The Biden administration came out with their National Cyber Strategy a few months ago. And as the architect/author of the last one — 2018 — I want to give you, my dear readers and listeners, a quick rundown.
LISTENER’S NOTE: I wrote this the week after the strategy came out back in March, but hadn’t found the time to record it with everything going on with Galvanick. Then a friend told me about Elevenlabs, and a few experiments later, voila. The voice on the podcast isn’t really mine — it is synthesized from my voice. Technology rocks.
What is a National Strategy?
What most people know as “the United States government” isn’t law, but regulations. Regulations are said to “carry the force of law,” but are not made by our lawmakers; they are instead made by civil servants working at Executive Branch Departments and Agencies (Energy, Interior, Agriculture, Defense, Justice, etc.). Civil Servants write and promulgate things called “rules.” H1-B visas? Shaped by regulation. Dealing with a banking liquidity crisis? Regulation. And so on.
What, then, guides regulation?
Law can. Lawmakers can direct the Executive Branch to take steps to achieve certain end-states. But more often than not, it is up to senior executive branch leaders — From the President to members of the Cabinet — to provide guidance that shapes these quasi-laws.
Enter national strategies.
National strategies are documents generated by the White House that are supposed to serve as a sort of “North Star” for Departments and Agencies to use when making and enforcing regulations.
During my time as the Senior Director for Cyber on the National Security Council, I architected many of them, including the 2018 National Cyber Strategy. And in early March, the Biden Administration announced their update to that very document. As a now-dispassionate observer of such things, this post is my review of their work, especially challenges and opportunities.
Before kicking this off, I would be remiss if I didn’t acknowledge that the authors of the document, the new cyber team at the White House, included a passage up front acknowledging the work done by me and my team from 2017-2021, and explicitly identifying that they would be keeping most of it in place, and building upon it. They didn’t call me, email me, or tell me this was coming. I haven’t really talked to anybody involved in national cyber policy for years. But it’s there, and including it was gracious and honorable, given all of the hard work that we did over the years that has begun to stand the test of time — Space Policy Directive 5 (the first-ever policy document to call for encryption of space systems), the National Strategy to Secure 5G, EO 13800, and (later in the document) EO 13984. I certainly have disagreements with this new strategy, but would also return the favor and say that this document is about as good as I would have hoped it to be, taking into account some of the philosophical differences between the two dominant governing philosophies in American politics.
The Big Picture
The new strategy, which you can read here, has file pillars: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals. You can think of these as chapter headings in the document, under which individual lines of effort are nested. I’ll break down each one below.
There are also two “fundamental shifts” in the document: (1) Rebalance responsibility for defending against malicious actors, and (2) Realign incentives for organizations to favor long-term investments in security. These two concepts, taken together, are about changing the overall dynamics in the software industry, and the digital world writ large.
Since the beginning of time, offense and defense have, at different points, each had advantages and disadvantages. These differences actually form core intellectual pillars of various theories of international relations — especially Realism. And what the strategy is articulating is that the Biden Administration is going to attempt to forcibly alter the balance between offense and defense, by changing the financial and legal incentives around security. This isn’t unexpected, but it is ambitious.
Pillar One: Defend Critical Infrastructure
Over the past forty years, vast swathes of the United States have been digitized and electrified. From our industry to infrastructure, homes, cars, and even our selves. With this has come massive, unaccounted cyber risk. The White House is saying that it is time to pay the piper.
STRATEGIC OBJECTIVE 1.1: ESTABLISH CYBERSECURITY REQUIREMENTS TO SUPPORT NATIONAL SECURITY AND PUBLIC SAFETY
Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.
The effort to “Establish cybersecurity regulations to secure critical infrastructure” began over a decade ago, continued under the Trump Administration, and will now continue. The emphasis for this next push are laid out in the section.
First: secure-by-design principals, prioritization of “availability” (likely: able to run when offline), and fail-safe-and-recover architectures. Furthermore, the strategy identifies use of “shared services,” (e.g. cloud services for things like storage and email) which we began to push for the Federal Government back in 2018, as a mechanism by which critical industries and infrastructures can buy down risk. And for those industries, which are becoming more and more central to the security practices of a wide swath of companies, “The Administration will identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress, and regulators to close them.”
Second: “Harmonize and streamline new and existing regulation.” This is a task that the Office of the National Cyber Director might be good at — teams of bureaucrats going line-by-line across tens of agencies’ regulations and harmonizing them. It is unglamorous work, but mercifully important, especially for small businesses in America.
Third: “Enable regulated entities to accord security.” This is very important to accomplishing this strategic goal. Even between the power and water sectors, the purchasing of cybersecurity solutions is often fraught because they are cost centers. While true on a short time horizon, cybersecurity is about buying down catastrophic risk. For highly regulated industries, it can be hard to justify these expenditures. The White House proposes to “Work with Congress to develop regulatory frameworks that take into account the resources necessary to implement them.” Let us hope the solutions they arrive at are judicious, responsible, and effective.
STRATEGIC OBJECTIVE 1.2: SCALE PUBLIC-PRIVATE COLLABORATION
This section is about enabling communication, between DHS’s sub-unit, CISA, and what are called “Senior Risk Management Agencies” (SRMA’s), which are responsible for individual sectors — like how the Department of Transportation is responsible for cybersecurity of oil pipelines, and the private sector.
Accelerating operational collaboration will require the use of technology solutions to share information and coordinate defensive efforts. We must complement human-to-human collaboration efforts with machine-to-machine data sharing and security orchestration.
Chairing my first Policy Coordination Committee meeting in 2017, I made this point to the assembled senior civil servants from over twenty agencies, when asked of my priorities. This new strategy identifies this as a major issue, and so does the company I started back in 2021, to address this challenge. It is important.
STRATEGIC OBJECTIVE 1.3: INTEGRATE FEDERAL CYBERSECURITY CENTERS
Lots of insider stuff here but if it means they can actually compress redundant, perennially-underfunded entities into something much stronger, with sector-specific appendages, that would be great.
STRATEGIC OBJECTIVE 1.4: UPDATE FEDERAL INCIDENT RESPONSE PLANS AND PROCESSES
More insider federal cyber policy here, especially around PPD-41 and national incident response. I recommend those who know what PPD-41 is read the section.
Also in this section: empowering the Cyber Safety Review Board (CSRB). This has been an idea for over a decade, and I quietly voiced support for its creation when the Cyberspace Solarium floated the idea, and was glad to see the Biden Administration finally made a reality with EO 14028.. The nation needs a national entity that can do post-incident assessments, and promulgate lessons learned.
STRATEGIC OBJECTIVE 1.5: MODERNIZE FEDERAL DEFENSES
This section is a continuation of ongoing efforts, but with a new aspect: DHS’s CISA has been given the task to work with OMB to develop the plan to protect the other federal agencies against cyber attacks. While the Bureau of Land Management is not equipped to handle APT 10, for cyber insiders, it also signals the current administration’s willingness to grow CISA’s mission.
Pillar Two: Disrupt and Dismantle Threat Actors
I’m fond of this section because it takes a whole bunch of activity that my team and I kicked off starting in early 2017, and it directs the US Government to really start putting it to good use. I’m specifically talking about NSPM-13, which I architected along with Tyson Meadors, our outstanding White House lawyers: John Eisenberg, Michael Ellis, John Dermody, senior officials at the ~20 departments and agencies across the national security apparatus. A senior U.S. military officer once described it as “The Magna Carta for cyber operations.” As a longtime fan of Colonel John Boyd, I deliberately designed it to reflect the Prussian concept of Auftragstaktik. By all reports, it is operating as designed.
STRATEGIC OBJECTIVE 2.1: INTEGRATE FEDERAL DISRUPTION ACTIVITIES
Out of the gate we are cooking with gas: “Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals.” I am glad to see continued pursuit of a cost imposition strategy against foreign actors causing direct harm to American citizens, while also enabling our operators to practice for larger problem-sets.
STRATEGIC OBJECTIVE 2.2: ENHANCE PUBLIC-PRIVATE OPERATIONAL COLLABORATION TO DISRUPT ADVERSARIES
At present, it is hard to extract meaningful information out of the private sector, and get it to the U.S. Government. Lawyers don’t want to disclose sensitive info that would provide a record of a breach, systems are often cleaned up as soon as possible in order to restore operability, etc.
“Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”
STRATEGIC OBJECTIVE 2.3: INCREASE THE SPEED AND SCALE OF INTELLIGENCE SHARING AND VICTIM NOTIFICATION
Often, the US Government is aware of an incident, but the victim is not. On the USG side, there are huge inter-agency politics over who ought to notify the affected entity. This section doesn’t seem to make any decision about who should, but simply lists how various groups have played roles in this sort of activity: the NSA Cybersecurity Collaboration Center, CISA’s Joint Cyber Defense Collaborative, and the FBI. Importantly, there’s a small call-out, directing a review of declassification processes, which enable better/faster/more effective information sharing with the private sector. This is an important but often overlooked tool.
One personal note here: in my time as the senior-most cyber policymaker for the United States, I always sought to make one single person, or one single entity, responsible for any given task. This was a departure from the norm, and I would call this section a regression to that prior mean. For aspiring policymakers: unless you have a single point of responsibility in a system, it rarely functions optimally.
STRATEGIC OBJECTIVE 2.4: PREVENT ABUSE OF U.S.-BASED INFRASTRUCTURE
In early 2017, a young civil servant asked to come see me, through an intermediary. I of course said yes (I had a quiet open door policy all four years). He wanted to come work for me.
“Not good enough.” I said. “Come back when you have a coherent plan to solve a major problem in under two years.”
He dutifully obliged, returning a few weeks later with a coherent proposal to solve a major national cybersecurity issue. Apparently, malicious cyber actors routinely rented server space from U.S. companies to conduct cyber attacks against American companies and citizens. “They get all the benefits of the 4th and 5th Amendment for a few bucks a day.”
I was shocked. He was hired.
I talked about this hiring methodology in the below thread:
His name is Steve Nelson. And he became one of the most important members of the NSC Cyber team, staying for three years (he has since left federal service). This specific effort, which he was responsible for, eventually became EO13984.
I will tell the story another time, but suffice it to say, after years of work and perseverance, EO 13984 was one of the last documents signed by President Trump in office — on January 19th, 2021, at around 5pm. It is one of our major achievements.
The signing of an Executive Order is, however, only the beginning of the regulatory process. Next, an agency needs to draft and “promulgate” implementation regulations. For the past two years, nothing has happened.
Until now.
Section 2.4 explicitly states that Biden Administration intends to finish the regulations, and fully implement 13984. Huzzah.
On implementation, I only have a single concern: that it will be used to prevent U.S. citizens from exercising their First Amendment rights to speak freely. We designed the Order to not restrict these rights, while protecting Americans’ privacy, but it remains to be seen how the current Administration will implement it.
STRATEGIC OBJECTIVE 2.5: COUNTER CYBERCRIME, DEFEAT RANSOMWARE
This section contains some notable elements, many of which are concerning.
First, the targeting of “exchanges on which ransomware operators rely” and implementing “international AML/CFT standards globally to mitigate the use of cryptocurrencies for illicit activities that undermine our national interest as part of our efforts to implement EO 14067, “Ensuring Responsible Development of Digital Assets.” This is dangerous territory, as forces aligned against the rapid expansion of decentralized technologies broadly known as “web 3” might seek to burden it with undue regulations, under the guise of “anti-ransomware” efforts. Stopping money laundering and terrorism are both noble goals, but implementing broad-based KYC/AML regulations for compute is unlikely to stop crime, while also pushing development of next generation technologies abroad.
Pillar Three: Shape Market Forces to Drive Security and Resilience
This section is something of a political Rorschach test. The language is imprecise in immediate meaning and possible regulatory interpretation. The formulation of “we like the market, but it has failed,” is often the pretext for bad things. That said, as someone who wrestled with these issues for a long time, and literally sat in this seat previously, the state’s power to compel companies is one of the few tools left.
STRATEGIC OBJECTIVE 3.1: HOLD THE STEWARDS OF OUR DATA ACCOUNTABLE
This section has two paragraphs covering (1) punishment for data breaches, and (2) proposing Congress pass a personal data protection law. There are a few different pressures on the second point, especially the American competition with the Europeans over GDPR, and the privacy lobby (which I am partial to) pushing back against commercial developments like micro targeting of ads. This section likely represents one of the many ways in which this strategy (like most) was the coming together of various interests from across the federal bureaucracy; perhaps pro-consumer privacy Commerce Department staffers put their foot down, and negotiated this language in to the document (Commerce oversees NIST).
STRATEGIC OBJECTIVE 3.2: DRIVE THE DEVELOPMENT OF SECURE IOT DEVICES
As much as I might complain about the use of state power, this section contains a very good proposal for its use: cybersecurity labeling for IOT devices. The devil is, of course, in the details, but by pushing for clear “grades” to be placed on the packages of products being sold, the Government can incentivize both manufacturers and consumers via transparency.
STRATEGIC OBJECTIVE 3.3: SHIFT LIABILITY FOR INSECURE SOFTWARE PRODUCTS AND SERVICES
Probably one of the more legally fraught sections of this entire document, in terms of its aims, this section focuses on trying to shift internal company incentives towards secure software development practices. The keystone statement is: “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.” It is a serious task. Consider for a moment that Solar Winds was a publicly traded company at the time of the eponymous cyber attack, and as the national incident coordinator during the incident, the lack of corporate structures (especially lack of a CISO) gave malicious actors the opportunity to run a complex operation that ultimately yielded access to a multitude of government systems and networks.
The section also calls for legislation to more clearly demarcate when companies ought to be held liable for their poor practices. This again might be challenging — imagine the federal government dispatching auditors to a company to do codebase reviews after a catastrophic incident — so …
STRATEGIC OBJECTIVE 3.4: USE FEDERAL GRANTS AND OTHER INCENTIVES TO BUILD IN SECURITY
Continuing on a lot of good work done in the Trump Administration, and others, to drive the U.S. Government to use its purchasing power to drive innovation and adoption of cybersecurity technologies.
Of note: the reference here to coordinating cybersecurity requirements with those of State, Local, Territorial and Tribal entities is one of many examples across this document of how the Office of the National Cyber Director (ONCD), which now employs just under 100 people inside the White House, enhances the ability to monitor and mandate behavior deep within the federal bureaucracy, as well as engage outside of traditional partners. Before the creation of ONCD, there were less than 30 White House staff (out of hundreds) focused on cyber policy, spending, and research, spread out across the National Security Council (the coordinator), Office of Management and Budget, Office of Science and Technology Policy, and Domestic Policy Council. ONCD has effectively tripled that number.
STRATEGIC OBJECTIVE 3.5: LEVERAGE FEDERAL PROCUREMENT TO IMPROVE ACCOUNTABILITY
This section dovetails with 3.4, and similarly demonstrates how this Administration is capable of going deep in the weeds in order to ensure that Federal contracts contain meaningful cybersecurity requirements.
Additionally, the Administration pledges to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.” This is a novel use of “stick” vs. “carrot.” We will see how this works out in the coming years.
STRATEGIC OBJECTIVE 3.6: EXPLORE A FEDERAL CYBER INSURANCE BACKSTOP
One of the more controversial sections in this document. Taxpayer-sponsored insurance backstops — most notably the National Flood Insurance Program — are operationally and politically fraught, since they can “socialize loss.” The language here is fairly broad: “In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilize the economy and aid recovery.” My concern here is that it could incentivize the partitioning of the economy, with certain firms (perhaps those within the “Critical Infrastructures” identified within PPD-41) identified as “too-big-to-fail,” where they might start assuming U.S. Government assistance in case of a cyber attack. This might disincentivize the adoption of best practices in cybersecurity.
We looked at the cyber insurance market extensively while on our journey to create Galvanick. Suffice it to say, the economics of cyber insurance aren’t optimal, as risk to both IT and OT systems seems to be compounding over time. We will see what comes as a result of this effort, but I am skeptical.
Pillar Four: Invest in a Resilient Future
Government spending time. This entire section covers the Administration’s plan for spending taxpayer dollars in and around cyberspace. Worth reading if you want to understand where the White House will be directing dollars in the coming months.
A brief digression: In January 2017, I was asked by the NSC Chief of Staff what I wanted to call my directorate. Under President Obama, it had been the “Cybersecurity Directorate.” But I made a different decision: “Cyber.” Over the next four years, we addressed a range of issues that were not traditionally understood as directly related to “-security.” And here, you see the same trend in full force. The paragraphs within “Pillar Four” are as much about security as they are about technology development. So much so that from a grammatical standpoint, eliminating the word “security” often leaves the sentences with nearly the same meaning. This matters because it in some ways serves as confirmation of Marc Andreessen’s conclusion, captured in his seminal 2011 essay, Software is Eating the World, and which I built on in a 2015 essay, Software is Eating the War. Technology is suffusing not only conflict — an observation made by Neal Stephenson in Cryptonomicon, where he points out that Athena is the goddess of both technology and war — but reality itself, through energy, money, and language. Nowhere is this more apparent than Pillar Four.
STRATEGIC OBJECTIVE 4.1: SECURE THE TECHNICAL FOUNDATION OF THE INTERNET
This section signals continued emphasis, and perhaps even additional support for, major R&D programs to shore up the internet’s underlying infrastructure; the shorthand used frequently is “Preserving and extending the open, free, global, interoperable, reliable, and secure Internet,” though they have also added “… requires sustained engagement in standards development processes to instill our values and ensure that technical standards produce technologies that are more secure and resilient.” This phrase can be taken many ways, where “our values” could mean the freedom of American citizens to speak their mind, no matter how offensive to those in power, or it could means something much more ominous. I pray it is the former.
The also section talks about how the U.S. Government is going to continue to engage, and perhaps even increase its engagement, with the international standards organizations that determine how the internet is built and maintained. This is important for many reasons, not the least of which is because the Chinese Communist Party has, of late, started sending hundreds of representatives to these organizations to try and “hack” their processes, to make the underlying technologies that route information around the world safe for global, totalitarian, communist dictatorships.
STRATEGIC OBJECTIVE 4.2: REINVIGORATE FEDERAL RESEARCH AND DEVELOPMENT FOR CYBERSECURITY
More details on spending priorities. Of note, as I covered in the analysis of section 3.4, the directive to shift spending towards specific priorities would have been, in past instances, challenging to execute. It was for us (2017-2021). But with an 80-person Office of the National Cyber Director, able to hold regular meetings and dive deep into budgets, policy directives, and so on, I expect these words to carry significant force in the coming years.
STRATEGIC OBJECTIVE 4.3: PREPARE FOR OUR POST-QUANTUM FUTURE
Much like how most people didn’t — and don’t — seem to understand the implications of advanced machine learning models (i.e. GPT-4, and beyond), we have a similar event just over the horizon with quantum computing.
We did a lot of good work on this during the Trump Administration — especially the Office of Science and Technology Policy (OSTP - another White House office), which was the primary driver behind a host of quantum computing initiatives, as well as EO 13885. The new strategy continues and enhances a lot of that work, especially around pushing towards quantum resistant cryptography.
STRATEGIC OBJECTIVE 4.4: SECURE OUR CLEAN ENERGY FUTURE
This section comes off as one of the more political in the document. Wind and solar can’t provide baseload power, and their supply chains run straight through CCP-owned African mineral extraction sites and refineries with questionable human rights practices. Neither have long-term survivability, and recycling them is currently impossible. They’ll never replace the reliability of coal, natural gas, or nuclear. And yet powerful interests on the left have lined up to advocate for, and in some cases jam through massive spending programs to try and change the cost dynamics around them. Combine all of that with the fact that “smart” grids are invitations to adversaries to engage in malicious behavior that risks our nation’s way of life, and reading this section makes the hair on the back of my neck stand up.
STRATEGIC OBJECTIVE 4.5: SUPPORT DEVELOPMENT OF A DIGITAL IDENTITY ECOSYSTEM
Major concerns here. Digitization of these information architectures offer totalitarian opportunities to governments both in the U.S. and abroad. I fear ours might seek to avoid constraining itself with “pesky” things like Constitutional rights. Time will tell, but Congress will likely need to provide some clear guidance on this.
STRATEGIC OBJECTIVE 4.6: DEVELOP A NATIONAL STRATEGY TO STRENGTHEN OUR CYBER WORKFORCE
The biggest “miss” in the document. In cyber, people are the capability. To write a national strategy with just a few short paragraphs about the people the United States expects to do the work is disappointing. This document is now two and a half years in the making, and the best they have is the announcement that the ONCD will be writing a workforce strategy.
What meat they have is a re-hash of the directives out of EO 13800 and EO 13870:
The strategy will build on existing efforts to develop our national cybersecurity workforce including the National Initiative for Cybersecurity Education (NICE), the CyberCorps: Scholarship for Service program, the National Centers of Academic Excellence in Cybersecurity program, the Cybersecurity Education Training and Assistance Program, and the registered apprenticeships program. The strategy will also leverage ongoing workforce development programs at NSF and other science agencies to augment Federal Government programs.
I look forward to reading the forthcoming ONCD strategy. Let’s hope it arrives before 2024.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
Deep inside baseball here, but the introductory section reads — to an insider — straight out of the orthodox State Department/Atlanticist hymnal that was recited at me for years. This macro strategy misses the importance of raw American leadership, and always came off as seeking safety in numbers, rather than acting with conviction and rewarding those who followed. “Coalitions,” “collaboration,” “international law” and “voluntary norms” to me were always secondary to deeds. But elections have consequences, so here we are.
STRATEGIC OBJECTIVE 5.1: BUILD COALITIONS TO COUNTER THREATS TO OUR DIGITAL ECOSYSTEM
Lots of concerning stuff here. As Mike Benz and the Foundation for Freedom Online have been illustrating over the past few months since launch, non-governmental organizations often to do the deeply illiberal work of restricting free speech under the banner of “safety,” and have been doing so with tacit, and sometimes even explicit support of US Government agencies. This is deeply concerning. There is a lot of that language in this section, for example their tacit support for the “Christchurch Call to Action to Eliminate Terrorist and Violent Extremist Content Online,” a public statement that the New Zealand government perennially seeks to gain support for, and which is essentially a synthetic repudiation of the First Amendment.
There is some goodness as well, as the document indicates that the Administration will be using multilateral organizations to continue pushing for renewed focus on issues like supply chain resilience and countering ransomware.
STRATEGIC OBJECTIVE 5.2: STRENGTHEN INTERNATIONAL PARTNER CAPACITY
Innocuous, and roughly a continuation of previous administrations’ policies.
STRATEGIC OBJECTIVE 5.3: EXPAND U.S. ABILITY TO ASSIST ALLIES AND PARTNERS
The concept of playing “away games” before playing “home games” was prominent prior to 2017, though we tried to put more energy into it. The major question is: where are the people going to come from? It is something of a chicken-and-egg problem. The U.S. Government doesn’t have the cyber workforce it wants. To build a workforce, you need to give them experience. Without real exposure to challenging scenarios, your people won’t gain confidence and competence. So in a way, pushing talent out to partners and allies can be a useful tool to try and build a deep cyber bench. I just hope we are thinking about it from the perspective of workforce construction, rather than the normal thing that happens in large organizations, where the hardest work is consistently placed on the shoulders of small groups with proven skill and experience. That is a recipe for burn-out.
STRATEGIC OBJECTIVE 5.4: BUILD COALITIONS TO REINFORCE GLOBAL NORMS OF RESPONSIBLE STATE BEHAVIOR
More State Department chatter, here. I wish the wordcels luck. Let’s hope they bring some shape rotators, in case things ever get dicey.
STRATEGIC OBJECTIVE 5.5: SECURE GLOBAL SUPPLY CHAINS FOR INFORMATION, COMMUNICATIONS, AND OPERATIONAL TECHNOLOGY PRODUCTS AND SERVICES
I’m all in on this, and appreciate the call-out of our National Strategy to Secure 5G (I architected it), initiatives to drive down the cost of 5G, and many more bipartisan activities covered here.
Conclusion
Strategies are hard. And the first take-away you should have as a reader is that this document is the result of years of drafting and negotiation by thousands of political appointees, government specialists, and special interest groups.
The hard work always comes after publication — implementation. There is surely a ~50 page “implementation plan” sitting somewhere in the Eisenhower Executive Office Building, with one or more staff whose full time job is to manage its faithful execution.
We ought to wish them luck.
Analyzing the 2023 National Cyber Strategy