The White House’s National Cybersecurity Strategy is primarily written for and designed to guide federal government officials. Yet the latest release of the strategy is remarkable for the commitments it makes to the private sector on a range of cybersecurity issues. Most significant, the President invited the private sector to join the federal government to address cybersecurity challenges not as a participant, but as a partner.
“This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace,” the strategy says.
Private sector organizations must seize the President’s invitation, individually and through trade organizations, and do so quickly. There will be limited seats at the table, and many in the federal government will need time, understanding and trust to accept private sector officials as partners in their work.
The President expects private sector participation on issues running from the legal and regulatory to the operational and strategic. The topics include:
Protecting networks and systems, prioritizing those associated with critical infrastructure.
Criminal and national security investigations.
New liability regimes for vendors responsible for software vulnerabilities.
Improving insurance products.
Preparation for post-quantum threats.
Countering autocratic governments’ efforts to control information technology.
The private sector should prioritize several of these topics. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is gathering feedback on incident reporting requirements. Private organizations must inform reporting regulation development because of their experience evaluating breach impacts on large, medium and small enterprises from a wide range of fields. They must also consider the resources an organization will likely have available to respond to an incident, as well as compile required reports, and the likelihood that accurate and worthwhile information can be gathered within required timeframes. Without private sector input, there is a greater probability that related regulations will drive resources toward incident reporting at the expense of response and recovery.
The private sector will need to inform federal officials regarding how the government can assist organizations during an ongoing incident most effectively, the balance between enabling software innovation and accounting for vulnerabilities, the possibility of an insurance backstop for major cyber incidents, and workforce development.
These topics involve a broad range of federal organizations, many of which need access to a greater depth of cybersecurity expertise than they possess, and all of which need to incorporate private sector cybersecurity perspectives. While the White House called for private sector participation in implementing the strategy, private sector integration at subordinate levels may face pushback. Most federal officials have not engaged the private sector on the type of work called for in the strategy, especially as a partner, and many officials have been subject to ethical rules and expectations that discouraged or prohibited private sector engagement. Government and private personnel will need to make cultural adjustments to nurture the trust and understanding needed to navigate critical issues together.
Multiple federal departments and agencies have cybersecurity responsibilities, and the private sector will need to engage many of them. Taking as an example a social media company that wishes to participate in the strategy’s implementation, it is feasible that the company may have interests in regulatory development, criminal and foreign intelligence investigations, incident response, liability regimes for software vulnerabilities, workforce development efforts, and countering malign foreign control over information technology. The federal organizations these issues involve include the Securities and Exchange Commission, Federal Trade Commission, FBI, National Security Agency, DHS/CISA, and the departments of Justice, Defense, Commerce, Labor and State.
The private sector’s expertise is also essential to inform government organizations that do not have adequate expertise in house. Those with requisite expertise nevertheless need private sector participation because the vast majority of infrastructure on which information technology runs is in private hands. As a matter of operational concern, too much of U.S. cyberspace is controlled by the private sector for the government to protect it alone. As a matter of administrative, regulatory and legal concerns, relying on the private sector’s experience and understanding is essential to creating the rules, expectations and culture necessary to make U.S. cyberspace safe without damaging its economic, social and political utility.
There is no RSVP information in the National Cybersecurity Strategy, no point of contact designated, no email address to correspond with or number to call. The White House’s invitation must be pursued proactively and persistently if it is to be taken advantage of. Private sector organizations must find entry points with appropriate agencies to influence cybersecurity developments. This will be challenging, especially for organizations that do not have former federal employees on their teams. Communicating with federal officials is an acquired skill that depends on understanding government processes and institutional equities.
The White House’s unprecedented offer to involve the private sector in federal government cybersecurity responsibilities aligns with the nature of cyberspace. The domain is essential to supporting the American way of life, most of which is a product of individual freedom and private effort, not government direction. Before federal officials do the heavy lifting demanded by the National Cybersecurity Strategy, private sector leaders should engage federal departments and agencies that align to their equities, take seats at the table that the President offered, and provide the insights and expertise only they can. A private entity failing to take advantage of the opportunity faces the possibility of seismic changes affecting cybersecurity, business operations and investments without having its voice heard.
Kurt Sanger is an attorney and an expert in national security and cybersecurity. He is also the Strategic Advisor for Imperium Global Advisors. He recently retired from the U.S. Marine Corps, having spent his last eight years with U.S. Cyber Command in several legal and policy positions, most recently as Deputy Staff Judge Advocate (Deputy General Counsel).