Evaluating the Biden cybersecurity strategy

In March 2023, the Biden administration outlined its vision for a more secure cyberspace with its release of a National Cybersecurity Strategy, which places more responsibility on software developers and other institutions to have safeguards in place that ensure their systems cannot be hacked.

The administration also announced it is proposing legislation that would establish liability for software developers that fail to take reasonable precautions to secure their products. Additionally, the administration wants to incentivize businesses and developers to invest long-term in cybersecurity.

Nadya Bliss, executive director of the Global Security Initiative, weighed in on the administration’s plan following its announcement.

Editor's note: The following interview has been lightly edited for length and clarity.

Question: What are your general takeaways regarding the new strategy?

Answer: The emphasis on incentives is incredibly positive. One of the biggest challenges with cybersecurity is that generally we design everything with capability first in mind and security second. If you think about how the market functions, everybody wants the next best thing. As a result, we have this system that is really not designed for security.

Second, I think it’s positive that the strategy has focused on prioritizing the burden for cybersecurity on sectors and companies that can bear it. Right now, too much responsibility falls on the individual.

Finally, the strategy is looking to the future of cybersecurity. Things like post-quantum encryption systems, artificial intelligence, biotechnology, clean energy, all of those have significant cybersecurity aspects. Sometimes they’re positive for cybersecurity, sometimes they increase the attack surface. These outlined research initiatives are another important aspect of the strategy.

Q: How much of a difference do you think offering incentives could make?

A: I think there is a significant benefit to elevating this to a core element of the strategy. I am the current vice chair of the Computing Community Consortium. We have a white paper on designing secure ecosystems that involves the notion of incentives. I think without having that as a top-level federal strategy, no progress is going to be made. The fact that it’s stated is very important. Whether or not it’s actually going to affect the security of our system is going to depend on specific domains and specific policies and how it is implemented.

Q: How much of this strategy do you think will actually be implemented?

A: I am feeling reasonably positive that this is going to be a high priority, as it is also aligned with a number of economic priorities and a number of other policy priorities, such as the CHIPS and Science Act, and all of the policy priorities around the new energy future. Cybersecurity is incredibly important in the context of the changing climate.

Q: Final question. Why have products or software been designed with more capability in mind than security?

A: Think about what you’re looking for when you are buying something like a phone. Does it have a really nice camera? Is it fast? Very few people go to a store to buy a piece of technology and say, “Can you tell me what the security features are?”

I’m a computer scientist, and I ask those questions all the time, and usually the feedback I get from the person in the store is that no one ever asks this.

But I will tell you the focus is shifting. People are increasingly worried about their identity being stolen. They’re aware of data breaches. People worry about the resilience of infrastructure. People are thinking about these things a lot more and when it’s at the forefront at a national level, from policy issued by the White House, I think it’s a very positive focus.
