A Federal Cybersecurity Primer

National Security as a Shared Responsibility
Blog Post
July 13, 2023

For most of us, national security is an abstract idea: perhaps something to worry about, but not something that directly involves us.

Technology tells us otherwise. From a national security perspective, technology is not simply a tool or a product, but a possible vulnerability. The great opportunities — and great threats — of highly networked technologies are no longer limited to military drone systems or corporate-level cybersecurity; they are present in Gmail inboxes, where employees must discern phishing scams from legitimate emails. They are the purview of students in classrooms learning to distinguish facts from misinformation and users in under-resourced communities just now getting broadband access. The stakes of digital literacy are high. In a sense, everyone now plays a role in national security.

Public interest technologists — researchers, educators, students, advocates, entrepreneurs, and more — operate at many different layers of technology to make its design, deployment, and governance work in the public interest. PIT practitioners use technologies that already exist, flawed as they are, to envision and create a future in which technology serves people and communities, not the other way around. These goals are aligned with those of cybersecurity: to secure the digital environment, allowing individuals and communities to pursue their highest potential. The tools we leverage are built on a complex network of hardware, software, and code, and it’s important to understand the policy and regulations that govern these building blocks.

With that in mind, here’s what you need to know about recent developments in federal cybersecurity policy.

Two Major Shifts in Cyber Policy Strategy

The National Cybersecurity Strategy, released in March 2023, lays out a road map for how the Biden administration aims to build a digital ecosystem that is “defensible, resilient, and aligned with [U.S.] values.” It outlines two shifts in roles and responsibilities, both of which align with core values of PIT.

The first shift, recognizing that everyone who engages in the digital ecosystem has a part to play in defending it, is that cross-sector collaboration is crucial. Creating lasting and equitable cybersecurity requires expertise from all domains and all communities.

The second shift involves reshaping incentives to prioritize investment in both short- and long-term cybersecurity resilience and defense. Practically speaking, we must defend the cybersecurity systems that we currently have while laying groundwork for the future. This encompasses such activities as investing in the semiconductor supply chain and incentivizing the market to create products that are secure by design.

In addition, the forthcoming Cybersecurity Workforce Strategy will aim to strengthen the cybersecurity talent pipeline, while upskilling federal workers to better defend critical infrastructure against cyberattacks. We cannot sustainably secure and defend cyberspace in the absence of a vision to address the existing cyber workforce gap (in 2022–2023, over 660,000 cybersecurity jobs in the U.S. were unfilled). Universities, as well as apprenticeships and other training programs, are naturally positioned to foster a new generation of public interest cybersecurity experts who are both proficient in emerging technologies and able to think critically about the societal impact of the technologies they develop.

Who Will Implement the Strategy?

The Office of the National Cyber Director (ONCD) is the principal office advising the White House on cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) is tasked with defending and securing critical infrastructure, such as the energy or medical sector, through capacity building, public-private partnerships, and advisories. The National Initiative for Cybersecurity Education (NICE) coordinates the cybersecurity workforce ecosystem and sets education and professional standards for cybersecurity professionals.

In combination, these offices operationalize the security of our digital ecosystem by projecting and planning for the challenges ahead, ensuring that critical infrastructure withstands cyberattacks, and preparing the cyber workforce to meet the risks of the future. These agencies benefit from feedback from PIT practitioners, both as consumers of technology and as advocates for its positive impact on society. To share your expertise, it’s important to leverage opportunities such as requests for public comments or official visits to your universities.

Both CISA and NICE have adopted a posture of regular public engagement. CISA has 10 regional offices and often, by request, sends representatives to speak on a variety of topics for public and private organizations. NICE, which created the standards and categorizations of cybersecurity roles, regularly solicits public comments to update its framework. Its latest request is on the NICE website.

Cyber Policy Priorities in 2023

Understanding the concerns and priorities of policymakers can help PIT practitioners build relationships and coalitions. Here’s what’s on the policymaker agenda.

At the top is the challenge of how to govern data: not only the processes and technicalities of how to secure user data, but also the geopolitical dimensions of data sovereignty, as illustrated by U.S. security concerns with the Chinese-owned social media platform TikTok. California’s Proposition 24 and the Colorado Privacy Act are state-level attempts to provide more transparency to consumers about how their data is being utilized, require businesses to disclose data usage, and limit collection of customer information. As of this writing, data privacy is governed by several piecemeal federal laws, but the proposed American Data Privacy and Protection Act would be the most comprehensive data privacy policy at the federal level.

Another challenge is how to regulate generative AI and other emerging technologies. The Biden administration published the Blueprint for an AI Bill of Rights in 2022 before the release of ChatGPT, signaling that the federal government has been considering the risks and rewards of automated technologies for some time. Congressional testimonies in the House and Senate and White House meetings in June and July reflect this urgency. But it’s not just AI: quantum computing and AR/VR are likely to grow, and cybersecurity experts and technologists need to work to understand how to protect the human interest within these technologies as well as the new vulnerabilities they create in national security.

PIT & Cyber Policy as Natural Allies

Too often, efforts to regulate technology happen only after it has done irreversible damage. Public interest technology is not just about top-down regulation. It is about questioning who designs the product, what rules are written in the code, and how user data is secured. It is, in other words, implicated in national security. The bridges we build — or neglect to build — between PIT practitioners and policymakers will determine whether public interest technology trickles up into federal cybersecurity policy.

While technical and policy expertise remain important, national security is too all-encompassing and too important to remain exclusive to those experts. In our digitally networked world, national security is a shared responsibility. That is the challenge, and the opportunity.

Bridget Chan (she/her) is the program manager for #SharetheMicinCyber at New America, where she works to elevate the perspectives of a new, diverse generation of cybersecurity leaders. Prior to joining New America, Chan served as a program and management analyst intern at the U.S. Government Accountability Office and worked at ORS Impact, a consulting firm in Seattle specializing in impact monitoring and evaluation and strategic planning.