governance.[2] Additionally, nations are looking into securing their technology and critical infrastructure, as rapidly evolving cyber threats leave countries more vulnerable to property damage, data and intellectual property theft, and service disruption.[3]
To make the process of launching a cyber strategy as simple as possible, the International Telecommunication Union (ITU) released the “Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity,” a guide targeted at policymakers, as well as other private and public stakeholders, that outlines the principles and good practices that should be included in the process of developing a National Cybersecurity Strategy.[4] The ITU Guide explains that states must align their national economic visions with their national security priorities – otherwise, countries will not be able to fully achieve the growth and security they are seeking.[5] In September 2018, the Trump Administration released the National Cyber Strategy for the United States as a response intended to prevent and counter attempts by American competitors and adversaries to cause, through cyberspace, significant damage to the economies, allies, and interests of the U.S. and its allies. This paper will assess and grade the U.S.’s National Cyber Strategy using the guidelines of the ITU Guide and will determine whether the United States has created an effective Cyber Strategy based on the recommendations of the ITU.
One key strength of the United States National Cyber Strategy is that it respects and is consistent with fundamental human rights. The ITU Guide writes that any strategy must recognize that the rights of people offline should be equally protected online, and should “respect universally agreed fundamental rights,” with particular attention paid to “freedom of expression, privacy of communications and personal-data protection.”[6] The promotion of Internet freedom is not a new priority for the United States, as it was a critical issue for both the Bush and Obama administrations.[7] This latest National Cyber Strategy outlines the protection and promotion of Internet freedom as a priority action, writing that human rights and fundamental freedoms, including freedoms of expression, association, religion, and privacy rights online, should be respected regardless of frontiers or medium.[8] The United States’ Strategy also outlines that Internet freedom, by extension, supports the free flow of information that enhances international trade, fosters innovation, and strengthens national and international security.[9] The Strategy also advocates working with like-minded countries, industry, academia, and civil society to advance human rights and Internet freedom globally, and to counter authoritarian efforts to suppress these rights.[10] Additionally, the Strategy states that the United States will actively engage with multilateral and international organizations, including the United Nations, the Internet Governance Forum, and the ITU, to “defend the open, interoperable nature of the Internet.”[11]
Another strength of the National Cyber Strategy of the United States is that it promotes the development of a superior cybersecurity workforce through skills development and workforce training. The ITU Guide outlines that any national strategy needs to address the development of cybersecurity training and skills-development schemes in the public and private sectors alike, through efforts such as executive and operational training, technical training, and certification of security professionals based on the government’s needs.[12] The ITU Guide also suggests fostering initiatives aimed at developing cybersecurity career paths for workers in the public sector, and incentives to increase the supply of qualified cybersecurity professionals.[13]
The United States National Cyber Strategy outlines four priority actions within this pillar:
- Building and sustaining the talent pipeline: This action details the United States investing in and enhancing programs that build the domestic talent pipeline, as well as merit-based immigration reforms to ensure that the United States has a competitive cybersecurity and technology workforce.
- Expanding reskilling and educational opportunities for America’s workforce: This section proposes cooperation between the Administration and Congress to promote and reinvigorate educational and training opportunities related to cybersecurity. The Strategy outlines expanding Federal recruitment, training, and re-skilling of workers from other backgrounds.
- Enhancing the federal cybersecurity workforce: This section states that the Administration will continue utilizing the already-existing National Initiative for Cybersecurity Education (NICE) Framework to allow for a standardized approach to identifying, hiring, developing, and retaining the cybersecurity workforce.
- Using executive authority to highlight and reward talent: This section outlines that the Federal government will leverage public-private collaboration to circulate the NICE Framework across several industries, while also implementing actions to prepare, grow, and sustain America’s cybersecurity workforce over time.[14]
Another strength of the National Cyber Strategy of the United States is that it encourages inter-sectoral cooperation. The ITU Guide outlines that identifying a network of contact points across various industries (including the private sector and other national stakeholders) is essential for the operation and recovery of critical services and infrastructure.[15] The National Cyber Strategy of the United States proposes utilizing a risk-management approach, in partnership with the private sector, to mitigate vulnerabilities and raise the base level of cybersecurity across critical infrastructure.[16] The Strategy also proposes that the federal government collaborate with the private sector, academia, and civil society to identify, counter, and prevent foreign influence operators from using digital platforms for malign purposes.[17]
Despite its strengths, however, the National Cyber Strategy of the United States has some significant flaws. One of the biggest criticisms of United States’ Strategy is that it fails to identify a lead project authority to oversee the development and execution of the Strategy. The ITU Guide stresses that any national cybersecurity strategy should be “…coordinated by a single, competent authority…[appointing] an either pre-existing or newly created public entity, such as a ministry, agency, or a department, to lead the development of the Strategy.”[18] The ITU Guide writes that this “Lead Project Authority” is a critical asset in several areas of a National Cybersecurity Strategy, including engaging with key stakeholders from the public and private sectors and civil society, labeling potential gaps in policy and options for addressing them, identifying specific initiatives within focus areas that will help meet the objectives of the Strategy, specifying which government agencies are responsible and accountable for each initiative, and securing the human and financial resources necessary for different projects and initiatives.[19]
Microsoft’s “Building an Effective National Cybersecurity Agency” reflects a similar sentiment, stating that a single agency that is solely dedicated to managing cybersecurity at the national level is the most effective way to manage the security of civilian agencies, critical infrastructure, and national-level incident response.[20] Microsoft’s guide explains further: “Governments have limited time, expertise and resources to deal with the range of threats they face. Bringing core national level functions for coordination, standards setting, incident response, partnership and international outreach into one agency will allow governments to prioritize their limited resources.”[21]
Since cybersecurity concerns cut across several policy and regulatory branches, including justice, treasury, defense, and foreign affairs, having a single cybersecurity agency that supports other relevant agencies in these branches can help improve the effectiveness of a government-wide cybersecurity strategy.
As the United States’ National Cyber Strategy is outlined, there is no single overarching agency or department that is dedicated solely to cybersecurity. Instead, the Administration appears to take the lead on facilitating and/or overseeing some of the initiatives outlined in the Strategy while delegating other initiatives to various departments and/or agencies, as well as the private sector and civil society. This means each department, agency, private sector organization, or civil society actor is making its own decisions and taking its own approach to the implementation of the Strategy. According to Microsoft, this fragmented approach to structuring a cyber strategy “will inevitably create weaknesses that attackers can exploit.”[22]
Another criticism of the National Cyber Strategy of the United States that directly stems from the lack of a lead project authority is that in terms of intra-governmental cooperation, the Strategy does not clearly outline which department or agency will take the lead on priority areas and initiatives. The ITU Guide writes that, “Intra-governmental commitment, coordination and cooperation are core functions of those governmental institutions, needed to ensure that the governance mechanisms…and resources yield the desired outcomes of the Strategy.”[23] Additionally, effective communication and coordination between government agencies ensures that the agencies are aware of each other’s authorities, missions, and tasks.[24]
On the surface level, the Strategy does encourage intra-governmental cooperation. For example, one of the Strategy’s ideas to secure federal networks and information is improving federal supply chain risk management. As this idea outlines, the Trump Administration will integrate supply chain risk management into agency procurement and risk management processes by ensuring better information sharing among departments and agencies to improve awareness of supply chain threats and reduce duplicative supply chain services.[25] Another priority action the Strategy outlines is refining the roles, responsibilities, and expectations of the various Federal agencies and departments related to issues of cybersecurity risk management and incident response.[26] This clarity, the Strategy writes, “…will enable proactive risk management that comprehensively addresses threats, vulnerabilities, and consequences…[and] will also identify and bridge existing gaps in responsibilities and coordination among Federal and non-Federal incident response efforts and promote more routine training, exercises, and coordination.”[27]
However, upon closer inspection, it becomes noticeable that the Strategy does not explicitly go into detail on which departments and agencies will take the lead on particular assignments. For example, in the section that calls for improving federal supply chain risk management, one suggestion the U.S. Strategy outlines is creating a supply chain risk assessment shared service, which would include addressing deficiencies in the Federal acquisition system. This section mentions that the Administration will integrate this management into “agency procurement,” but it does not specify which agency would be in charge of creating and running this shared service.[28] Another section that lacks clarification is the section on combating cybercrime and improving incident reporting. The Strategy outlines that the Trump Administration will ensure that Federal departments and agencies have the “necessary legal authority and resources to combat transnational cybercriminal activity;” however, this provides little insight into which departments and agencies will have that legal authority, nor does it specify which department or agency will combat which particular transnational cybercrime.[29] This lack of specificity can be damaging in the event of a transnational cybercrime, because confusion over which Federal department or agency has authority over which issue could lead to political infighting and a blame game over which department, agency, or actor is responsible for defending the nation from a particular attack or repairing the damage in its aftermath.
Another serious criticism of the National Cyber Strategy of the United States is the absence of outlined funding mechanisms for the projects the Federal Government proposes. The ITU Guide outlines several stages of the cybersecurity strategy development process where outlining funding requirements and mechanisms is particularly important. When planning the development of the strategy, identifying the human and financial resources is necessary to determine the sustainability and survivability of the strategy. Whether the money comes from reallocated dedicated funding streams in existing budgets or through new funding from third parties (e.g. international organizations), it is important for a cyber strategy to outline these mechanisms – without monetary funds, the strategy will collapse.[30] Additionally, the ITU Guide outlines that identifying and securing long-term funding for the full lifecycle of the national cybersecurity strategy is particularly important throughout the development, implementation, and refinement stages of the planning process.[31] As the Guide explains, “Sufficient, consistent, and continuous funding provides the foundations for an effective national cybersecurity posture.”[32] Additionally, budget allocation should match the level of ambition and complexity of the outlined project.[33]
While the National Cyber Strategy of the United States does briefly mention that the National Security Council staff will coordinate with departments, agencies, and the Office of Management and Budget (OMB) to create an appropriate resource allocation plan, this step should have been taken during the initial stages of mapping out the Strategy before its release, as many of the projects outlined in the National Cyber Strategy of the United States are likely to be costly.[34] For example, one section of the Strategy highlights a critical need to improve transportation and maritime cybersecurity, as the United States’ current infrastructure is vulnerable to cyber exploitation. The Federal Government proposes “…[accelerating] the development of next-generation cyber-resilient maritime infrastructure.”[35] This section does not specify how much this new maritime infrastructure will cost. Not knowing the costs of a project and what financial resources it requires could lead to resource mismanagement, as well as increase the potential for wasteful spending.
Another criticism of the National Cyber Strategy of the United States is that it says little about the metrics or indicators that could keep the federal government accountable for what is outlined in the Strategy. The ITU Guide states that any National Cybersecurity Strategy must identify the metrics that will be used to ensure that desired outcomes are achieved within set budgets and timelines.[36] These key performance indicators or metrics should be:
- Specific – target a specific area for improvement
- Measurable – quantify or at least suggest an indicator of progress
- Achievable – state what results can realistically be achieved, given available resources
- Responsible – specify who will do it
- Time-related – specify when results can be achieved.[37]
Establishing a set of baseline metrics “…will enable better monitoring of actions and highlight areas of potential improvement.”[38] Additionally, these metrics can help the government evaluate the efficiency and effectiveness of the initiatives within the strategy both during and following their completion.[39]
Within these metrics, outlining a timeline is particularly important. The National Cyber Strategy of the United States fails to outline any sort of timeline for either the objectives or the implementation of the Strategy. Having a set timeline for any National Cybersecurity Strategy is critical in the initiation, production, implementation, and monitoring and evaluation phases of producing a strategy. Having a timeframe for adoption is critical for planning the development of the strategy, as it specifies how and when relevant stakeholders will be expected to participate and provide feedback to the development process. Having a set timeframe also provides the government with a plan for when set objectives should be accomplished, and can help relevant actors prioritize these objectives in terms of impact on society, the economy, and infrastructure.[40] Furthermore, a timeline will drive the allocation of the resources required to support these activities and incentivize implementation efforts, as it will tell relevant actors which actions or projects need to be prioritized in terms of short-term and long-term criticality. As a result, this can help relevant actors ensure that limited resources are appropriately leveraged.[41]
Having a set timeline is also useful for evaluating the outcomes of the strategy. As mentioned above, the cybersecurity landscape is constantly changing. Broader risk evaluation will need to occur regularly to understand whether there are any external events or policies that may affect the overall outcomes of the Strategy. Having a set timeline can help the federal government reassess and reorganize priorities and objectives when necessary. Additionally, setting a timeline in the initiation phase will help in this review, as it will help the federal government keep track of the Strategy’s projects and whether their goals are being met. In the event that a certain project is not expected to meet its timeframe for completion, the federal government can more easily assess why the project will not be completed in its projected time slot, whether because it does not have adequate resources or because an external event has prevented the project from being completed in time. This will help keep the federal government accountable for its goals.
On the surface level, the National Cyber Strategy of the United States has high expectations that appear to cover a broad range of issues, including securing federal networks and information, investing in next-generation infrastructure, and deterring malign actors in cyberspace. The Strategy does have some standout ideas – it is firm in its demand for respect for human rights and Internet freedom, provides a wide range of ideas for investing in and promoting a strong cybersecurity workforce, and encourages cooperation across various sectors, including the private sector, academia, and civil society. However, as outlined above, there are a few glaring errors in the National Cyber Strategy. The lack of a leading authority, the lack of clarification over which department or agency has control over which projects and goals, the absence of any funding mechanism or resource allocation, and the failure to identify any set of metrics or timeline to evaluate the Strategy’s success are all serious concerns. Given all of these errors, the National Cyber Strategy of the United States deserves a grade of C- – the Strategy just barely passes because it is ambitious in its goals and does a decent job of setting the surface level for what is necessary for an effective cyber strategy; however, the lack of specificity and detail could end up being a significant hindrance to the success of the National Cyber Strategy overall.
Works Cited
Building an Effective National Cybersecurity Agency. Microsoft, 2017.
Grigsby, Alex. “The White House National Cyber Strategy: Continuity with a Hint of Hyperbole.” Council on Foreign Relations, October 8, 2018.
Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity. Geneva, Switzerland: International Telecommunication Union (ITU), 2018.
National Cyber Strategy of the United States of America. 2018. 1-26.
[1] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity. Geneva, Switzerland: International Telecommunication Union (ITU), 2018.
[2] Ibid., 12.
[3] Ibid., 12.
[4] Ibid., 8.
[5] Ibid., 12.
[6] Ibid., 32.
[7] Grigsby, Alex. “The White House National Cyber Strategy: Continuity with a Hint of Hyperbole.” Council on Foreign Relations, October 8, 2018, n.p.
[8] National Cyber Strategy of the United States of America. 2018, 24.
[9] Ibid., 26.
[10] Ibid., 26.
[11] Ibid., 25.
[12] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 32.
[13] Ibid., 45.
[14] National Cyber Strategy of the United States of America, 17.
[15] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 37.
[16] National Cyber Strategy of the United States of America, 8.
[17] Ibid., 21.
[18] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 17.
[19] Ibid., 22-25.
[20] Building an Effective National Cybersecurity Agency. Microsoft, 2017, 10.
[21] Ibid., 10.
[22] Building an Effective National Cybersecurity Agency. Microsoft, 10.
[23] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 37.
[24] Ibid., 37.
[25] National Cyber Strategy of the United States of America, 7.
[26] Ibid., 8.
[27] Ibid., 8.
[28] Ibid., 7.
[29] Ibid., 19.
[30] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 19.
[31] Ibid., 19.
[32] Ibid., 38.
[33] Ibid., 26.
[34] National Cyber Strategy of the United States of America, 3.
[35] Ibid., 10.
[36] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 14.
[37] Ibid., 26.
[38] Ibid., 26.
[39] Ibid., 25.
[40] Guide to Developing a National Cybersecurity Strategy: Strategic Engagement in Cybersecurity, 23.
[41] Ibid., 25.