While private sector engagement with the federal government has increased over the years, it's widely held to be insufficient.
The National Defense Authorization Act (NDAA) Conference Committee finalized its FY2021 bill Thursday. The bill includes more than 50 cyber provisions and 26 recommendations made by the Cyberspace Solarium Commission (CSC) in its inaugural report this year.
About 12 adopted recommendations directly or indirectly request private sector cooperation, including:
- Assess private-public cybersecurity collaboration
- Establish Joint Cyber Planning Office for cross-sector cyber defense planning
- Establish National Cyber Director in the White House
- Federal watchdog evaluation of cyber insurance
"I have never seen as many cybersecurity provisions in the NDAA," said Jonathan Reiber, senior director for Cybersecurity Strategy and Policy at AttackIQ and former chief strategy officer for cyber policy in the Office of the U.S. Secretary of Defense under the Obama administration.
The heavy addition of cyber provisions by Congress shows the federal government needs to do more in responding to rapidly evolving and maturing cyberthreats. But as the government asks the private sector to get more involved, companies have to weigh the risk of international business impact.
"The private sector, particularly large technology companies, those companies are in a difficult position and their platforms are used globally," said Reiber.
Impact on international markets
Cyber, whether in the public or private spaces, transcends U.S. borders.
"Cybersecurity is as critical as physical security or any other kind of risk that they take into account when making decisions," said Tatyana Bolton, who leads the Cybersecurity and Emerging Threats team at R Street Institute and served as senior policy director for the CSC.
All the cyber-related activity the government and private sector has engaged in is a layup for greater planning. One of the CSC's adopted recommendations in the NDAA — establishing the Joint Cyber Planning Office within DHS — will likely play a role in that.
"The fact of this provision is it says you should include outside experts from the private sector and others to think through potential options," said Reiber. However, a point of contention arises here. "One of the things that I've been very concerned about is that it's the government's job to defend the country … it's not the private sector's job to defend the country."
The U.S.'s ability to remain innovative and economically competitive is contingent upon companies' ability to work internationally. "It's dangerous to ask them to assume the burden of defending the country," said Reiber.
The cyber adoption in the NDAA indicates the role cyber will play in national, economic and diplomatic security moving forward. Cyber has pulled the private sector deeper into national security — whether it wants to be there or not. The adopted recommendations are meant to remedy areas of distrust and construct a more resilient cyber infrastructure, regardless of sector.
Balancing business and national security isn't clearly defined. For example, the U.S.'s overall relationship with China and its market is simultaneously competitive and co-dependent.
In 2017, the U.S. Trade Representative estimated that between $225 billion and $600 billion in losses of U.S.-owned intellectual property (IP) resulted from theft by China. In response, the Trump administration imposed tariffs in 2018. But the U.S. continues to navigate how to impose "cyber norms" on adversarial countries while also benefiting from their markets.
Reaching agreements with foreign adversaries requires a long game before results are realized. "I do think that the Biden administration is going to have to wrestle with the technology relationship with China," said Mieke Eoyang, SVP of the National Security Program at Third Way, during a panel last week. "It is possible, with sustained attention and pressure, to try and get better behavior out of China. The question is, can we do it again?"
When a country clearly defies or refuses to meet "cyber norms," it is easy to explain to private shareholders why business there is undoable. Explaining away countries with substantial markets, such as China, is harder to do.
It's really up to companies to decide if they want to risk losing business in or with global markets. While companies have historically contributed to wartime efforts, "there's this gray space where adversaries are operating," which is different from a national economy during a "total war," said Reiber.
The most recent example of a private sector company taking such a risk was Microsoft's role in the Trickbot disruption. However, the mission was using its own platform, and therefore isn't considered an offensive operation. Microsoft's actions were in tandem with the U.S. Cyber Command, but it was "a very easy public affairs thing for a company to explain," said Reiber.
Cyber in the White House
Other adopted recommendations could improve intelligence support to the private sector, codify processes, and create a better market for cyber insurance. Cyber's overall inclusion "created the space for many of these suggestions to finally move forward," said Philip Reiner, CEO of Institute for Security and Technology. However, the adopted recommendation for assessing private-public collaboration "is a long time past talking about and assessing the issue. More action is needed."
One provision of the NDAA was the reauthorization of CSC through Dec. 2021, allowing the commission to add or finesse its cyber recommendations. The CSC and the Cybersecurity and Infrastructure Security Agency (CISA) are major advocates for cross-sector collaboration.
The Trump administration established CISA and appointed its first director; the NDAA adopted recommendations to strengthen the agency and its head. CISA is currently operating with an acting director, Brandon Wales, after Trump terminated Chris Krebs in November.
"I think there is very little daylight between him and Chris Krebs," said Bolton. "He's steeped in the cybersecurity culture at DHS." Whomever President-elect Joe Biden chooses to fill the National Cyber Director role will "be a known quantity in cybersecurity," said Bolton.
But the CSC's recommendation — to establish a Senate-confirmed National Cyber Director and Office of the National Cyber Director — is its biggest win. "It sets the tone and highlights the importance of cybersecurity," said Bolton.
President Donald Trump eliminated the national cyber coordinator position, held by Rob Joyce, in 2018. "I think that set the tone for cybersecurity going forward and for his administration, and, unfortunately, left a vacuum in the White House," said Bolton. Federal agencies, including CISA, acted to the best of their ability to operate as if the role were still filled. Coordination was, and is, still difficult without a voice in the executive office.
The National Cyber Director role will address contingency planning, an area particularly in need of improvement, especially when 85% of critical infrastructure is owned by the private sector. The addition of a National Cyber Director in the White House, in the event of a national cyber crisis, should be the "person who has credibility within the community, but who can also speak to the public, the government, government processes, and, importantly, engage the president," said Reiber. Credibility is king.
Other recommendations, including one for creating a biennial national cyber exercise, acknowledge the "cyber interaction in a suite of different agencies," said Reiner. "Cyberthreats are moving away from a partisan issue, and becoming a national priority."
And cybersecurity fits nicely into nonpartisanship. This year Congress brought a return to the NDAA's historically bipartisan vote count, dimming the chances of a veto surviving with an 86-14 majority in the Senate.
While the NDAA received Congressional approval, it has to make it past the Resolute Desk.
The bill does not include the repeal of Section 230 (from 1996's Communications Decency Act) as Trump wanted. Despite the two-thirds majority vote, Trump tweeted he will veto the bill because of the absent Section 230 revision.
However, with the incoming Biden administration about two months away, Congress can either override the president's veto, or present the bill again to President-elect Biden.