The Biden Administration’s National Cybersecurity Strategy: Opportunities and Challenges

Executive Summary

---

The Biden administration’s National Cybersecurity Strategy (NCS), published in March 2023, outlines how the White House plans on defending America’s digital ecosystem from malicious threat actors. The document, which has been rightly praised for its transformative agenda and ambitious vision, defines several key priorities for shaping a global cyber landscape that is more resilient and secure:

• Promoting multi-stakeholder cooperation with the private sector, international partners, and civil society organizations
   

• Modernizing legacy systems and transitioning to zero-trust architecture (ZTA)
   

• Investing in critical and emerging technologies and revitalizing America’s cyber workforce
   

• Crafting cybersecurity regulations and shifting liability for vulnerable software while minimizing the impact on market dynamics
   

• Embracing an offensive approach to foreign cyber operations by augmenting disruption campaigns against adversaries and malicious actors

Nonetheless, the Biden administration will face several obstacles and challenges while putting its plan into action, namely:

• Navigating implementation barriers, budgetary restrictions, and political gridlock
   

• Protecting personal data and establishing interoperable data transfer frameworks with global partners without imposing major compliance costs on technology companies
   

• Addressing deficiencies in critical infrastructure operational technology and difficulties in adopting ZTA
   

• Emphasizing manufacturing, not just innovation, to secure American leadership in next-generation technologies
   

• Harmonizing regulations across critical infrastructure sectors and carefully designing regulatory frameworks and liability regimes
   

• Reconciling an offensive cyber posture with a commitment to promote and uphold norms of responsible state behavior for cyberspace
   

• Ensuring that U.S. cyber strategy does not neglect the dangers posed by non-state actors and proxy groups
   

• Promoting a values-driven digital ecosystem and countering the model of cyber-sovereignty without sidelining key non-democratic cyber and technological partners
   

• Expanding digital trade and commerce, increasing investments in digital infrastructure development, and integrating cyber diplomacy effectively with other instruments of statecraft

To address the growing threats in the digital domain and successfully executive the NCS’s objectives, the Biden administration will need to overcome these obstacles by devising flexible, sustainable, and realistic policies at home and establishing robust cyber coalitions and trade frameworks with allies and partners abroad.

 

Introduction

---

In March 2023, the Biden administration published its National Cybersecurity Strategy (NCS),¹ which outlines how the executive branch will take on the proliferating threats facing the American digital landscape. The strategy, which consists of five pillars — Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals — has been widely praised² for its embrace of an aggressive posture in cyberspace, calls for more regulations across critical infrastructure sectors, and advocacy for software liability reform.³ Others, however, are skeptical⁴ that its ambitions are achievable given the controversy over, and anticipated pushback against, some of its proposals and other implementation challenges.

Indeed, while the NCS is bold, expansive, and imaginative, it does leave many unanswered questions regarding the specific steps the administration will take to realize its vision for cyberspace. Though the July 2023 Implementation Plan⁵ names specific initiatives for each pillar and assigns a federal agency⁶ to lead and complete each of them by a target date, the White House still seems to have overlooked some critical issues — relating to data privacy and protection, migration to zero-trust architecture (ZTA), and digital infrastructure investment in the developing world, just to name a few — that it will need to address to foster a resilient digital ecosystem at home and abroad. The Biden administration also appears to be prone to repeating the same mistakes in the cyber domain that it has made in its overarching foreign policy.⁷

Thus, for the strategy’s promising and ambitious agenda to succeed, the Biden administration will need to be more nuanced and realistic about how it will pursue the objectives it has laid out. The White House also must start accounting for other ambiguities and gray areas that both the NCS and Implementation Plan have either de-emphasized or omitted altogether. Finally, to secure American interests in international cyberspace, Washington needs to incorporate its technology initiatives⁸ effectively into its broader foreign policy frameworks⁹ and reconsider some of its approaches to cyber diplomacy.
 

 

What the National Cybersecurity Strategy Gets Right

---

To its credit, the National Cybersecurity Strategy highlights numerous important security priorities for Washington to tackle in the digital arena. Many of these efforts will build upon and complement President Joe Biden’s previous executive orders¹⁰ and directives,¹¹ as well as policies and frameworks¹² that were established under the Trump and Obama administrations.

A Multistakeholder Model for Cooperation with the Private Sector and International Partners

Firstly, the document rightly underscores the significance of collaboration for achieving its goals. At the domestic level, this entails integrating federal cybersecurity centers and disruption campaigns as well as expanding defense and security coordination and intelligence sharing between the public and private sectors. This latter objective will be facilitated by the Cybersecurity and Infrastructure Security Agency (CISA)¹³ and other sector-specific entities such as Sector Risk Management Agencies (SRMAs) and Information Sharing Analysis Organizations and Centers (ISAOs and ISACs). Given that leading technology companies own and maintain much of the infrastructure¹⁴ upon which computer networks around the world are built, these public and private sector synergies will be crucial for gaining invaluable insights into adversarial activity in cyberspace.

On the global stage, the White House seeks to strengthen ties with its partners around the world and leverage international institutions to confront America’s foreign adversaries, safeguard global digital commerce and supply chains, and enforce norms of responsible state behavior in cyberspace. The Biden administration also lists civil society organizations, nonprofits,¹⁵ and local and regional entities as key partners in the fight against malicious cyber activity, reaffirming Washington’s commitment to promoting a multistakeholder model of Internet governance.¹⁶

Transitioning from Legacy Systems to Zero-Trust Architecture and Investing in Critical and Emerging Technologies

Modernizing federal software and equipment and upgrading security architectures are other noteworthy goals set forth by the NCS. Building off of Executive Order 14028,¹⁷ Memorandum 22-09,¹⁸ and recommendations by the National Institute of Standards and Technology (NIST),¹⁹ the Biden administration will work to expedite the federal government’s shift²⁰ toward ZTA — security models in which no user or communication within a network is trusted, and access permissions are restricted to the “least privileges”²¹ necessary to perform a given function. The administration will also assist federal agencies with replacing legacy systems and migrating on-premises workloads to the cloud.

Relatedly, the strategy appreciates that boosting R&D investments in cybersecurity, artificial intelligence (AI) (also emphasized in President Joe Biden’s recent executive order²² on the safe and secure development of AI), quantum computing, green energy, and biotechnology, along with fostering a stronger and more versatile cyber workforce,²³ will be vital for nurturing cybersecurity expertise and preserving American global leadership in critical technologies.

Issuing Cybersecurity Regulations and Shifting Liability for Insecure Software

Perhaps the most significant difference between the NCS and the strategies of previous administrations is the unprecedented role that it designates for the federal government to play in the software market. Stressing that voluntary adhesion to critical infrastructure cybersecurity has yielded inconsistent and unsatisfactory outcomes,²⁴ the document instead advocates sector-specific, modern, and nimble regulatory frameworks that establish minimum expected cybersecurity best-practices and mandates but also take into account the cost of implementation to help level the playing field. To alleviate the private sector of potential burdens, reduce duplication, and avoid obstructing digital trade flows, regulators are expected to harmonize and streamline new and existing regulations. If federal agencies lack the authority to enforce certain requirements, Congress is expected to help bridge this gap.

Shifting liability from end-users and open-source developers onto the private sector is the other major component of the administration’s ambition to realign incentives and shape market forces to drive security. Here, the strategy astutely observes that markets currently fail to hold software vendors accountable²⁵ when they maximize short-term profit at the expense of investing in security and overlook basic precautions²⁶ to prevent malicious users from infiltrating their networks. To shift the consequences of cybersecurity malpractice onto the entities “most capable of taking action to prevent bad outcomes,” the White House plans to work with Congress to design and enact legislation that would make it illegal for companies to fully disclaim liability by contract. The strategy also aims to encourage coordinated vulnerability disclosures and the generation of a Software Bill of Materials (SBOM).²⁷

Unsurprisingly, these declarations have ignited controversy among cybersecurity analysts and industry professionals, many of whom have warned²⁸ that government involvement — particularly in the highly complex and rapidly evolving software ecosystem — could lead to all sorts of unintended consequences and potentially stifle technological innovation. Critics are certainly correct that poorly designed regulatory frameworks and liability regimes could yield disastrous outcomes, and that determining accountability in cases where blame and root causes are difficult to pinpoint could be very problematic.

Nonetheless, the administration seems to have accounted for many of these concerns, even if it hasn’t provided definitive answers for all of them. Pillar Three, for example, repeatedly stresses that Washington will strive to encourage vendors to prioritize the security of their products without undermining or diminishing the role of the market. The centrality of cooperation with the private sector and multistakeholderism to numerous NCS objectives, as well as the White House’s appreciation of the private sector’s unmatched talent pool and resources, seem to affirm that the Biden administration is wary of encumbering the industry with heavy-handed policies. It’s also worth noting that the lack of specificity regarding implementation — while troubling in other respects — gives the administration some flexibility in adapting to emerging trends in the cybersecurity landscape.

The strategy also acknowledges that code vulnerabilities and errors are unavoidable even if enterprises diligently follow cyber-hygiene protocols. Through a safe harbor framework, the administration intends to shield companies that abide by best practices, such as the NIST Secure Software Development Framework,²⁹ from liability — only enterprises that fail to adhere to these standards and knowingly distribute vulnerable software will be held accountable. Moreover, the administration will leverage federal grants programs to create positive incentives for organizations to invest in secure-by-design software as opposed to solely relying on punishments to prod companies to bolster the security of their products and services.

Overall, there is widespread consensus³⁰ among policymakers and cybersecurity experts that despite the potential risks involved in legislating the technology industry, the status quo is unsustainable — change is both inevitable and necessary. Though some executives may decry these efforts, many have become more receptive³¹ to cyber regulation in the aftermath of the Russo-Ukrainian war and the SolarWinds and Colonial Pipelines incidents, and the strategy’s inclusion of safe harbors has made companies even more amenable to these proposals.³² Many firms have also joined forces in campaigns like the Cybersecurity Tech Accord³³ to assist each other on their journey to enhanced software security.

The Best Defense Is a Good Offense

The Biden administration is not just focused on ramping up defenses — a salient aspect of its vision is an aggressive U.S. posture in cyberspace. In 2018, the Trump administration freed³⁴ the military of several restraints to pursue offensive cyber operations, and U.S. Cyber Command (CYBERCOM)³⁵ started proactively monitoring digital space and disrupting malicious actors overseas before they could attack U.S. networks. The 2023 NCS will take the “defend forward” and “persistent-engagement”³⁶ approaches even further by increasing “the volume and speed of these integrated disruption campaigns” and leveraging joint task forces³⁷ to conduct cyber operations against adversaries abroad (with an appropriate³⁸ emphasis on ransomware groups³⁹ in particular, as can be seen by the recent expansion⁴⁰ of the International Counter Ransomware Initiative [CRI]). Moreover, by pleading to use “all instruments of national power” to neutralize digital adversaries, the White House recognizes the importance of integrating⁴¹ cyber capabilities with conventional modes of deterrence and warfare. The Pentagon reaffirms these concepts and articulates its planned use of integrated deterrence in its summary of its 2023 Cyber Strategy⁴² as well.

While the nature of the offense-defense balance⁴³ in cyberspace and the coercive potential⁴⁴ of cyber operations remain disputed, offensive campaigns have proven to be valuable in particular scenarios⁴⁵ and conditions, whereas purely defensive measures (like deterrence by denial) have often shown to be ineffective, given the impracticality of completely eliminating vulnerabilities from highly complex networks and systems. Moreover, Washington’s passivity⁴⁶ in earlier instances, such as after Russia’s devastating cyberattacks on Ukraine’s electrical grid in 2015, eventually came back to bite it.⁴⁷ In contrast, the Trump administration’s preemptive disruption of hostile networks and willingness to expose adversaries publicly⁴⁸ proved to be more effective in deterring⁴⁹ foreign attacks on U.S. digital infrastructure (though the NCS itself, in line with recommendations from experts,⁵⁰ opts for the phrase “resilience” over “deterrence”).

However, despite these steps in the right direction, the Biden administration will still face several obstacles while putting its plan into action.
 

 

Challenges and Recommendations for the Road Ahead

---

Implementation Barriers

As many observers have noted,⁵¹ the White House should expect to encounter numerous challenges as it embarks on its ambitious and revolutionary agenda. The administration has sought to address these concerns by revealing its Implementation Plan,⁵² which defines a (somewhat) more actionable list of initiatives — some of which are already in progress or have been completed ahead of schedule⁵³ — and commits to revisiting and updating these milestones annually. As announced by Chris DeRusha, a senior White House cybersecurity adviser, in November 2023, the Biden administration is already working on a “version 2.0”⁵⁴ of the Implementation Plan. Additionally, the subsequent confirmation of Harry Coker, who has affirmed his commitment to the NCS and Implementation Plan, as the new national cyber director⁵⁵ is an encouraging development in terms of the strategy actually being put into action.

Nonetheless, the plan still does not fully clarify how the administration will tackle some of the NCS’s most difficult goals. Several objectives’ timelines even seem to have been pushed farther out into 2025, which calls into question the feasibility of many of the Biden administration’s aspirations. Many other key issues have also been omitted. For instance, aside from tasking the Department of Commerce with publishing a Notice of Proposed Rulemaking with cybersecurity standards, procedures, and requirements for Infrastructure-as-a-Service (IaaS) providers, the plan neglects cloud security,⁵⁶ an especially important subject given the centrality of cloud computing to IT modernization both for the federal government and the private sector.

Data Privacy and Protection and International Data Transfers

Data privacy and protection is another topic that receives short shrift in the strategy and the Implementation Plan. Given the inefficiency and complexity of the current “patchwork”⁵⁷ of state-wide privacy laws, the NCS is correct to support legislation “to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information” and “set national requirements to secure personal data consistent with standards and guidelines developed by NIST.” However, the strategy doesn’t specify exactly what these regulations would entail, and the Implementation Plan leaves out the objective to “Hold the stewards of our Data Accountable” altogether.

The administration also overlooks some other risks involved with establishing data privacy requirements. A framework based directly on the oft-cited European Union’s General Data Protection Regulation (GDPR) or the California Consumer Protection Act (CCPA) could impose major compliance costs⁵⁸ on technology companies, restrict productivity, and curtail innovation. Washington should avoid these pitfalls while also setting a baseline set of targeted privacy principles that is interoperable with the GDPR⁵⁹ and assuages EU citizens’ unease about U.S. law enforcement’s access to their data. In exchange, Brussels should drop some of its data localization requirements⁶⁰ that are currently impeding transatlantic data flows.

Unfortunately, meaningful progress on this front seems elusive in light of recent events. Previously, the Court of Justice of the European Union (CJEU) invalidated the former U.S.-EU Safe Harbor⁶¹ and the Privacy Shield⁶² agreements in the Schrems I⁶³ (2015) and Schrems II⁶⁴ (2020) decisions, respectively, on the grounds that the two frameworks didn’t sufficiently protect EU citizens’ data from U.S. government surveillance. Based on these complaints, President Biden signed an executive order⁶⁵ in October 2022 that limits U.S. law enforcement and intelligence collection agencies’ access to and use of personal data for American and EU citizens, and also allows individuals in the EU to challenge how these agencies use their data through an independent Data Protection Review Court within the Department of Justice.

Earlier in 2023, President Biden fulfilled⁶⁶ all these commitments, and the European Commission’s adequacy decision⁶⁷ in July 2023 to approve the new EU-U.S. Data Privacy Framework⁶⁸ initially seemed to be a hopeful sign that a clear consensus could soon be met on personal data transfers between America and the EU. Nonetheless, privacy groups such as NOYB are determined to challenge⁶⁹ the framework and bring it back to the CJEU, and other data privacy watchdogs and institutions claimed that the new measures still did not go far enough.⁷⁰ Indeed, despite European Commission President Ursula von der Leyen’s praise⁷¹ of Washington for implementing “unprecedented commitments to establish the new framework,” experts⁷² and commentators⁷³ are anticipating and preparing for an upcoming “Schrems III”⁷⁴ case. There’s also the possibility of subsequent U.S. administrations overturning President Biden’s executive order. With no imminent end in sight for these ongoing disputes with a major trading partner, Washington will struggle to boost international digital trade and commerce.

Setting Precedents for Negligence Liability Standards and Safe Harbor Laws

The White House will need to tread carefully when executing the liability regime for cybersecurity as well. Even with a legal safe harbor to limit the scope of undesirable outcomes, the administration must resolve several crucial questions to avoid punishing vendors that have actually incorporated security precautions throughout the software development lifecycle. How should a court of law decide, without being exclusionary or unfair, whether a company took “reasonable precautions” to secure their products? What makes an actor “most capable” of taking action? How will the Civil Cyber-Fraud Initiative (CCFI) determine whether an entity or individual “knowingly” provided deficient products or services? Should negligence liability standards be applied to small and medium-sized businesses that may be under-resourced?

Establishing precedents for these scenarios to ensure that well-intentioned firms are not targeted will take years, if not decades. Companies can also become more risk-averse and start significantly scaling back the functionality of their offerings. Furthermore, the executive branch will need to distance itself from, and push back against, other legislation (not mentioned in the NCS itself) proposed by lawmakers that could impair⁷⁵ technology companies’ ability to invent secure-by-design solutions and discourage them from investing in cybersecurity and encryption research.

Promoting a Vibrant Technology Ecosystem Through Innovation, Manufacturing, and a Strengthened Cyber Workforce

The NCS acknowledges the indispensable roles of both the government and private sector in accelerating investments, achieving breakthroughs, and mitigating cybersecurity risks in existing and next-generation technologies. But safeguarding innovation⁷⁶ alone is not enough. To secure U.S. leadership in critical and emerging technologies, Washington must augment the country’s manufacturing potential⁷⁷ in these sectors as well. The CHIPS and Science Act, Inflation Reduction Act, and Bipartisan Infrastructure Law will serve as important first steps in improving American industrial policy, but without overarching cultural changes⁷⁸ and structural adjustments to recalibrate the nation’s conventional approaches to R&D and manufacturing — for instance, by pressing Silicon Valley to shift its focus back onto ultra-precision manufacturing, nurturing a business environment with favorable tax policies and environmental rules that encourage manufacturing, and reversing the consolidation of the American chip industry — the U.S. tech ecosystem could eventually fall behind those of the country’s primary competitors, namely China.

Relatedly, as the document states, strengthening the American cyber workforce will be crucial for building more secure and resilient systems at home and crafting effective cyber diplomacy abroad. Fortunately, the National Cyber Workforce and Education Strategy⁷⁹ outlines various initiatives to ameliorate talent and staff shortages by promoting computer networking and security expertise, facilitating talent exchanges and joint fellowship programs with international partners, and developing immigration laws that will help retain foreign science, technology, engineering, and mathematics (STEM) students and researchers. That being said, cooperation from Congress (as is currently underway for the creation of a Cyber Workforce Development Institute⁸⁰) will be necessary to enact these policies.
 

 

Budgetary Constraints and Political Obstacles

President Biden’s budget request last March for Fiscal Year (FY) 2024 allocated⁸¹ a notable increase in funds for cybersecurity across federal agencies,⁸² for initiatives ranging from IT modernization to boosting Ukraine’s digital defenses and augmenting digital transformation efforts⁸³ in the developing world. While the prospect of spending more on securing and modernizing federal network infrastructure and scaling public-private partnerships initially raised hopes⁸⁴ among cybersecurity and technology industry leaders that the administration’s priorities could be fulfilled, the Republican Study Committee’s fiscal blueprint⁸⁵ for the Congressional Budget Resolution — which promised to slash overall domestic spending — foreshadowed some major disagreements between Democrats and Republicans in Congress over a beefed up cybersecurity budget.

To be sure, some of the outcomes of the appropriations process have been conducive to the White House’s goals. The National Defense Authorization Act⁸⁶ (NDAA), signed into law⁸⁷ by President Biden on Dec. 22, 2023, contains extensive cybersecurity-related provisions, namely for defense and security-oriented cyber operations like leveraging AI digital assets in cyberspace and bolstering defensive military cybersecurity operations with foreign partners and allies. Other developments, however, were less encouraging. Though House Republicans’ attempt to slash CISA’s funding by 25% in September⁸⁸ was unsuccessful, the House appropriations bill for Homeland Security provides CISA with $2.926 billion — $130 million less than what the Biden administration had requested and, when adjusted for inflation,⁸⁹ amounts to a cut in CISA’s budget since FY23 — and also includes a policy rider to prohibit funding that would go toward countering misinformation. Other disparities⁹⁰ between the House and Senate appropriations bills remain to be resolved, but allocations for several other federal departments and agencies seem vulnerable to falling short of the requested amounts, which risks hindering their IT modernization and security objectives.

The recent conservative backlash against CISA, other federal agencies, and the Biden administration’s cyber-related initiatives in general (including the appointment of Harry Coker as the new White House cyber director⁹¹) stem from a deep distrust of campaigns to combat misinformation on digital platforms,⁹² which some hard-right lawmakers claim infringes upon freedom of speech and unfairly censors conservative voices online. In July 2023, U.S. District Judge Terry Doughty in Louisiana issued an order⁹³ to limit communications between the White House and several government agencies and social media platforms over taking down “content containing protected free speech.” Though the Supreme Court in October temporarily froze⁹⁴ the (narrower) restrictions set⁹⁵ by the U.S. Court of Appeals for the 5th Circuit, the bitter disputes over information integrity,⁹⁶ online content moderation, securing elections, and preventing foreign influence operations are unlikely to be resolved in the foreseeable future.

Unaddressed Vulnerabilities in Critical Infrastructure and Delays in Migration to Zero-Trust Architecture

Other attempts by the Biden administration to secure critical infrastructure have also faced major setbacks, due to political divides and unsettled disagreements over the role of government in protecting privately owned infrastructure. From the very outset of the NCS’s publication, House Republicans have expressed their staunch opposition⁹⁷ to granting the executive branch additional authority to regulate business sectors (or for passing legislation that would impose liability on software companies). More recently, due to opposition from Republican states⁹⁸ and water industry groups, the Environmental Protection Agency (EPA) withdrew⁹⁹ its memorandum¹⁰⁰ from March 2023 requiring states to assess operational technology (OT) for public water systems for cybersecurity risks.

The failure to address these long-standing vulnerabilities in the nation’s water infrastructure¹⁰¹ was exploited¹⁰² after the outbreak of the Israel-Hamas war¹⁰³ by Iranian-backed hackers, who launched a wave of cyberattacks against water facilities in the U.S. that use Israeli-made equipment. Though updates to the Implementation Plan¹⁰⁴ (which was announced as part of a broader discussion about managing risk to critical infrastructure) and the National Cyber Incident Response Plan (NCIRP),¹⁰⁵ a rewrite¹⁰⁶ of Presidential Policy Directive (PPD) 21 to more clearly define the role of government agencies and emphasize a greater role for CISA, and security-related mandates¹⁰⁷ in Biden’s AI executive order will be important steps toward addressing these deficiencies across the water and other critical infrastructure sectors,¹⁰⁸ harmonizing regulations and technical standards for all these sectors and spurring investment in underfunded systems¹⁰⁹ will be enormous tasks that will likely span the course of several administrations.

The ongoing effort to adopt ZTA reveals even more hurdles on the path to a more resilient digital ecosystem. While the federal government has made progress¹¹⁰ toward the mandates laid out in the Office of Management and Budget’s (OMB) ZTA memorandum,¹¹¹ the Department of Defense¹¹² (DoD) and other agencies have encountered major challenges during their migrations to zero-trust frameworks, which has led some observers to question the feasibility of the September 2024 deadline.¹¹³ The barriers¹¹⁴ to federal agencies’ shift away from traditional, perimeter-based defenses include outdated legacy systems, lack of urgency and technical expertise, and structural and organizational inefficiencies. Critical infrastructure owners¹¹⁵ and companies¹¹⁶ in the private sector also face similar problems in their adoption of ZTA. Government and industry leaders must therefore look beyond the technical dimensions of zero-trust security and start emphasizing the cultural and organizational factors involved in successful migrations to ZTA as well. Additionally, both the public and private sectors should treat the transition to zero-trust as a long-term process and be prepared for delays and growing pains along the way.

Managing Cyber-Escalation and Establishing Norms in Cyberspace While Going on the Offensive

As with securing critical infrastructure domestically, combating threat actors abroad will also be a formidable undertaking. In pursuing the aggressive stance outlined in both the NCS and the 2023 Cyber Strategy summary,¹¹⁷ the DoD will need to carefully distinguish between situations and attack types in which offensive maneuvers are appropriate (typically for quick, targeted, and short-lived attacks) and those in which their benefits will be more limited, as opposed to treating the question of the offense-defense balance in cyberspace in a one-size-fits-all manner. Moreover, while both documents acknowledge the threat posed by transnational criminal organizations and non-state actors,¹¹⁸ the growing (and warranted) emphasis on China’s and Russia’s cyber capabilities risks overshadowing the numerous problems¹¹⁹ that proxy groups could also present for U.S. interests. The Pentagon should remain vigilant about non-state entities’ malicious activity in cyberspace and differentiate tactics specifically tailored¹²⁰ to deal with these groups from those designed for established militaries and intelligence services.

Another pain point for the administration could be reconciling a more confrontational cyber doctrine with a commitment to reinforce global norms of responsible state behavior in cyberspace. As it is, setting standards for international cyberspace remains a struggle for the United Nations.¹²¹ Though claims that “norms of behavior aren’t well-established” in the cyber domain aren’t always accurate,¹²² scholars have often pointed out¹²³ that due to some of the digital arena’s unique characteristics (erosion of distance, speed of interaction, low cost, and difficulty of attribution), as well as the relative novelty of the Internet, the process of defining rules for cyberweapons will follow a different trajectory than it did for nuclear or conventional arms, and will likely be an uneven,¹²⁴ uncertain work in progress for several decades.

Russia’s numerous attacks against Ukraine’s critical infrastructure,¹²⁵ interference in U.S. elections, and sponsorship of ransomware gangs — despite having formerly signed off on nonbinding, voluntary UN agreements¹²⁶ eschewing such conduct — are key cases in point of the difficulty of enforcing norms across the digital ecosystem. And though Washington and its overseas partners have made notable strides¹²⁷ in advancing international law in cyberspace, they too have failed to abide by and honor many of these standards consistently. This was evident in Western officials’ overall muted response when their citizens helped “hacktivist” and digital vigilante groups, like Ukraine’s “IT Army,”¹²⁸ launch distributed-denial-of-service (DDoS) attacks against Moscow, even though such operations rest on shaky legal ground.¹²⁹ Similarly, the U.S. has previously stated¹³⁰ that only espionage directed against the private sector should be off-limits, but at times has also tried to rule out breaches like the SolarWinds incident¹³¹ that targeted government and military officials. Neither the NCS nor the Implementation Plan offer suggestions for crafting more enduring and consistent cyber-rules.

A growing reliance on offensive cyber operations risks jeopardizing this already fragile and delicate framework for developing standards for the digital domain. Indeed, fears of cyberwarfare escalating to physical conflict tend to be overblown,¹³² and the Pentagon can clarify that defend forward missions are preemptive measures only directed at hostile actors intending to attack U.S. networks, not unprovoked acts of aggression. But even if such operations won’t lay the groundwork for kinetic warfare, they could still risk inviting similar attacks by overseas actors, such as Iran and North Korea, which can justify their state-sponsored, cyber-enabled campaigns against the West as disruptions of imminent threats to their security,¹³³ whether or not such claims have any credibility.

Given that democracies like the U.S. are highly vulnerable¹³⁴ to cyberattacks and influence operations due to their political openness, protection of individual freedoms, and digital dependencies, Washington needs to prosecute an assertive cyber doctrine while still discouraging and deterring hostile states and proxy groups from launching destructive attacks against the American digital landscape. As suggested by cybersecurity policy expert Jacquelyn Schneider,¹³⁵ one way for CYBERCOM to square this circle would be to explicitly call out what America won’t do in the digital domain — such as attack critical infrastructure overseas — even as it embraces an offensive cyber strategy. Moreover, it’s worth noting that the DoD’s Cyber Strategy summary¹³⁶ does account for the possibility of unintended cyber escalation and reassures that “the Department will remain closely attuned to adversary perceptions.” Nevertheless, some disruptive events are impossible to prevent altogether, and the U.S. must be willing to accept some of the risks involved with expanding its digital capabilities and adopting a more aggressive posture in cyberspace. Hence, investing in resilient civilian and military systems that can withstand such assaults will continue to be a pressing priority for Washington.
 

 

Balancing American Interests and Values in the Digital Domain

Still, the White House’s aspiration to foster a “values-driven development of our digital ecosystem” internationally could face other major hindrances. To advance the liberal and democratic principles embodied in the Declaration for the Future of the Internet (DFI)¹³⁷ and the Freedom Online Coalition,¹³⁸ Washington plans to work with a broad, global coalition of “like-minded states” to counter transnational digital authoritarianism and nurture an “open, free, global, interoperable, reliable, and secure” Internet. Though the Trump administration’s National Cyber Strategy¹³⁹ also frequently underscores the importance of furthering American values in cyberspace, President Biden has been especially emphatic about the role of democracy promotion and human rights in both the digital¹⁴⁰ and physical¹⁴¹ worlds, and on numerous occasions has endorsed a binary foreign policy narrative of a global showdown between democracies and autocracies.

To be sure, the strategy is correct to highlight the threat that autocratic regimes pose to global Internet freedom and how the model of cyber-sovereignty¹⁴² promulgated by Beijing and Moscow erodes Western efforts to advance a multistakeholder framework for governing cyberspace. Likewise, Washington should strive to respect individual freedoms to the greatest extent possible as it works with social media platforms to combat misinformation online, and must treat cybersecurity as a vital component of its mission to restore faith¹⁴³ in democratic institutions at home. But unrealistic expectations of a global digital landscape anchored in U.S. ideals and technological partnerships based predominantly on shared values will easily backfire.

For starters, as can be seen by the numerous¹⁴⁴ and unresolved¹⁴⁵ aforementioned disagreements on data privacy and protection between Washington and Brussels, democracies won’t always see eye-to-eye on issues regarding cybersecurity and Internet governance. America’s priorities also often conflict with those of its “like-minded” partners when it comes to Washington’s technological competition with Beijing — the alarmingly slow progress by EU countries, especially Germany,¹⁴⁶ in excluding Huawei¹⁴⁷ from their 5G networks is a key case in point.

The other serious flaw of this strategic paradigm is that it risks harming technical cooperation with states in the developing world, particularly with illiberal or non-democratic ones. In the Greater Middle East,¹⁴⁸ for example, governments have invested heavily in digitally transforming¹⁴⁹ their societies and shoring up their defenses against proliferating cyber threats.¹⁵⁰ Therefore, it is essential that Washington deepens digital partnerships¹⁵¹ with countries throughout the Middle East and North Africa (MENA) if it wishes to preserve its hegemony in the region. This will entail scaling intelligence-sharing¹⁵² and counterterrorism campaigns, fostering vibrant technology ecosystems and startup scenes¹⁵³ to enable economic growth and diversification,¹⁵⁴ promoting information sharing platforms¹⁵⁵ used to identify ransomware threats, expanding partners’ AI capabilities,¹⁵⁶ countering the Iranian cyberthreat¹⁵⁷ by enhancing cyber cooperation between Israel and the Arab world,¹⁵⁸ and reversing¹⁵⁹ China’s technological advances in the Middle East.¹⁶⁰

Yet many countries in the MENA region are not fully on board with America’s commitment to an open and free online ecosystem. This is also the case for nations in other parts of the world — digital authoritarianism¹⁶¹ has been on the rise globally for over a decade,¹⁶² and even democracies have struggled¹⁶³ to protect civil liberties while simultaneously moderating illegal content and fighting misinformation (as evidenced by the aforementioned polarization¹⁶⁴ over CISA’s work to combat online misinformation) on the web. Nevertheless, many of the states that have seen drastic declines in Internet freedom are ones that Washington will inevitably need to engage with to maintain its technological competitiveness and defend its interests in international cyberspace. As an example, the fact that the CRI¹⁶⁵ consists of several illiberal and non-democratic countries, and will likely be expanded in the future to include even more, illustrates how crucial it is for Washington and other liberal democracies to collaborate effectively with these nations.

This dilemma can also be partly seen in the U.S’s vital partnership with India. The two countries have recently launched¹⁶⁶ numerous joint initiatives¹⁶⁷ on AI, telecommunications and wireless technology, quantum computing, space exploration, semiconductor supply chain resiliency, biotechnology, advanced weaponry, green energy, and talent exchanges. These engagements are expected to have a transformative impact on the strategic picture in the Indo-Pacific as both powers seek to offset Chinese hegemony¹⁶⁸ in the region. But government-initiated Internet shutdowns¹⁶⁹ have also been major points of tension between New Delhi and rights groups based in the West, and India (along with Brazil, another important technology partner¹⁷⁰ for the U.S.) has also not signed onto the DFI.¹⁷¹

This is not to say that the U.S. should abandon its values-driven approach to cyberspace altogether. Initiatives such as the DFI and Freedom Online Coalition will still be useful for galvanizing global support against China and Russia, which have exploited digital tools and AI software to quell dissent and surveil their populations,¹⁷² unfairly privileged¹⁷³ domestic companies over foreign competitors, and interfered¹⁷⁴ in the political affairs of democratic nations. Moreover, cross-border commercial activity is likely to suffer if more states start exerting extensive control of the Internet and enacting restrictive data localization and content-moderation policies.¹⁷⁵

However, Washington should be wary of framing the global cyber coalitions it builds as pacts against digital autocracy and repression, which could alienate potential allies and partners. Such an outcome would not only be inimical to American interests but would also undermine American values by ceding additional ground to Beijing and Moscow and further enabling them to dictate¹⁷⁶ international standards for the online world, export their illiberal visions¹⁷⁷ for cyberspace, and exacerbate¹⁷⁸ the global fragmentation of the Internet.
 

 

A Better Approach: Digital Trade and Cybersecurity Collaboration

Instead, as recommended by Nathaniel Fick, Jami Miscik, Adam Segal, and Cordon M. Goldstein in their Council on Foreign Relations (CFR) Task Force Report on “Confronting Reality in Cyberspace,” the U.S. should emphasize digital trade and commerce, secure and trusted data flows, and national security as the defining characteristics of a global cyber coalition.¹⁷⁹ Drawing in nations with tangible commercial benefits¹⁸⁰ and opportunities to augment offensive and defensive cyber capabilities can broaden these partnerships so that they can serve as effective counterweights to Beijing and Moscow. For instance, offering European nations higher-quality and cheaper 5G technology can help convince them to replace Huawei¹⁸¹ as their provider for mobile network infrastructure. Likewise, given the proliferation of digital trade agreements¹⁸² around the world, the U.S. must come off the sidelines in the global game on digital trade to remain a leading player in the world economy. This is especially true for the Indo-Pacific,¹⁸³ where Washington has been largely absent from meaningful economic and trade engagement — a trend that will likely be exacerbated¹⁸⁴ by a recent decision by the U.S. to drop demands at the World Trade Organization (WTO) to protect cross-border data flows and prohibit data localization mandates. By contrast, China has attempted to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA) — the first digital-only trade agreement open to all members of the WTO.

Washington should launch new digital trade pacts and data transfer arrangements, see through the successful implementation of digital trade chapters in agreements such as the United States-Mexico-Canada Agreement (USMCA),¹⁸⁵ and determine a clear role for Congress in approving and shaping such frameworks. Incorporating digital trade updates to existing free trade agreements is another option, albeit less impactful than creating wider-ranging, digital-only initiatives.¹⁸⁶ Bridging the aforementioned differences in regulatory approaches and localization policies with European and Asian partners will also be necessary for establishing unimpeded and secure global information flows. Furthermore, incorporating cooperation on cybersecurity, as the USMCA does, can serve as an additional incentive for states to join these frameworks.

These strong political and commercial inducements won’t just benefit America economically. With states more willing to forego more localized, protectionist systems to harness the full benefits of digital trade, the Biden administration can leverage these arrangements to gradually incentivize other nations to adopt practices that are more in line with America’s vision of an open, free, secure, and trusted global digital ecosystem. And while full alignment on cyber norms or data protection and localization policies is unlikely, the U.S. and its partners can still find common ground on how citizens’ data should be used, shared, and secured within interoperable frameworks. Additionally, Washington will be presented with ample opportunities (through subtle dialogues, as opposed to public naming and shaming¹⁸⁷) to encourage its allies and partners to use digital tools and emerging technologies more responsibly. One way of doing this is to point out to world leaders and officials that excessive control and moderation of the Internet can hinder their countries’ digital transformations.

Though such a network of alliances would still fall short of a united group of “techno-democracies,”¹⁸⁸ it will nonetheless allow American diplomats and policymakers to play an extensive role in shaping norms and standards on a broad range of economic and security issues in cyberspace. Over the long term, a more holistic and inclusive definition of what it means to be “like-minded” will therefore not only leave the U.S. well-positioned to safeguard its vital interests, but will also enable it to push back against the top-down, closed model of Internet governance espoused by Russia and China.

Investing in Digital Infrastructure Development and Reinvigorating American Cyber Diplomacy

Relatedly, Washington needs to work with its international partners to finance digital infrastructure projects in the developing world. Through the Digital Silk Road (DSR),¹⁸⁹ the technological component of the Belt and Road Initiative (BRI), the Chinese government has invested billions of dollars in building 5G networks, cloud computing platforms, data centers, mobile payment services, AI systems, smart cities, and surveillance technologies for participating countries. This diffusion of Chinese technology throughout Latin America,¹⁹⁰ Africa,¹⁹¹ and the Middle East¹⁹² has presented Beijing with numerous opportunities¹⁹³ to conduct espionage against foreign governments and military facilities, augment its offensive cyber capabilities, promote technical standards that favor its geopolitical and economic interests, and undercut American efforts to establish international cyber norms. Over time, China will likely prioritize¹⁹⁴ the DSR over other traditional BRI projects; hence, it will be paramount that America and its allies fulfill the growing global demand for technology infrastructure.

Though the U.S. has warned the international community of the cybersecurity risks of using Chinese technology and shed light on how DSR-provided software and tools entrench digital authoritarianism, it has struggled to provide developing nations with realistic alternatives. Beijing has heavily subsidized¹⁹⁵ companies like Huawei to undercut foreign competitors and has also provided countries with low-interest loans to use Huawei’s equipment. Washington should expand initiatives such as the International Development Finance Corporation (DFC),¹⁹⁶ Blue Dot Network,¹⁹⁷ USAID Digital Strategy,¹⁹⁸ and the digital components of the Partnership for Global Infrastructure and Investment (PGII)¹⁹⁹ to offer countries low-cost hardware, software, and services to realize their digital connectivity and technological modernization aspirations. Drawing in the private sector into these programs will also be crucial for ensuring their success. While President Biden has allocated funding²⁰⁰ for digital development in his budget proposal, the West’s financial commitment to building technological infrastructure abroad is still well behind Beijing’s investment in the DSR,²⁰¹ and the likely funding cuts²⁰² to the State Department²⁰³ suggest that this trend is unlikely to be reversed anytime soon, expansions of other initiatives notwithstanding. Moreover, the failure of the NCS and Implementation Plan to mention digital infrastructure development as a pressing priority reflects a lack of urgency toward the issue.

Most importantly, the Biden administration needs to understand that technical solutions and advanced cyber capabilities alone are not sufficient for defending American interests in the digital realm. As Dimitri Alperovitch, the co-founder and former CTO of CrowdStrike, has argued,²⁰⁴ countering the Chinese, Russian, Iranian, and North Korean cyberthreats requires addressing them in their wider geopolitical contexts. Additionally, despite important differences²⁰⁵ between the cyber and physical realms, missteps in conventional diplomacy²⁰⁶ will inevitably hinder deterrence of overseas adversaries in the digital domain. Thus, for Washington’s cybersecurity and cyber diplomacy initiatives to succeed, the broader foreign policy framework of which they are part must also be robust and well executed. Similarly, advancing an open, free, global, interoperable, reliable, and secure Internet will entail more than just denouncing the “splinternet”²⁰⁷ and rebuking the model of cyber-sovereignty.²⁰⁸ If American policymakers wish to make the case for online freedom and the unrestricted flow of data to countries around the world, they must wed these with other parallel efforts to rectify and clarify perceived faults with globalization,²⁰⁹ free trade, and democracy²¹⁰ in general.
 

 

Conclusion and Summary

---

The Biden administration’s NCS lays out a bold and transformative agenda for safeguarding America’s digital landscape. Some of these noteworthy undertakings include:

• Promoting multi-stakeholder cooperation with the private sector, international partners, and civil society organizations
   

• Modernizing legacy systems and transitioning to ZTA
   

• Investing in critical and emerging technologies and revitalizing America’s cyber workforce
   

• Crafting cybersecurity regulations and shifting liability for vulnerable software while minimizing the impact on market dynamics
   

• Embracing an offensive approach to foreign cyber operations by augmenting disruption campaigns against adversaries and malicious actors

While many of these objectives build off of ones set forth by Donald Trump²¹¹ and CYBERCOM Director Paul Nakasone,²¹² others — like realigning market incentives to favor secure software design, shifting liability for vulnerable products and services from end-users onto the best-positioned actors in the private sector, and establishing stronger regulatory regimes to enforce cybersecurity requirements — set the White House’s approach apart from that of previous administrations. The document also implicitly acknowledges that cyberattacks against the United States and its allies cannot be completely prevented, and instead outlines steps to nurture a resilient digital ecosystem at home and abroad.

Nonetheless, even after the publication of the Implementation Plan²¹³ and agency-specific strategies,²¹⁴ the Biden administration will still face numerous challenges on the domestic and international stages while striving to achieve its ambitious vision, such as:

• Navigating implementation barriers, budgetary restrictions, and political gridlock
   

• Protecting personal data and establishing interoperable data transfer frameworks with global partners without imposing major compliance costs on technology companies
   

• Addressing deficiencies in critical infrastructure OT and difficulties in adopting ZTA
   

• Emphasizing manufacturing, not just innovation, to secure American leadership in next-generation technologies
   

• Harmonizing regulations across critical infrastructure sectors and carefully designing regulatory frameworks and liability regimes
   

• Reconciling an offensive cyber posture with a commitment to promote and uphold norms of responsible state behavior for cyberspace
   

• Ensuring that U.S. cyber strategy does not neglect the dangers posed by non-state actors and proxy groups
   

• Promoting a values-driven digital ecosystem and countering the model of cyber-sovereignty without sidelining key non-democratic cyber and technology partners
   

• Expanding digital trade and commerce, increasing investments in digital infrastructure development, and integrating cyber diplomacy effectively with other instruments of statecraft

To enhance its competitiveness in today’s digital world, the United States will need to devise effective and sustainable policies for triumphing over these obstacles and confronting the growing threats throughout the global cybersecurity landscape.