On September 6, the White House announced the appointment of Brigadier General (retired) Gregory J. Touhil to the newly created role of Federal Chief Information Security Officer (CISO). As the first U.S. CISO, Brig Gen (ret) Touhil will drive cybersecurity policy, planning, and implementation across the federal government. This represents an important moment in the development of mature cybersecurity governance. Touhil’s move from an agency like Homeland Security also points to the reality that executive buy-in is perhaps the most important component in being a successful practitioner.
Touhil is sufficiently placed to move forward an executive agenda but is unlikely to be a radical reformer. His published work shows him to be a strong performer with a view towards systematic progress rather than a person who will seek to break with history.
The work in front of him is clear cut and has already been set out. The development of a federal effort to develop and embed cybersecurity practices centered in the Federal Cyber Security National Action Plan (CSNAP) is essentially waiting to be implemented. As such, there is clearly a strong alignment between the mission and the manpower.
Sitting alongside of this, the U.S. government has struggled to build a central approach to cybersecurity. This has been particularly evident on the diplomatic front where the efforts of China to build norms around cyberattacks have been relatively successful. The success of China in creating facts on the ground has been achieved at the expense of the United States. The reality of consistent efforts to attack, sometimes successfully, has forced states like the United States to think about cyber strategy under substantial pressure.
Attacks on critical infrastructure offer the CISO and more junior practitioners the chance to frame response a in terms of their utility to immediate circumstances. The threat environment provides an automatic buy-in for this new CISO. This, in turn, increases the demands on those practitioners. The heightened threat environment entails higher expectations. As such, it is often both disheartening and in turn encouraging to operate within the contemporary cyber security environment.
As executives struggle to plan away through the threat landscape and out of future shock to cyber maturity it is easy to lose perspective on the significant gains the United States has made. The CSNAP is highly defensive in orientation and clearly speaks primarily to the domestic audience.
Elements of the CSNAP discuss disrupting opposing forced in cyberspace but the readily is that the document is mostly aimed at increasing cybersecurity maturity across institutions and at the personnel level. This means that the CSNAP is likely to struggle to produce the sort of outcomes in terms of international norms and capability that people naturally expect of a superpower like the United States. The CSNAP is not going to deter China, nor is it seeking to change the threat environment, it is a document designed to assist the United States in living with it. This means that the new CISO will be working to moderate expectations from day one.
This does not mean that the CSNAP is pointed at the wrong audience. Certainly, there is much more the United States needs to do to increase its cybersecurity maturity and there can be no purely offensive strategy in such an asymmetric threat environment. For other countries then, the United States remains a solid leader in developing cybersecurity maturity.
In particular, the U.S. tools on evaluating cybersecurity maturity in critical infrastructure (known as C2M2) is very useful. That being said, the governance supporting toolkits like C2M2 and the new Federal CISO is perhaps where states should look to first in building structures of authority. Currently, almost no countries have a Federal CISO or similar structures of governance supporting their nascent cybersecurity capabilities.
Consistent reporting shows that states make cybersecurity a priority. Further, on any comparative list, the United States is the world leader in the space. This means, that when compared to other develop countries, the United States has been hugely successful in responding to the challenge offered by developing cybersecurity maturity. The gap between that reality and the reality of the cybersecurity threat landscape points to the truth that much more will need to be done to build upon that maturity and turn into the sorts of results that people expect.
The United States faces key barriers in developing its capabilities. Firstly, there is a significant shortage of cybersecurity professionals. Along with this, the United States has failed to shape international norms on what is acceptable state behavior in cyber space. Thirdly, efforts will need to spread into industry so as to ensure that lessons learned in the classified world can be shared, where appropriate. Perhaps more importantly, the United States has significant capability that other states can learn form in order to catch up.
Taken together, the latest efforts on the part of the United States shore up the reality that they are the international leader in the cybersecurity space. Events also point to the fact that these efforts face significant challenges that must be addressed if the gains that have been made can be translated into further progress.