Earlier this year, the Biden White House released its National Cybersecurity Strategy policy paper. Although it has some very positive goals, such as encouraging longer-term investments in cybersecurity, it falls short in several key areas. And compared with what is happening in Europe, once again the U.S. is falling behind and failing to get the job done.

The paper does a great job outlining the state of cybersecurity and its many challenges. It focuses on four different policy areas: protecting critical infrastructure, disrupting and removing various threats, remaking and improving defensive security markets, and suggesting future cyber investments. The strategy “recognizes that government must use all tools of national power in a coordinated manner to protect our national security, public safety, and economic prosperity,” says the initial press description.

That is a good start, to be sure. But, as Acting National Cyber Director Kemba Walden said during a discussion with journalists at the RSA Conference last week, “The devil’s in the implementation planning process. The word easy doesn’t show up in our strategy at all.”

One place that is ripe for improvement is with the federal government sprawling procurement system. However, as one law firm suggests, there aren’t any new regulations proposed in the paper that will specifically drive better cybersecurity practices and norms. This sprawl – and the resulting complexity — don’t instill any confidence if we will continue to require the lowest-cost bidder to solve our cybersecurity problems.

Speaking of government sprawl, you might be forgiven if you can’t really keep track of all the cyber-oriented initiatives going on right now. The Cybersecurity and Infrastructure Security Agency, or CISA – which is part of the Department of Homeland Security — has a joint cyber defense collaboration between public and private agencies around the world.

This effort has had some early successes, such as sharing threat intel about malware campaigns by Chinese state actors targeting various state and local governments and another effort aimed at improving the security of the 2022 elections. It’s just one of numerous other DHS efforts to strengthen our overall cybersecurity posture, including helping fight commercial fraud (with help from the Immigration and Customs Enforcement), prosecute cryptocurrency transactions (with help from the Secret Service), fund various research efforts such as AI and malware analysis (as part of the DHS science branch) and elsewhere.

The National Security Agency has its own cybersecurity collaboration center. It’s focused on protecting the nation’s defenses and working with various private sector companies to help detect and neutralize threats. For example, last month it worked with the FBI and CISA as well as their counterparts in the U.K. to document the tactics of a Russian state-sponsored attack on Cisco Systems Inc. routers.

Yet many security analysts don’t quite give them the props they deserve, given that NSA-built malware has been exploited over the years — the EternalBlue code that caused the WannaCry ransomware attacks in 2017 being most notable. At the RSA Conference, Adi Shamir (the “S” in the name refers to his initial efforts with the company) referenced “the NSA and other bad guys” in one of his talks.

Then there is the National Institute of Standards and Technology, which is part of the Department of Commerce. NIST keeps various cybersecurity standards, such as this framework document, which was first published way back in 2014. It’s proposing a major overhaul to come out next year. Duo Security’s blog documents what NIST representatives at the RSA Conference said is in store, including updates to other efforts to help improve internet of things security, preserve privacy, strengthen identity management and increase software supply chain security.

And there are numerous cyber law enforcement entities within the Department of Justice, including special units of the FBI, and the State Department to arrest cybercriminals, such as this recent reward to help in bring Denis Kulkov.

These various agencies do make it hard to track an overall cybersecurity through line for the federales, and sadly the national strategy paper doesn’t really assign to-do tasks to the different agencies or even suggest ways that they could cooperate across the board. Plus, the paper doesn’t even put a price on what it would take to fund these various pie-in-the-cyber-sky Great Thoughts.

Another obstacle to better cybersecurity is the crazy-quilt patchwork of privacy regulations that are now being enacted by numerous states. California’s Consumer Privacy Act was the first in 2018, but others have jumped in, including Utah, Colorado, Iowa, Indiana, Virginia and Connecticut. At least 10 other states are getting close with their own laws.

Thats makes it harder for businesses that have a national footprint to craft any meaningful ways to preserve their customers’ privacy. Of course, the EU has had its GDPR regulations for many years that cover most of the entire continent.

If we look at other efforts across the pond, we see the U.K. has a single entity that will review every government departments’ cyber posture under a framework called GovAssure.  That would be nice for the U.S., but it’s unlikely given how we have parceled out various cybersecurity tasks here.

And the EU has its €1.1B Cybersecurity Shield effort that was announced last month. This will connect and share info across national security response centers and aims to be up and running next year. Yes, this is something that we have done in the past but largely on a one-off basis.

Finally, the world has become increasingly interconnected, as documented by the World Economic Forum here. Cyber criminals are more frequently creating the pathways to other global risks, such as failures in public health or critical infrastructures. The good guys (and I am assuming we can finally include the NSA in that category) have to do a better job of cooperating to stop them.

The goal of the White House’s cyber strategy is to make our digital ecosystem more defensible, effective and resilient. Though we should praise this vision, the reality is still a long way off.

Image: TheDigitalArtist/Pixabay