Network Requirements of the National Cybersecurity Strategy

In March, the Biden administration released the National Cybersecurity Strategy (NCS) “to secure the full benefits of a safe and secure digital ecosystem for all Americans.” In the administration’s view, cyberspace is a tool for achieving a range of lofty goals, among them economic prosperity, human rights, freedom, democracy, and an equitable and diverse society. It’s a vision predicated on making “fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace,” according to the White House.

The NCS establishes five foundational principles or pillars upon which to build out the strategy in pursuit of its goals:

• Defend Critical Infrastructure
• Disrupt and Dismantle Threat Actors
• Shape Market Forces to Drive Security and Resilience
• Invest in a Resilient Future
• Forge International Partnerships to Pursue Shared Goals

The Cybersecurity Strategy further contemplates policy changes that could advance those objectives. Notably, the White House has proposed shifting responsibility for improved cybersecurity to private-sector vendors that develop IT hardware and software. Many of the details have yet to be worked out.

Overall, the NCS is a strong and decisive step in the direction of improved cybersecurity. The plan unwaveringly focuses on the “cyber” in cybersecurity. The document is replete with references to digital assets, software, the internet and the Internet of Things, wireless capabilities, and space-based assets. The NCS mentions “cyber” almost 300 times.

A need to focus on physical infrastructure

Less prominent in the NCS are certain indispensable physical components of networks and cyberspace. I’m referring to electronic devices—laptops, mobile phones, tablets, network switches, sensors—the physical infrastructure and endpoints of networks, virtual and otherwise. These devices make possible the routing, transport, and storage of data. They provide interfaces enabling human users to exchange information on global networks. The term “device” appears in the NCS six times.

This is not to suggest that the Cybersecurity Strategy neglects physical infrastructure. It doesn’t. The NCS does, however, present a view of networks and cybersecurity that is skewed toward the virtual—not unusual in discussions of cybersecurity—to the exclusion of electronic devices and components and the importance of securing them.

We mention the imbalance by way of encouraging proportional effort while trudging the road to greater cybersecurity. Getting there will be a slog. Let us remember that cyberspace and the “virtual world” aren’t as virtual as we might like to believe. The cloud is a collection of massive terrestrial server farms, and cables at the bottom of the world’s oceans transmit more than 95% of international data. Those submerged cables are outside the purview of the NCS, yet the point remains: digital communication is a highly physical proposition, and electronic devices of all types must be secured.

Establishing a Zero Trust model

Although the administration has not directly addressed the physical infrastructure issue in the NCS, it has attempted to do so in previous documents. Notably in Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which calls on agencies to jettison perimeter security principles in favor of sophisticated Zero Trust cybersecurity architecture. In keeping with the EO, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model comprising five principles of modern cybersecurity: identity, devices, network, data, and applications and workloads. The maturity model also aligns with the Office of Management and Budget's (OMB) Zero Trust Strategy, a roadmap for implementing Zero Trust.

The challenge will be to implement multiple overlapping plans in a systematic, efficient, comprehensive fashion.

Shoring up the country’s cybersecurity is a priority of the administration, clearly. Just as apparent is the necessity to secure all aspects of our networks, including electronic devices, down to the last tablet, sensor, and network switch. As we move forward together, government agencies and IT vendors, we must be vigilant and thorough.

To truly be secure, we must leave no device unturned.

Want to learn more? See how top US Federal agencies upgrade their physical infrastructure, boost cybersecurity efforts and leverage cutting-edge analytics. Join author Brian Wright for an exclusive GovExec webcast.