Acting National Cyber Director Kemba Walden provides remarks at the launch of the President’s National Cybersecurity Strategy
ACTING NATIONAL CYBER DIRECTOR KEMBA WALDEN REMARKS
NCS Launch Event
March 2, 2023
Center for Strategic and International Studies
I want to start by thanking Jim. I’m grateful to you and to CSIS for giving me the opportunity to speak to this audience today.
I can’t think of a better place to launch a cyber strategy. After all, it was the CSIS Commission on Cybersecurity for the 44th Presidency, led by Jim, that first called for the creation of a cyber office in the White House.
As the Acting National Cyber Director, I’m so incredibly excited to be able to say that the Biden-Harris Administration has released the President’s National Cybersecurity Strategy. We are thrilled to share with the American people what we’ve been working on and explain why it matters, and then turn to the hard but exciting work of implementation.
To start, the strategy is just the latest action the Administration has taken to strengthen our cybersecurity posture. This strategy builds on two years of unprecedented attention that the President has placed on cyber issues.
The May 2021 Executive Order set the tone, committing the government to significantly enhancing our defenses and using our purchasing power to drive improvements in the broader ecosystem. We are implementing a Zero Trust Architecture Strategy to make Federal networks more resilient. We are focusing on industrial control systems and other operational technology, including through the publication of CISA’s Cybersecurity Performance Goals. And we are looking further down the road, preparing for the future by deploying a new generation of quantum-resistant cryptographic systems.
Whether it’s the at the White House or in the interagency community, the Biden-Harris Administration has made cybersecurity a clear priority.
My office, ONCD, has been just one small part of this fast-growing cyber community. We work with international partners, government at all levels, non-profits, academics, and the private sector to help communities thrive and prosper online. At ONCD, part of our job is to drive all of this energy and collaborative spirit into a broader strategic approach.
Strategies are tools. At their most basic level, they match our goals—where we’re trying to go—with the resources we need to get there. And when I say “resources,” I don’t just mean money though that’s certainly important. I also mean our people, our time, our expertise, and our focus. We have to coordinate our investments in technologies, in people, and in processes to make sure that cyberspace is safe, accessible, and equitable for all Americans.
The President has very clearly laid out his vision for America, and in his first two years, he has set us on a path to make it a reality. The President committed to creating a more equitable economy, overseeing our clean energy transition, rebuilding our national infrastructure, strengthening our democracy, and making the nation’s workforce more competitive. Generational investments in the Bipartisan Infrastructure Law, the CHIPS and Science Act, and the Inflation Reduction Act are models for how we do this the right way.
But each of these initiatives depends on, and is enhanced by, technology. And beginning with a strong cyber foundation is essential to their ultimate success.
To understand why cybersecurity is so fundamental to the President’s vision for the country, we must remember that securing ourselves against threats is not the only thing that matters when it comes to cyberspace. If that were the case, we’d simply tell everyone to turn off their computers! But since even our most basic home appliances have chips in them, that approach is off the table.
We use and connect these technologies to make our lives easier, safer, and more equitable. But that also means that, increasingly, everything we do, from talking with friends to banking, from turning on the tap to driving to work, has a connection to cyberspace.
We defend cyberspace not because it is some distant terrain on which we battle our adversaries. We defend cyberspace because it is interwoven into our very lives.
We should be able to talk to our friends and family online without worrying if it’s really them or some criminal after our bank account. We should be confident that the power won’t go out because a rogue nation or terrorist launched a cyber attack to disrupt our way of life.
If we build a secure and resilient cyber foundation, we can pursue our boldest national goals with confidence. Goals like an electrical grid capable of distributing renewable energy across vast distances with pinpoint, real-time precision. Goals like high-bandwidth, instantaneous communications that enable collaboration, commerce, and cultural exchange. And goals like an Internet that strengthens our democracy.
When you look at cyberspace from this perspective, it’s clear that we can’t just think in terms of national security. We also have to think about cyberspace in terms of political economy; —of social change; —of technological innovation.
This is the framing that we started with when ONCD was asked to lead a whole-of-government effort to draft a new National Cybersecurity Strategy. The strategy aligns with and nests under the National Security Strategy. But it’s not just about security. The President’s National Cybersecurity Strategy, acknowledges a profound truth: technology and humanity are intertwined.
In the strategy, our ultimate goal is a digital ecosystem that is more inherently defensible, resilient, and aligned with our values. What do I mean by that?
Defensible means that we’ve tipped the advantage from attackers to defenders by designing systems where security is baked in, not bolted on. Resilient means that when defenses fail—which they sometimes will—the consequences are not catastrophic and recovery is seamless and swift. Cyber incidents shouldn’t have systemic real-world impacts. And, finally, we cannot ignore the way that technology shapes—and is shaped by—the rest of our society.
Technology does not, itself, represent a value system. It carries with it the values of its creators and operators. Technology can bring great advancement, from groundbreaking vaccines to essential services for the underserved. But it can also be used by antidemocratic forces to suppress or to misinform. We have to actively define and assert our values in the way we build our digital world.
In crafting this strategy, we borrowed from the past, and you will see echoes and overtones from the important policy work that has come before. But we also looked for ways we could go further and be bolder. If you look at cyber strategies going back decades, they tend to say many of the same things: We need to prioritize our defenses, share information, and so on.
But while we’ve made important progress in these areas, it’s clear we still have a long way to go to ensure that every American feels confident that cyberspace can work safely for them. The truth is that we need to make some fundamental shifts in the way our digital ecosystem works.
This is where President Biden’s strategy takes a new approach.
First, we need to rebalance the responsibility for managing cyber risk—rethinking whom we ask to keep all of us secure. Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. We ask my mother and my kids to be vigilant against clicking suspicious links. We expect school districts to go toe-to-toe with transnational criminal organizations largely by themselves.
This isn’t just unfair; it’s ineffective.
The biggest, most capable, and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.
And that includes the Federal government. We must do a better job of leading by example, defending our own systems and sharing relevant and timely information with the private sector.
But we expect that same leadership from industry, too. That includes cloud service providers and other internet infrastructure companies; the developers of software and the manufacturers of hardware; and other key players in our technology ecosystem.
We need to step up and work shoulder-to-shoulder, together.
Every American should be able to benefit from cyberspace. But every American should not have the same responsibility to keep it secure.
However, simply shifting the burden for security won’t solve all our problems if we don’t start thinking in terms of long-term solutions. It’s not enough to manage the threats of today; we need to make tomorrow more inherently defensible and resilient.
I know how tempting it can be to focus on short term fixes. Whether we’re government policymakers, industry leaders, or just average Americans trying to make smart decisions online, we all face very real near-term risks, legal requirements, and commercial incentives.
But if tomorrow we were to wake up having perfected our current means of cyber defense, we would at best be losing more slowly. Instead, we need to change the underlying rules of the game to give ourselves the advantage.
I want cybersecurity to be an unfair fight.
To do that, we need to make it so that when public and private sector entities face trade-offs between easy but temporary fixes and harder solutions that will stand the test of time, they have the incentives they need to consistently choose the latter.
Rebalancing the responsibility to defend cyberspace and incentivizing investments in a resilient future: These are the fundamental shifts that guide the President’s strategy.
When it comes to our critical infrastructure—when national security and public safety are at stake—we have to make sure we’re meeting a baseline level of security. Every American deserves to feel confident that their local power station, cell network, hospital, and other infrastructure is resilient to cyber threats.
But today that is not the case. In too many sectors, we still aren’t where we need to be. To strengthen America’s confidence in the infrastructure that powers our lives, regulation needs to be part of our approach.
We will take the lightest possible touch, but no less than that.
In drafting baseline regulatory requirements, we will be guided by the principles of harmonization and reciprocity. Companies shouldn’t have to prove the same thing more than once, and costs of compliance should not detract from investments in security.
We will also prioritize consultation with regulated entities. We have to make sure we’re using regulations in a way that makes us all safer.
But we also have to recognize that the most pernicious cyber problems can only be solved together. We’ve made significant progress building collaboration between government and industry to protect our infrastructure through initiatives like CISA’s Joint Cyber Defense Collaborative and the NSA’s Cyber Collaboration Center. We’ve expanded information sharing and pioneered new ways of working together side-by-side to defeat urgent threats. And now we need to think creatively about other tools that government has at its disposal to improve cybersecurity.
In the President’s strategy, we commit to deepening operational collaboration with the private sector and with our allies and partners abroad. We need to scale collaboration with industry by encouraging agencies to proactively address the needs of critical infrastructure owners and operators in their sectors. We also need to do more to get operationally relevant intelligence into the hands of private sector stakeholders, as we have done in connection with the Russian invasion of Ukraine.
Now, to be clear, there are some things only the government can do. When our adversaries threaten our national security or public safety, they need to know that we are going to use all instruments of national power to stop them.
We are focused on building long-term resilience, but we don’t have the luxury of ignoring the threats we face today. And it’s absurd to expect my mother or your public library to defend themselves against attacks from sophisticated adversaries in China, Russia, North Korea, and Iran.
Only the government has the authorities and resources to go after them.
We’re going to build on lessons we’ve learned taking down ransomware criminals. We’ve had success when multiple departments and agencies across the government and around the world combine forces, as we saw recently when the Department of Justice and the FBI took down the Hive ransomware gang.
Whether we’re disrupting our shared adversaries, setting new cybersecurity requirements to level the playing field, or finding new ways to share information and build trust, collaboration is at the core of the President’s National Cybersecurity Strategy. And it will continue to guide our approach in the months and years to come.
But writing this strategy was the easy part.
Now is the time to lean into the hard work of implementing the strategy, and that’s going to be a team effort. In government, we’re going to stay coordinated, put funding and investment where it needs to go, and hold ourselves accountable to the goals we’ve set out. And we need the private sector to step forward with us. We can’t do this alone, and we’re excited to keep making progress together.
I want to close by thanking some of the people who put us in this position.
The President chose Chris Inglis to be his inaugural National Cyber Director, and Chris was instrumental in developing this strategy and standing up this office.
I also want to thank our partners in Congress. Cybersecurity has been an area of bipartisan cooperation for years.
I’m especially grateful for the hard work of all of the people who contributed to the development of this strategy. That includes the staff who led the process and the hundreds of stakeholders from departments and agencies and outside of government who helped to shape it.
I also have to mention the Cyberspace Solarium Commission, including CSIS Senior Advisor Suzanne Spaulding. The Solarium report helped to lay the groundwork for both ONCD and this strategy.
And, finally, thanks to Jim and CSIS for giving me the forum to talk to you today.
It was an honor and a privilege for ONCD to be entrusted with the development of the President’s strategy. It will be a further privilege to administer its implementation.
We are just getting started, and I’m looking forward to working with all of you to put this strategy into action.
Acting National Cyber Director Kemba Walden provides remarks at the launch of the President’s National Cybersecurity Strategy