New National Cyber Strategy – Contractor Opportunities and Implications

Published: October 04, 2018

Critical Infrastructure ProtectionCybersecurityPolicy and LegislationPresident Trump

The new National Cyber Strategy points to cyber- opportunities for contractors, but also to greater scrutiny for their products and internal systems.

In late September the Trump Administration released an updated National Cyber Strategy, the first new such broad strategy update in 15 years.

In introducing the strategy National Security Adviser John Bolton presented what looks to be a mix of greater cyber offense – as a means to deter and punish adversaries – and stronger efforts to defend and protect government networks and critical infrastructure. “For any nation that’s taking cyber activity against the United States, they should expect…we will respond offensively as well as defensively,” Bolton said.

Michael Daniel, Obama Administration Cyber Coordinator commented that “It strikes a good balance between defensive actions and seeking to impose consequences on malicious actors. Further, it’s clear that this strategy is a reflection of a strong policy development process across administrations.”

Four Pillars

The Strategy is built on four “pillars” that address broad priorities for the U.S. that stretch beyond federal departments and agencies.

  • Pillar I: Protect the American People, the Homeland, and the American Way of Life – The main objective is to manage cybersecurity risks to increase the security and resilience of the Nation’s information and information systems. Efforts will be to secure federal networks and information, secure critical infrastructure, combat cybercrime and improve incident reporting.
  • Pillar II: Promote American Prosperity – The main objective is to preserve U.S. influence in the technological ecosystem and the development of cyberspace as an open engine of economic growth, innovation, and efficiency. Efforts will be to foster a vibrant and resilient digital economy, foster and protect U.S. ingenuity, develop a superior cybersecurity workforce.
  • Pillar III: Preserve Peace through Strength – The main objective is to identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace. Efforts will be to enhance cyber stability through norms of responsible state behavior, attribute and deter unacceptable behavior in cyberspace.
  • Pillar IV: Advance American Influence – The main objective is to preserve the long-term openness, interoperability, security, and reliability of the Internet, which supports and is reinforced by U.S. interests. Efforts will be to promote an open, interoperable, reliable, and secure internet, build international cyber capacity.

Opportunities and Implications

The new strategy presents contractors with both opportunities to support federal efforts and implications for their operations when doing so. Under Pillar I and the securing of federal networks and information DHS will continue to push civilian agencies to transition to shared services and infrastructure and will continue to deploy centralized cyber capabilities, tools, and services. The Department of Defense (DoD) and the Intelligence Community (IC) will also consider such efforts within their own cyber posture improvements. As the implementation evolves, this will open up greater opportunity for service providers, and innovative products as well as thought leaders who can help shape governance, standards and implementation approaches.

There are also implications and expectations that vendors should recognize well. This Pillar also encompasses improving supply chain risk management (SCRM) and improving the security of contractor systems. The administration will pursue a supply chain risk assessment shared service and streamlined authorities to exclude risky vendors, products, and services from federal acquisitions and national infrastructure.

Efforts to assess the security of federal data processed within contractor systems will include “reviewing contractor risk management practices and adequately testing, hunting, sensoring, and responding to incidents on contractor systems” with a particular focus on those within the defense industrial base (DIB).

The DoD has been placing compliance requirements around cybersecurity and information risk management (IRM) on firms within the DIB community for several years and this strategy update signals that greater collaboration and compliance requirements are on the way. Some requirements may increase the overhead and operational costs of doing business with the DoD, although most firms have likely bitten that bullet incrementally over time as these policies have evolved. However, what may be required going forward is more of a cultural shift in firms being comfortable with having DoD personnel actively operating on their systems during a cyber event.