04/29/2023: This story was updated to include comments from former National Cyber Director Chris Inglis and McCrary Institute director Frank Ciluffo.
SAN FRANCISCO — Acting National Cyber Director Kemba Walden has had a busy 2023.
Two weeks before her office completed a years-long effort to refresh and overhaul the U.S. National Cyber Strategy in March, then-NCD Chris Inglis retired from government, leaving Walden in charge of implementing one of the most ambitious efforts around federal cyber policy we’ve seen.
She and her staff barely had time to exhale before diving right back into a laborious process of developing an implementation plan for the strategy, while also getting Walden acclimated to the new role, engaging with private industry and state and local governments, and kicking off discussions inside and outside of government around how to incorporate nascent sectors like space into national cyber policy.
Inglis told SC Media that the strategy was the culmination of his work and that "it was time" for him to leave, noting that he praised Walden as eminently qualified to execute the implementation in his resignation letter sent to President Joe Biden in February.
"It was time. I did what I had come to do. More importantly, Kemba was superbly prepared and qualified to take the helm and pick up the pace for the work that must be done to build upon ONCD's formative 'first chapter,'" Inglis said in an email.
Walden took time during the RSA 2023 Conference to meet with reporters, give an update on where implementation work stands and discuss other priorities that ONCD plans to pursue over the coming year.
The administration is also continuing to explore ways to use existing regulatory authorities to improve baseline cybersecurity practices in the private sector and critical infrastructure, and Walden said ONCD is in the midst of conducting a gap analysis to figure out where existing authorities leave room for new rules or other non-regulatory approaches.
Software liability…but not yet
One of the most ambitious and talked-about ideas to come out of the National Cyber Strategy involves pushing for new laws that would make software developers legally liable when their products contain easily exploitable vulnerabilities, with a corresponding safe harbor regime that would shield companies who adhere to (as yet undefined) best practices around secure software development.
However, Walden said it’s unlikely that the administration will make a legislative push for the proposal on Capitol Hill during this Congress, where Republicans and Democrats each control one chamber with razor-thin margins, and where GOP leaders have repeatedly pledged to block new regulations on industry, including around cybersecurity.
“I don’t think we’re ready for a software liability regime from the White House into Congress now. I think this is going to take some time, we have to be thoughtful about this — and intentional — because this is complicated,” said Walden. “I’m optimistic we are going to be able to do this, we’ve done it before, but we have to be thoughtful. And [while] I’m not going to be perfect, I want to make sure I’m damn near it before launching something.”
She said that the administration is well aware of the current political realities in Congress and the private sector around the issue, noting that the word “easy” does not appear anywhere in the section of the strategy that deals with software liability. The strategy was explicitly designed to have a 10-year shelf life to ensure that ideas remain relevant to the technological landscape and allow time for difficult conversations and consensus-building around some of the more contentious ideas.
And Walden said the administration is not resting on its laurels or waiting for a more favorable Congress in the meantime. ONCD and other members of the administration are currently holding discussions with software developers, members and staff on the Hill, lawyers and other stakeholders, alongside studies within government, to flesh out how such a statute might work in practice, or whether there are other ways to accomplish the same goals without new laws.
One of those engagements was a conversation this week at a software liability workshop hosted by Stanford University, meeting with a group of attorneys and professors who are examining how historical approaches to product liability might be applied to the software space.
“This is a long-term project in my mind, and it might not be that we need to take congressional action. It might be that we find other tools — I don’t know what they are…right now, but I want to be thoughtful about it,” she said.
Making space for “space” in cybersecurity policy
In addition to working on an implementation plan for the National Cyber Strategy, ONCD is currently ensconced in a series of discussions with interagency partners and outside stakeholders around cybersecurity policy for the space sector.
Much of that focus revolves around implementing Space Policy Directive 5, a document issued under the Trump administration that outlines a series of cybersecurity principles for protecting the space sector. The government will hold a series of regional technical workshops with companies in the space sector to get feedback on SPD-5 and other space-related cyber rules.
In March, ONCD co-hosted a space systems cybersecurity forum along with the National Space Council where senior government officials, space industry leaders and C-Suite executives received a classified threat and vulnerability briefing that delved into “very specific threat information, and very specific targeted vulnerability information” to help inform business risk strategies.
Walden will also visit “Space Beach” — an industry and government innovation hub for space operations located in Long Beach, California — to discuss threats like the 2022 hack of satellite communications provider ViaSat at the outset of the Russian invasion and how government and industry can cooperate to make space systems more resilient to cyber threats.
That incident resulted in “strong agreement” among government and industry officials that a comprehensive cybersecurity plan for the space sector is both necessary and urgent.
“That first shot [showed] there’s a spillover effect from this war in cyber, and so I need to address that.”
The administration is also mulling over an idea that has been floated by the Cyberspace Solarium Commission and later the McCrary Institute: designating the space sector as critical infrastructure. The White House is currently working on a rewrite of Presidential Policy Directive 21, which originally established 16 separate sectors of critical infrastructure, and Walden said ONCD is a participant in those discussions.
Frank Ciluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security and one of the authors on the report, told SC Media earlier this month that designating space as critical infrastructure was both a national security and commercial imperative for a rapidly growing sector.
While chunks of terrestrial and orbital space IT infrastructure are already classified as critical infrastructure under other sectors, the McCrary Institute has argued that a specific designation would cover the rest and codify the sector’s importance and unique challenges in the minds of policymakers.
"The fact that it’s not designated as critical infrastructure I think takes away from the ability to prioritize the sector and signal not only to U.S. companies but also allies and our adversaries that space is a priority, but also to streamline some of our integration to be able to work the public-private sets of issues," Ciluffo said.
When asked by SC Media what the primary benefits would be of such a designation, Walden said it might help as a framing device for policymakers, but that many of the efforts you might expect that to lead to are already underway.
“What I will say is that designating something as critical infrastructure just as a way to frame how we do policy and nothing more, it just frames a way of thinking … so the benefits of having something designated as critical infrastructure really [is] being able to organize and have people at the table having policy conversations. We’re doing that anyway, whether space systems are designated or not,” she said.
Learning to play nice
Inglis’ exit was marked by a report from Bloomberg that he clashed with Anne Neuberger, White House deputy national security advisor for cyber and emerging threats, over cooperation while developing the national cyber strategy and overlapping job roles.
Walden said she and Neuberger are both “busy” and “focused on cyber,” but they talk regularly and are working in a policy area that is big enough for both ONCD and the NSC to contribute to.
“We’re two grownups working in the White House on the same issue and there’s plenty to go around,” she said, later adding: “I have a great relationship with [Cybersecurity and Infrastructure Security Agency director] Jen [Easterly], I have a great relationship with Anne, and there’s a lot of work to go on.”