US Still Lacks Federal Cyber Strategy After Decades of Attempts

Despite starts and stops dating back to the early 1990s and frequent references to a national strategy, U.S. cybersecurity remains in jeopardy from the lack of a comprehensive plan that includes accountability to specific outcomes, according to a leading official from the Government Accountability Office.

“The reality is that every administration, honestly since the Clinton administration, has applied effort and priority to trying to coalesce some sort of national strategy—maybe it's in different shapes and forms, may be in several documents or one—but no one has gotten all the way there and we definitely have not gotten to the point of actually executing a strategy,” said Nick Marinos, a director of information technology and cybersecurity at GAO.

Marinos was participating in a Dec. 9 event Government Executive hosted on the discipline of enterprise risk management, something federal agencies are required to practice in the development of their individual priorities. Agencies’ risk management activities are guided by technical guidance from the National Institute of Standards and Technology, but Marinos said they should also have a big-picture reference to who’s responsible for what outside of their own operations. 

“Obviously, the scope of [a national strategy] is enormous compared to what a federal agency may have to do to ensure that they can continue their specific mission activities,” Marinos said. “But that also is the reason why it's so critical because it's what each agency ought to be looking at to sort of get its initial instructions when it comes to cybersecurity and what they should be focused on.”

Previous attempts to execute a national strategy have also sought to address the responsibilities of the private sector, which controls the vast majority of U.S. critical infrastructure.Marinos said those lacked crucial checks on the backend. 

“The Trump administration, they did have a national cyber strategy,” he said. “It had an implementation plan that laid out almost 200 specific activities, who was responsible for what and so there were some good bones to it. But when we went in and looked at these documents, we found a lot of the things that we end up seeing when we go to the agency level on cyber risk, which was a lack of clarity on who's ultimately responsible for checking up on whether we were actually fulfilling these activities.”

Marinos noted the emergence this year of the Office of the National Cyber Director as a positive development toward fixing that. And in October, National Cyber Director Chris Inglis released a statement of “strategic intent.” But Marinos said the administration is still missing essential elements for executing an effective plan: goals and outcomes.  

“How do we actually measure progress on things that have such a significant importance to ensuring our nation is protected from cyber threats?” he said. “The national cyber director and their office is ultimately responsible for things like developing that national strategy with the entire federal community and following up to make sure that it's implemented, but we're still waiting for those documents to actually come out and then to see a process for them to actually implement it.”

In contrast to the state of affairs in the U.S., the United Kingdom this month updated a national cyber strategy the government rolled out in 2018. The update took stock of progress from the plan, and notes the government’s intention of doubling down on a regulatory approach that features financial penalties for failure to implement appropriate cyber defenses and report cybersecurity incidents.  

“New regulation has had a positive impact on cyber security, with 82% of organisations saying the improvements they had made were influenced by the introduction of the UK General Data Protection Regulation in 2018,” reads the updated cyber strategy released by the UK’s National Cyber Security Center. “The introduction of the Network and Information Systems Regulations in 2018 also led to designated organisations taking measures to better ensure the security of their networks and information systems, leading to a reduction in the cyber risks posed to essential services and important digital services.”

CISA Director Jen Easterly has consulted closely with Lindy Cameron, her counterpart who leads the UK NCSC, and tweeted that she was excited to read the new plan.

Easterly has also favored the use of fines to enforce private-sector incident reporting. 

But there’s another crucial element to implementing a national plan—the support of a cooperative legislative body. Even after fines were removed from bipartisan incident reporting legislation, Congress was not able to get the bill past the finish line.