The Biden Administration released the new US National Cybersecurity Strategy last week (fact sheet and full document). I’m still puzzled on the timing, weeks after Chris Inglis leaves as National Cyber Director, and with no replacement announced (Kemba Walden is acting NCD). Maybe it doesn’t matter because there was little shift in executive branch action in this strategy. Most of the headline grabbing changes, such as changing software vendor liability and calls for new regulation beyond what is underway, would require congressional action. Something that is almost never swift.

These types of strategy documents are worth putting out and updating, perhaps once per administration. It probably should have come out sometime in the first year of the administration, but still worthwhile at this time.

The Big Miss

Resilient and it’s derivatives appears 8 times in the short fact sheet and 68 times in the 35-page strategy document. Despite this wise focus on resilience, there are no objectives or approaches or actions suggested related to the critical infrastructure being able to function at some minimal required level in some time period after a cyber incident.

Big miss, huge miss. And surprising given that the Department of Energy’s Cyber-Informed Engineering leans heavily on this and INL’s CCE is raising awareness on consequence reduction. (as is my Security Truths and Consequences Keynote).

The Fact Sheet has a prominently placed bullet:

Resilient, where cyber incidents and errors have little widespread or lasting impact;

Acting NCD Walden tees it up well in a speech at CSIS:

Resilience meaning that when defenses fail, which they sometimes will, the consequences are not catastrophic and recovery is seamless and swift. Cyber incidents shouldn’t have systemic, real world impacts.

And then nothing in the strategy to address an attack that succeeds, “which they sometimes will”, not having an unacceptable consequence? Baffling. How can this be one of the three main items in the executive summary, and the strategy have no actions related to this?

Given the approaches and detail in the strategy, this document has to be read as eliminating cyber incidents. None of the items listed in the approach talk about the ability to recover, replace or otherwise keep providing the critical infrastructure product or service after a cyber incident (the regulation I would require if I were king).

The “resilience” approach items in the fact sheet are minimum cybersecurity requirements, reducing vulnerabilities, more R&D on future cybersecurity controls, and a diverse and robust cyber workforce. All efforts to reduce the number and scope of incidents. Sure let’s do this, but even the US Government acknowledges we will not stop all attacks on critical infrastructure if we implement this strategy.

Is the government’s answer to Colonial Pipeline more security controls? Perhaps, although they already had two-factor authentication as a security control and simply were not perfect.

The real question though is what would have happened if the ICS that monitored and controlled Colonial’s pipelines was down for 2 weeks or 2 months or 1 year. How would we have delivered gasoline and jet fuel if that ICS was not available, or needed to be completely rebuilt? I’ve been hoping the government is focused on that. Since it is nowhere in the strategy it appears they are not. It’s not easy facing these terrible possible situations, and saying they are a potential reality that we have to plan for and be prepared to live through.

One big part of the National Cyber Strategy should be the ability to continue on in the event a cyber attack succeeds. It’s difficult for any one company or even an industry consortium to do because it is more than a business risk, it is a societal risk. I thought the USG had realized this based on the CIE, CCE and recent experience.

This is only the fact sheet, perhaps there is more on this missing piece in the full document. Before going there, not having it in the fact sheet alone is a huge miss. This is what the administration views as the most important items; what will get the most attention by the people and government. It would have been top priority on my list and in fact the quoted bullet, one of three emphasized, would lead one to believe this is the administration’s view. So why do the highlighted approaches not address this?

While resilience is mentioned throughout the Strategy document, the most applicable area to put the requirement to recover or otherwise continue to provide the critical infrastructure product or service is Pillar 4: Invest In A Resilient Future. The only area in the whole document that vaguely addresses consequence reduction is Strategic Objective 4.4: Secure Our Clean Energy Future. It mentions Cyber-Informed Engineering as a way to “build in cybersecurity proactively”. Again the focus and belief that we can reduce the likelihood to zero or even near zero, rather than being able to live in a world where a cyber incident has happened.

Too Late

One of the problems with these wide ranging strategic documents is it is politically difficult to say we made a big mistake. I’m under no illusion that the Strategy document will be updated for years. Hopefully the prominent Resilient bullet in the fact sheet will allow the US Government to pursue a major program that is not in the strategy. My Magic 8 Ball’s answer: my sources say no.