Enough Strategies, More Tactics
The State Department introduces the United States International Cyberspace & Digital Policy Strategy - ENOUGH!!!!
During last week’s RSA conference, Secretary of State Blinken was a keynote speaker (why? I guess Mayor Pete wasn’t available), and he introduced something called the United States International Cyberspace & Digital Policy Strategy (ICDPS) and touted it as (I’m paraphrasing) “The North Star towards digital solidarity,” whatever that means.
I was asked to speak on this on Newsmax last week, so I read this strategy so you don’t have to. As I said on Newsmax, “There is nothing like a good cyber strategy, and this is nothing like a good cyber strategy.” This “strategy” utilizes about every potential buzzword from about every political subject area possible. It was like the State Department found out Blinken agreed to keynote at the RSA Conference and had to have something for him to talk about. Two of the current buzzwords in cybersecurity that tend to get a lot of play are “encryption” and “zero trust”. Each is mentioned once. But the words “diversity”, “equity”, and “inclusion” are used 25 times. That alone highlights the problem with “strategies”: they say a lot but do little in terms of solving actual cyber problems for individuals and/or businesses. As I told Newsmax, “when I look for cyber solutions, the State Department is not the place I look.”
This post is not designed to be several hundred words that bag on the State Department, but rather to highlight the exasperation I have with cyber strategies. Over the past 20 or so years, the following Cyber Strategies or Cyber Executive Orders have been unleashed on the public:
1. National Plan for Information Systems Protection (2000)
2. National Strategy to Secure Cyberspace (2003)
3. Comprehensive National Cybersecurity Initiative (2008)
4. Department of Defense Strategy for Operating in Cyberspace (2011)
5. International Strategy for Cyberspace (2011)
6. Department of Defense Cyber Strategy (2015)
7. Federal Cybersecurity Workforce Strategy (2016)
8. National Cyber Incident Response Plan (NCIRP) (2016)
9. Cybersecurity National Action Plan (CNAP) (2016)
10. National Cyber Strategy (2018)
11. Department of Defense Cyber Strategy (2018)
12. National Cybersecurity Strategy (2023)
13. The National Artificial Intelligence Research and Development Strategic Plan (2016, updated 2019)
14. The Executive Order on Maintaining American Leadership in Artificial Intelligence (2019)
15. The American AI Initiative (2019)
16. The National AI Strategy (2021)
17. Department of Defense AI Strategy (2018)
18. Executive Order 13231 – Critical Infrastructure Protection in the Information Age (2001)
19. Executive Order 13618 – Assignment of National Security and Emergency Preparedness Communications Functions (2012)
20. Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (2013)
21. Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing (2015)
22. Executive Order 13757 – Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (2016)
23. Executive Order 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017)
24. Executive Order 13920 – Securing the United States Bulk-Power System (2020)
25. Executive Order 13984 – Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (2021)
26. Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (2023)
Looking at all these killed trees, are we safer? Has the cyber “problem” been solved or the threats reduced? Sadly, we all know the answer is NO. But not for lack of writing (and likely multiple SES-related promotions in the government for the authors).
WHY?
Because strategies and Executive Orders are largely “suggestions”. There is rarely an accompanying “Tactical” document that supports the strategy. It is these tactical solutions that we need to develop, deploy, and dissect to find viable solutions that actually work to keep individuals and organizations safer. Tactical solutions are not a silver bullet to our problems, but a better point of emphasis than yet another cyber strategy.
To that end, I am rebranding the “CyBUr Guy Podcast” as the “Tactical Cyber Podcast” to discuss exactly these solutions. My co-host and I will talk to industry practitioners who share the same desire to bring tactical solutions to listeners so they can better protect themselves from the myriad cyber threats we face daily.
Time to move past the strategies and start incorporating the tactics. More to follow.
Dissenting opinions are always welcome at darren@thecyburguy.com.
When the podcast launches, I hope you will give it a listen and tell a friend.
#tacticalcyber #podcast #thisistheway