A good strategy has three major components: a description of the goals you are trying to achieve, an explanation of how you are going to achieve those goals, and what things look like when your strategy is working, or a definition of “success.”
As fine a piece of work as the new National Cybersecurity Strategy is, and it is a substantial and well-produced piece of work, its hand-wavy definitions of success are a shortcoming that threatens to render all this good work moot.
On the plus side, there are signs of very insightful and creative thinking at play with talk of realigning, reshaping and re-balancing incentives, shaping market forces, grants, and an insurance backstop. This is the first meaningful sign that we may have left the ‘thoughts and prayers’ approach to cybersecurity of the last few decades behind.
But because we have no accurate understanding of where we are – besides “everything is terrible” – we have no real way of measuring success. Those of you who are familiar with the federal bureaucracy will no doubt be saying to yourself, “that tracks,” but this is not an academic exercise. Our relationship with technology has never been more intimate and it is only getting more so. All those wolf-at-the-door scenarios that never came true (and I’m as guilty as the next for playing the role of shepherd boy at times), it is worth noting that eventually the wolf shows up, and from a malice and hazard perspective, now is perfect timing.
Others are addressing different parts of the strategy (and the strategy writ large) but I’d like to focus on one particular goal in which I have a modest amount of (public) experience: “disrupting transnational criminals and other malicious cyber actors” (page 29). What does ‘disrupt’ mean? There is no number or dollar figure attached to this goal. Is a doubling of the handful of botnets we take down in a year considered a ‘win?’ Indictments? Instead of that one guy we happen to arrest every blue moon we arrest two?
“A <INT>% reduction in illicit income from internet-based schemes perpetrated by transnational criminal groups” would be a more meaningful way to frame things, but that would require accurate, reliable data upon which to measure progress. We kind of have the opposite of that. The strategy’s Implementation section indicates the authors appreciate this dilemma. But assembling and making useful the volume and type of data needed is going to be problematic. Even if we could get our hands on the data we needed, there is no one to collect, normalize, clean up, and make it usable. Such an entity has been proposed but its status is currently unknown.
Regardless of what goal in this strategy you’re keen on, it is the status of the operational components required to realize the strategy that will allow us to suss out how well it is going to work. We might not know for years what actions may result from the implementation of this strategy, but we’ll know we can impose costs at the proper scale if we observe the building blocks required for success being cut and set. Actions may be classified, but everything that enables action is observable.
Allow me to reiterate: this is as sound a piece of policy work related to cybersecurity as I have ever seen, and I’ve been doing this since you were wearing Garanimals. But if the necessary institutions, relationships, and capabilities are not in place, and follow-on work does not clearly define success in quantifiable terms, this has been another exercise in “doing what we know how to do” versus something that might make a difference.