What the New National Cyber Strategy Means for Florida
The White House released its National Cybersecurity Strategy on 2 March 2023, announcing its goals and priorities for protecting cyberspace and information technologies. The strategy will guide federal departments’ and agencies’ protection of U.S. cybersecurity interests. The strategy also addresses other audiences, to include Congress, state and local governments, and the private sector.
These changes in strategy will impact Florida substantially. Between our state’s tourism industry, ports, other critical infrastructure, space industry, defense industrial base, and the technologies supporting them, the strategy’s implementation should be followed closely by government and private network operators, many of whom should seek to become involved with the federal government’s implementation process.
The strategy is outlined in five pillars: Defend Critical Infrastructure, Disrupt & Dismantle Threat Actors, Shape Market Forces to Drive Security & Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. Florida will be impacted primarily by the first three. The most significant strategic goals are shifting liability for cybersecurity failures to the organizations most likely to prevent them and a redefined relationship between government and private entities for national cyber defense.
Regarding shifting cybersecurity accountability, the strategy “ask[s] more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient.” This could include organizations such as internet service providers, cloud providers, and software developers. Disavowing liability through licensing or contractual agreements has led to a rush to market at the expense of security.
If implemented, Florida’s information technology industries will need to increase security investment and efforts, possibly delaying product delivery. The strategy acknowledges, however, that no product can be made completely secure, and that technology development will be affected by liability changes: “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers….”
How the duty of care is established will affect Florida’s businesses, to include the size and management of cybersecurity budgets and the potential for post-breach litigation by employees, customers, and third-party vendors. A business’s valuation may be impacted by these factors, a few for better, many for worse. Businesses should take note of the strategy’s invitation to participate in “[a] collaborative process between industry and regulators [which] will produce regulatory requirements that are operationally and commercially viable….” Florida’s organizations should accept this invitation.
The call to redefine the government/private sector cybersecurity relationship is an overdue acknowledgment that most of the U.S.’s capacity to defend cyberspace is in the private sector’s control. Unlike conflicts where only militaries have the tools necessary to compete effectively, and civilians are often absent from contested areas, private sector cybersecurity professionals constantly face the world’s most capable and sophisticated threat actors. Nation-state hackers have targeted civilian cyber assets for information gathering, influence campaigns, operational interference, and even destruction. The strategy notes that “[t]he private sector has growing visibility into adversary activity.” Because of constitutional protections, private sector visibility is not only growing, it is often exclusive.
The most capable federal organizations operating in cyberspace have virtually no authority to examine U.S. cyberspace for adversary activity. Those that do may only exercise it under narrow circumstances. General Paul Nakasone, leader of U.S. Cyber Command and the National Security Agency, testified before Congress, “It’s not the fact that we can’t connect the dots. We can’t see all the dots.” The dots the U.S. Government can’t see are often visible to private network operators. Bi-directional information sharing will increase the federal government’s ability to secure cyberspace. More importantly, it will enable the private sector to understand threats and defend networks only they can access.
Florida’s critical infrastructure organizations also will see changes soon. The Cyber Incident Reporting for Critical Infrastructure Act, passed with strong bipartisan support by Congress in 2022, requires covered organizations to report certain incidents to the Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA).
As CISA implements these requirements, affected entities may face additional expenses. However, the strategy acknowledges, “Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity.” Federal officials’ expectations and regulations should be adjusted accordingly. Whatever the additional expense may be, critical infrastructure organizations and the broader American community also stand to gain. Rapidly sharing information will increase the likelihood of successful cybersecurity and law enforcement responses, help the intelligence community learn about the most capable malicious cyber actors, and aid U.S. Cyber Command’s operations to counter them. It will also help affected organizations recover quickly and prevent future incidents.
The strategy also seeks collaborative solutions for Florida’s academic, public, and private sector cybersecurity challenges—an area where Cyber Florida has already made significant progress on several fronts. Research and development efforts “to advance cybersecurity and resilience in areas such as artificial intelligence, operational technologies and industrial control systems, cloud infrastructure, telecommunications, encryption, system transparency, and data analytics used in critical infrastructure” will be pursued through partnerships with academic institutions, manufacturers, technology companies, and federal and state governments. Additionally, a workforce and education initiative will recruit and train qualified cybersecurity experts to sustain the U.S. economy’s reliance on information technology. With reports that Florida has over nearly 40,000 unfilled cybersecurity positions (Cyberseek.org), this effort is an essential building block to the state’s safety.
Given the Florida private sector’s enormous national security contributions, the Defense Industrial Base and other government contractors should know the cybersecurity requirements of agencies they do business with. The U.S. government “… will use Federal purchasing power and grant-making to incentivize security.” Government contractors will be accountable for their contractual commitments, and cybersecurity performance may be a critical aspect of future contract award evaluations.
It is important to note that the strategy is a statement of intent and policy, not obligation. It creates no legal or regulatory requirements on its own. Requirements will need to be implemented through federal legislation or regulation, which are being pursued because, as the strategy asserts, “market forces alone have not been enough to drive broad adoption of best practices.” Regulations will take time to develop, and passing new statutes is never guaranteed. Nevertheless, Florida’s state, local, and private sector interests will be affected immediately based on changes in federal practice.
The strategy seeks to place new responsibilities on many while recognizing that every network faces different threats and is supported by varying levels of resources. The strategy also offers opportunities to gain additional resources. The risks that come with additional responsibility and rewards that come with additional resources make the strategy’s implementation effort worthy of monitoring. To take full advantage of the strategy’s opportunities and avoid its risks, Florida’s organizations should seek involvement with federal regulatory processes and develop relationships with federal entities and business associations sharing information relevant to their sectors. Cyber Florida is committed to being a partner to and advocate for Florida’s critical infrastructure community throughout this process.
About Cyber Florida
The Florida Center for Cybersecurity, also known as Cyber Florida, was created by the State in 2014 to enable Florida to become a national leader in cybersecurity policy, cybersecurity education, academic and practical research, and community outreach and engagement. Funded by the State and hosted by the University of South Florida, we work with all 12 institutions in Florida’s State University System and other public and private partners to achieve our mission. We work to build pathways that will establish a robust pipeline of future cybersecurity professionals and address our nation’s critical cyber workforce shortage. We enable state-of-the-art research that contributes to our nation’s competitive edge and facilitates the development of local, state, and national policy. We leverage our vast network of experts to make insightful program and policy recommendations at the local, state, and national levels. Lastly, we engage millions of Floridians through awareness campaigns, host events and workshops, and provide resources to help protect those populations and organizations most vulnerable to cybercrime.
About the Author
Kurt Sanger retired from the U.S. Marine Corps after more than 23 years as a criminal defense counsel and prosecutor, advisor to the Afghan National Army, and international law instructor. From 2014 to 2022, Kurt served as an attorney for U.S. Cyber Command, finishing as the Command’s Deputy General Counsel. He is the Founder and Director of Integrated Cybersecurity Partners, LLC, an information technology and national security consultancy, and is a non-resident Senior Associate with the Center for Strategic and International Studies, a Washington, DC, think tank. Kurt joined Cyber Florida as an advisor in January 2023.