The U.S. National Cybersecurity Strategy: An Interview with Jim Halpert

James Halpert (Office of the National Cyber Director, USA)

Established by Congress in 2021, the Office of the National Cyber Director (ONCD) advises the president of the United States on cybersecurity policy and strategy. More specifically, the ONCD’s mission is to advance national security, economic prosperity, and technological innovation through cybersecurity policy leadership. In carrying out its directive, the ONCD works closely with White House and interagency government partners at all levels, its international allies and partners, non-profits, academia, and the private sector, to shape and coordinate federal cybersecurity policy.

Recently, the ONCD released the White House’s new National Cybersecurity Strategy. Although many of the Strategy’s proposed changes will hinge on congressional action, if implemented by Congress and the administration, the Strategy would have significant consequences for certain businesses, including owners and operators of critical infrastructure, software developers, cloud providers, government contractors, and businesses that handle personal information. Therefore, understanding the Strategy and its potential implications will be key for companies across all sectors.

James Halpert is a renowned cybersecurity expert and privacy lawyer. In August 2022, Mr. Halpert was appointed General Counsel of the Office of the National Cyber Director. Prior to taking this role, he was partner in the law firm DLA Piper, where he built the firm’s cybersecurity practice, advised dozens of clients on their cybersecurity programs, and counseled clients through more than 700 security incidents. Mr. Halpert helped draft almost all the state, private, security, and breach notice laws enacted over the past 15 years, the National Association of Corporate Directors’ Handbook on Cyber Risk, and two major U.S. federal privacy laws. He is an honors graduate of Yale College and Harvard Law School, and also studied in Paris.

Below is an excerpt from Mr. Halpert’s Brand & New podcast interview. It includes some minor edits to improve readability.

For those who are not familiar, could you please explain the purpose of the ONCD and share some of its core missions?
The Office of the National Cyber Director was created at the beginning of 2021 by the U.S. Congress to coordinate cyber defensive operations across the U.S. government. The U.S. government is vast and even more complicated in structure than the governments of many other large countries. Doing this coordination well was deemed very important by Congress.

We are a startup—a pretty well-developed startup in the Executive Office of the President, coordinating with many different parts of the government. We’ve been charged with developing the National Cyber Strategy, and also, other things like coordinating implementation of improved defenses of U.S. government systems, doing extensive outreach to the private sector about cybersecurity, and developing a strategy to expand and improve the U.S. cybersecurity workforce, which is a key employment need. That gives you some idea of what we’re doing.

We are organized with four principal lines of effort. One is aimed at ensuring that budget priorities in cybersecurity are adequately accounted for in the president’s budget. We’re helping agencies review what their needs are with regard to budgets to maintain a strong cybersecurity posture. We’re helping to develop cybersecurity strategies. We’re coordinating the U.S. government cyber defense and then oversight of national regulation in cybersecurity and outreach in coordination with the private sector. We help lead the response to major national cyber incidents when they arise. We also follow new developments in technology and are charged with thinking ahead about what the challenges are going to be in cybersecurity.

The Office spearheaded the development of the president’s National Cybersecurity Strategy, which President Biden issued on March 2. This strategy replaces the 2018 National Cyber Strategy and largely builds on the path started by the 2021 executive order, improving the nation’s cybersecurity. To what extent does this approach to cybersecurity differ from that of previous administrations?
The strategy aimed to build on some very good and thoughtful initiatives about information sharing with regard to cyber threats and preparation of the federal government for cyberattacks. We aim higher to try to change two key problems that we see in cyber defense across the globe. The first is that responsibility for cyber defense unfortunately falls on the people who are least able to defend themselves, which includes individuals. It includes state and local governments in the United States, and it also includes corporations that are not experts in cyber defense. They procure increasingly complex software and hardware and use various service providers, none of whom has significant responsibility, at least in the United States, legal responsibility, in the event of a cyber incident. They are able to disclaim by contract, cybersecurity liability in the event of a cyber incident. We are focused on that as an area of improvement.

The second dimension of the problem of cybersecurity that our strategy focuses on is improving the capabilities of defense and not accepting that attackers can launch attacks without consequences. This involves two key features.

The first is having much better collaboration between the U.S. government, the U.S. private sector, international allies, and the international private sector actors in attributing and in defending using current threat intelligence about cyberattacks.

The other side of it is to not wait for attackers to hit us. When we identify an attacker, we can reach out and disable its capability to attack. These two elements both improve the cybersecurity features of software and hardware that is released. And, secondly, forming a much more proactive approach to cyberattacks can make a significant difference in defending against attacks.

One other point I would add is that it’s important to be prepared in advance for cybersecurity developments or technology developments that will open up vulnerabilities. A good example is quantum computing, which can easily crack most of the current encryption methods. We need to prepare for that great increase in computing power if we want encryption to be a good defensive measure in cybersecurity.

That gives you an idea of the really significant proactive changes that the U.S. government has committed to doing and that we encourage our allies to do as well.

Let’s focus on one of the core pillars of the strategy, namely, securing critical infrastructure. What are some of the cyber security standards and best practices that the White House is developing with the private sector to improve the security of critical infrastructure? And what are the plans for promoting cybersecurity awareness and education among critical infrastructure owners and operators?
The critical infrastructure security promotion is a major focus. The consequences of attacks can be much more serious. The major thing that we’re doing in addition to the two to three shifts that I just described, which certainly apply in this sector, is to focus. I’ll give you one example of that: Most hardware and software used in the general marketplace is also used in critical infrastructure. Just by generally securing hardware and software, there can be a significant benefit here.

More specifically, the United States has a sector-specific system of regulations, which, oddly, China has as well. It’s somewhat less centralized than under European directives, for example, or regulations. One of the things we’re very focused on is to fill gaps in cybersecurity regulation in certain sectors that are generally not regulated and quite weak in their cybersecurity.

The second thing that we’re focused on as part of this is to try to harmonize minimum cybersecurity requirements across critical infrastructure. This is very important because it will reduce the cost both of the technologies and of the insurance mechanisms to ensure that the companies are actually following what those minimum standards are. We’re doing a lot of work to develop a consensus on harmonization of cybersecurity standards, working with, in particular, regulators in the United States and critical infrastructure sectors to encourage them to all work together and develop a common framework for what the minimum is in each sector. Again, this should reduce the costs of those solutions and generally improve security.

On the other hand, we are also mindful that in sectors like the nuclear and medical device sectors, the minimum is not enough. Under this plan, we would hope to see regulators be able to go beyond that common minimum, to clearly articulate—based upon risks that they know well—what else needs to be done to establish adequate security. The baseline would be the same, and that’s important.

Cybersecurity is a global issue with threats at the international level and solutions to be implemented in partnership with other nations. How is the United States working with other countries and international organizations to coordinate responses to cyber incidents in an efficient way?
There was an announcement last month of the arrest of a malware network that was principally based in Russia. It was the product of a seven-country investigation. There’s a lot of work that goes into something like that. Cyberattacks are carried out in many different countries. The attacker may not have, for example, bank accounts in the country that they’re attacking, but they may well have bank accounts in other countries that are part of an alliance, informal or formal, to pursue bad actors in cyberspace. Another example is the counter ransomware initiative, which the United States and Australia have launched and which has broad participation.

I’ll point to one other very significant element in the United States, which is the development of a Cybersecurity Bureau in the State Department that is coordinating and working with others around the world. I’d also add that our cybersecurity strategy is something that we’ve had lots of conversations about with other national cybersecurity authorities, sometimes Home Affairs, sometimes on the law enforcement side. In all these conversations, there’s a lot of interest in the two pillars that I just described to shift the burden of defense or share it more equitably.

What is your main challenge as General Counsel of the Office of the National Cyber Director?
Issues like harmonizing regulations and changing liability rules for software, and large software, and hardware providers to critical infrastructure are major changes in the U.S. laws. Thinking about how to achieve this, winning support, and advocating for it with other parts of the government and the private sector is probably the hardest part of the job, but also the most rewarding. These measures really could improve—and we expect will improve—our cybersecurity posture globally in the coming years.

The other main challenges are associated with being a startup in the White House, which is pretty unusual. Its most recent new office in the White House, I believe, was created in 1988 when I was a young man! There’s a lot of work to establish the policies, the structures to work out collaboration protocols with other agencies and other parts of the White House. That’s the other principal part, which is really interesting as well, establishing the role of this Office and its function across government for many, many years to come. It’s both hard and gratifying.

Listen to the full Brand & New podcast.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest.

© 2023 International Trademark Association