The new National Security Strategy (NSS) was released recently, and it is quite unlike its predecessor. Instead of promoting a Hobbesian view of humanity, where conflict and scarce resources are the prevailing reality, the NSS has a more idealistic and hopeful vision of cooperation for the common good. The strategy certainly acknowledges that self-interest remains a powerful force within international relations, and it embraces a somewhat binary construct of cooperation and competition. It also advocates for a “carrot-and-stick” approach: play ball with the United States and receive the mutual benefits of doing so; oppose the United States and suffer the consequences of not doing so.
The current administration seeks to “avoid the temptation to see the world solely through the prism of strategic competition” and instead work “to engage countries on their own terms” and within a more collegial atmosphere in its efforts to “pursue an affirmative agenda to advance peace and security and to promote prosperity” across the globe. More specifically, it desires to cooperate with nations that share the US vision and values and is willing to engage “with any country, including our geopolitical rivals, that is willing to work constructively with us to address shared challenges” while also “reinforcing and building new ties based on shared interests.”
The core goal of the NSS is to avoid conflict, which has a particularly intriguing impact on cybersecurity.
When this type of engagement is not possible, the United States is prepared to compete with those powers that offer a different and “darker vision” (e.g., “from powers that layer authoritarian governance with a revisionist foreign policy” whose “behavior that poses a challenge to international peace and stability”). While the Biden administration aims to thwart the efforts of states that constrain our policy options and those of our allies and partners, the intention is to manage such competition responsibly. In other words, the core goal of the NSS is avoiding conflict, a new Cold War, and/or having the world separate into “rigid blocs” between/among/within which cooperation is more challenging. This construct, and the overall approach in this NSS, has a particularly intriguing impact on cybersecurity.
THE “SHARED CHALLENGE”
The new NSS characterizes cybersecurity as one of the world’s “shared challenges” — described as “transnational challenges that do not respect borders and affect all nations.” The rhetoric of the NSS indicates that cooperation is a more effective way of addressing shared challenges, but it is also realistic in understanding that such efforts will require and involve competitive measures.
Concerning cyber, and based upon the premises that “information must be allowed to flow freely” in open societies like the United States and that many/most nations share a common interest in “strengthening norms that mitigate cyber threats and enhance stability in cyberspace,” the NSS expresses the Biden administration’s desire to broadly safeguard the United States’ shared military-technological edge, especially in the cyber realm. For example, in terms of cyber cooperation, the NSS identifies that the United States is working with allies and partners to build collective capabilities to deter cyber attacks from state and non-state actors and respond to attacks effectively while improving its overall level of “cyber resilience.” Many of these efforts are highly technical in nature, made possible by a collaborative approach based on cooperation and mutual trust.
With respect to cyber competition, the United States also pledges to “respond decisively with all appropriate tools of national power to hostile acts in cyberspace, including those that disrupt or degrade vital national functions or critical infrastructure.” More specifically related to criminal cyber activity, the United States has created innovative partnerships “to expand law enforcement cooperation, deny sanctuary to cyber criminals and counter illicit use of cryptocurrency to launder the proceeds of cybercrime.” For example, the United States is enhancing its ability to detect cyber attacks from a myriad of actors and will continue to support the UN General Assembly-endorsed framework of responsible state behavior in cyberspace, which recognizes that international law applies online.
Characterizing portions of cyber activity as a part of its efforts to modernize and adapt its “tools of Statecraft” for today’s challenges, the NSS is even more specific in its intention of strengthening the Department of Homeland Security’s (DHS) Cybersecurity Service, by reimagining how the department “hires, develops, and retains top-tier and diverse cyber talent.” The department determined several years ago that the evolving threat landscape with respect to cyber required a departure from traditional government hiring tools to enable it to better compete for cybersecurity professionals, fill its mission-critical vacancies, and remain agile enough to meet the demands of its critical cybersecurity mission.
Even though the NSS was delayed due to Russia’s invasion of Ukraine, its implementation had already begun in cybersecurity.
Launched in November 2021, DHS’s new Cybersecurity Talent Management System is designed to facilitate achieving this objective by screening applicants based on demonstrated competencies, competitively compensating employees, and reducing the time it takes to make its hires. Individuals hired through this system will join the new DHS Cybersecurity Service, charged with the responsibility of increasing cyber resilience (i.e., the ability to withstand cyber attacks) nationwide and protecting US critical infrastructure and the American people from cybersecurity threats.
These measures appear to prioritize cybersecurity and align with the overall effort to achieve its Four-Point Vision for a free, open, prosperous, and secure international order. In this vision, “free” allows people to enjoy their basic, universal rights and freedoms. “Open” refers to allowing nations with a democratic system of communication to shape the rules. “Prosperous” empowers all nations to continually raise the standard of living for their citizens, and “secure” means free from aggression, coercion, and intimidation.
Even though the NSS was delayed due to Russia’s invasion of Ukraine, its implementation had already begun in cybersecurity. For example, Executive Order 14028 on Improving the Nation’s Cybersecurity in January 2022 requires government agencies to shift to a “zero-trust paradigm.” A zero-trust paradigm is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data, embracing a stronger, more coordinated, whole-of-government approach to cybersecurity risk management. This policy will help agencies and leaders advance a common security baseline across the federal government. Pursuing a type of federal zero-trust security network domestically that could lead to some type of zero-trust security alliance network that incorporates a universal standard of authentication for all network users is a type of cooperative measure that would also create additional incentives for cooperation to be included in such a network.
A GLARING OMISSION?
Despite addressing cyber fairly comprehensively, especially when compared to the NSS’ of the last two decades, it is notable that this strategy omits mention of cyber from its emphasis on protecting other domains, including sea, air, and space. The United States has recently adopted a warfighting approach it calls Joint All-Domain Operations. This approach is intended to integrate, synchronize, and synergize actions in the five recognized domains of conflict — land, sea/maritime, air, space, and cyberspace — to provide a more complete intelligence picture and understanding of the battlespace that will provide warfighters reliable information, empowering them to make decisions more rapidly. Along with how the NSS characterizes the threats posed to the United States by state and non-state actors in cyberspace, the omission of cyberspace in this regard is quite puzzling. It is also unclear why cyberspace was not included explicitly, but perhaps the reasons may become more evident as this administration implements the NSS.
The cooperative approach conveyed in the Biden administration’s NSS is also reflected in the recently released National Defense Strategy’s “Integrated Deterrence.” Integrated Deterrence is defined as “working seamlessly across warfighting domains, theaters, the spectrum of conflict, all instruments of US national power, and our network of alliances and partnerships.” One expects to also see this approach reflected in the forthcoming National Cyber Strategy.
While certainly a very different approach from previous strategies, research on the cooperation-and-competition dynamic suggests that such an approach can only expect to sustain the status quo at best and is more likely to exacerbate existing tensions. Yet, this is precisely what the Biden administration is seeking to avoid. It will need to play out a bit before the true implications of this approach become apparent, but forewarned is forearmed.
Kelly C. Jordan is a retired US Army lieutenant colonel and is currently a full-time professor of military studies and national security studies at American Military University, where he also stewards the Military Studies program.