The White House released the 2023 National Cybersecurity Strategy almost 20 years to the month after the George W. Bush administration released its National Strategy to Secure Cyberspace in 2003. MeriTalk sat down with Simon Szykman, senior vice president for client growth at Maximus and a contributor to the 2003 strategy, to discuss the similarities and differences between the strategies and assess the work that still needs to be done to strengthen our nation’s cybersecurity.
MeriTalk: Since the 2003 National Cybersecurity Strategy was issued, other policies and strategies were released under both the Obama and Trump administrations. What prompted the White House to choose this moment to issue the new National Cybersecurity Strategy?
Szykman: This new National Cybersecurity Strategy was issued almost 20 years to the month after the strategy issued under George W. Bush, and since that time, the cybersecurity landscape has changed dramatically. The 2003 strategy was very hands-off in terms of legislation and regulation. It took a free market approach to cybersecurity improvements. Since that time, the executive branch (under this administration as well as prior ones) has gotten much more involved by issuing cybersecurity guidelines and policies, including the 2021 Executive Order on Improving the Nation’s Cybersecurity.
Those things pushed Federal agencies to focus on agency-level cybersecurity policies and strategies. I believe that much of the infrastructure is in place for the executive branch to continue pressing forward on securing the government’s information technology, but also that the administration felt it was time to articulate a vision for what can be done outside of the executive branch to improve cybersecurity. The new National Cybersecurity Strategy involves much more interaction and stakeholder collaboration with both the legislative branch and the private sector to drive the next level of improvements in the nation’s cybersecurity posture.
MeriTalk: What are some of the key improvements across the cybersecurity landscape following the release of the 2003 strategy?
Szykman: We have seen tremendous progress in a variety of areas. One is the security of government systems, which has been driven by the evolution of the Federal IT security risk management framework and other related guidance issued by NIST, revisions to FISMA, and the establishment of the FITARA Scorecard. Cross-agency priority goals, or CAP goals, which are part of OMB’s performance management framework, are also driving cybersecurity improvements. Then there are the advances in technology over the past 20 years, which have enabled agencies to improve their cybersecurity posture.
The first cybersecurity strategy was issued not long after 9/11, and at the time, the relatively new Department of Homeland Security was focused on strengthening all aspects of security – not just cybersecurity – for the critical infrastructure sectors. Historically, the critical infrastructure domains were places where cybersecurity was lagging. So cybersecurity for some of the critical infrastructure sectors is another area where we have seen quite a bit of improvement since 2003, though more work remains to be done.
MeriTalk: Where did the 2003 strategy fall short of expected outcomes? What were barriers that impeded progress in those areas?
Szykman: We can infer where the 2003 strategy may have fallen short by looking both at the similarities and the differences in the two strategies. As an example, both strategies call for international cooperation and collaboration on cyberspace. It was a priority 20 years ago, and it remains a priority today. While there has been significant progress in this area over 20 years, the fact that it’s a major focus of the new strategy indicates that outcomes in this area may have fallen short, or that more progress has yet to be made.
One of the barriers to progress is that as much as cybersecurity technology has improved, the capabilities of hostile adversaries – from the routine hacker to nation-state threats – have improved as well. It’s easy to get stuck in a reactive mode, which makes it hard to make advancements in cybersecurity that leapfrog the capabilities of malicious actors. Keeping up with adversaries remains an ongoing challenge.
MeriTalk: Were there lessons learned following the release of the 2003 strategy that are reflected in the 2023 strategy?
Szykman: Yes, definitely – especially around the fundamental question of whether there is a need for stronger government involvement in driving improvements to cybersecurity. The 2003 strategy was pretty explicit in taking a hands-off approach with respect to legislation and regulation, and letting the free markets – the technology industry – drive cybersecurity improvements for our nation. The 2023 strategy makes it clear that this administration believes that strategy was not successful. The cost of improving security is borne by one set of stakeholders, the cost of dealing with inadequate security is borne by a different set of stakeholders, and there is an imbalance between those costs. The strategy argues that businesses and citizens are carrying too much of the burden of that imbalance, and IT vendors are paying too little. The 2023 strategy proposes a much more hands-on approach to drive security improvements through regulation and legislation.
MeriTalk: We talked about similarities in the two strategies – especially the call for international collaboration to thwart cybercrime. How vital is the role of the international community to the success of the latest strategy?
Szykman: Because a significant proportion of cybercrime crosses international boundaries, international cooperation is essential to stopping cybercrime. The approach to international support is different today than in 2003 because both international engagement and cybercrime have evolved over two decades. First, while there were clear statements in the 2003 strategy about driving forward international collaboration through an international convention on cybercrime, the reality is that not every country signed on as a member of that treaty, or others that came later. When a country doesn’t participate in the conversation or adhere to the provisions of international agreements, that creates holes in cybersecurity by limiting our ability to respond to cybercrime and take legal or enforcement actions against overseas criminals. For example, some countries are sources of cyberattacks, cybercrime, and cyber espionage directed against the U.S., but we don’t have the relationships with those countries that would enable us to ensure that those governments are enforcing laws to prevent or respond to cybercrime. International collaborations are only as successful as each government’s level of involvement and commitment.
Second, the nature of the cybersecurity landscape has changed. Twenty years ago, general cybercrime was a concern. Today, ransomware is a new class of cybercrime and a key concern, and so not surprisingly, one of the strategic objectives of the 2023 strategy regarding international collaboration is focused on defeating ransomware. The nature of the threats and the kinds of crime that are enabled by information technology are shaping the kinds of collaborations that take place internationally.
MeriTalk: What elements of the 2023 strategy will have the biggest impact in the short term on national security? How about the long term?
Szykman: This new strategy expresses the administration’s philosophy that both government and industry are responsible and must be held accountable for our nation’s cybersecurity. This includes stronger policies and legislation from government, and a commitment from industry to develop the tools and technologies in partnership with government to secure our nation. But getting there will require buy-in from industry and legislators. In the short term, the administration will presumably engage with the IT community and Congress to help win over the hearts and minds of people to rally behind the strategy’s philosophy. In the long term, meeting the objectives of the strategy will require support from stakeholders and a rebalancing of the risk equation. There is a big question of cybersecurity investment – who’s making those investments and how much it’s going to cost to ensure better security for the future. Without investment, it’s going to be hard to realize the goals of the strategy to improve cybersecurity through better – and more accountable – partnerships.
MeriTalk: Looking at those partnerships, how can industry support government in improving our nation’s cybersecurity?
Szykman: The companies building the technology we use today are truly committed to better security. It’s a balancing act, though, because companies are under pressure to get products to market quickly. The quicker they go to market, the less time they have to invest in ensuring the best possible security for their product. The collaboration between industry and government needs to support establishing frameworks that will strike the right balance between security and time to market. An example of where collaboration is working is the software bill of materials, which is designed to ensure the private sector builds more secure products by using secure components. The government is driving this effort but doing it collaboratively with industry. That collaboration is evolving the business model to bake security into product development so that the technology that is ultimately going to be used by businesses, citizens, and government agencies is more secure out of the box.
MeriTalk: What should agencies be doing right now from a security perspective to help them achieve the spirit of the National Cybersecurity Strategy and other Federal mandates, and how can Maximus help them on their cybersecurity journey?
Szykman: Federal agencies have always had a good understanding of what they could be doing to improve their cybersecurity. It just never happens as quickly as people would like. To accelerate the process, agencies should continue to prioritize cybersecurity goals and – importantly – the funding needed to achieve those outcomes. They also should develop an agency-level cybersecurity strategy – an overarching document that the agency can align its plans, milestones, and execution activities around. Some agencies already have agency-level strategies, but others don’t. Strategy documents always make the path to outcomes faster and more effective.
Maximus offers a full spectrum of capabilities to support Federal agencies with implementation of their cybersecurity strategies, including supporting continuous monitoring, developing zero trust architectures, and building stronger security operations. Maximus is currently focused on the use of automation and machine learning for cybersecurity, and helping agencies make the leap from real-time continuous monitoring to continuous Authority to Operate (cATO). Together, these steps are enabling a transition that drives cybersecurity management from a process of periodic upgrades to one of continuous improvement.