Last week, the Biden-Harris administration released its National Cybersecurity Strategy, renewing the U.S. government’s vision and objectives for realizing a safe and secure digital ecosystem this decade. Microsoft shares the strategy’s vision and believes focused work across its objectives can fundamentally enhance the nation’s cyber readiness. We’re especially encouraged by the administration’s focus on public-private collaboration, both in welcoming input during the strategy’s development and in recognizing the need for “unprecedented levels” of deep and enduring collaboration going forward.
We are steadfast in our commitment to working with the U.S. government, and others that share the administration’s strategic vision around the world, to rapidly strengthen our collective cyber-risk posture while also helping to ensure our future resiliency. Microsoft will continue to build secure products and services through our innovative engineering practices while also offering customers security services powered by AI and other breakthrough technologies, helping to protect individuals, businesses and governments. We welcome further opportunities to contribute to the strategy’s implementation and to help strengthen America’s cybersecurity capabilities.
We also look forward to partnering to enhance the public-private partnerships that the strategy recognizes as foundational to achieving its objectives. We need new ways to address urgent risks, but we also need renewed commitments to innovative and sustained partnerships to embark on the iterative, multi-year efforts needed to achieve the strategy’s goals.
At Microsoft, we agree that cybersecurity is a team sport
The scale and efficiencies achieved by threat actors collaborating in the dynamic cybercrime economy make enhancing our teamwork even more imperative. Governments, industry and other ecosystem partners need to work together more effectively than threat actors do, outmatching their specialization and innovation. Or, as former National Cyber Director Chris Inglis has often put it: “You have to beat all of us to beat one of us.”
Collective, coordinated implementation efforts will be required. As Kemba Walden, Acting National Cyber Director, and Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, highlighted as they launched the strategy last week: “A strategy is only as good as its implementation” – and while whole-of-government, agency-driven implementation efforts have already begun, there’s lots more to be done and a “sense of urgency” must be reflected in pursuing those next steps.
Across the strategy’s five pillars, our collective efforts must be outcomes-focused. We will need to explore more agile ways to collaborate on pilots and other initiatives that can help us anticipate challenges, gain insights and prioritize investments to achieve desired outcomes most effectively.
For example, we welcome the strategy’s aim to ensure that technology providers are accountable for using security best practices when developing and managing software and digital products. As our Chief Information Security Officer (CISO) Bret Arsenault described last year, Executive Order (EO) 14028 helped accelerate our ongoing investments in software supply chain security, both for Microsoft and the broader software ecosystem. We look forward to the continuing efforts of the Office of Management and Budget, the Federal Acquisition Regulatory Council, and agencies to implement EO 14028 Section 4 requirements in a way that enhances federal supply chain risk management. We also believe that near-term pilots for delivering and using software bill of materials (SBOM) information and other artifacts could help identify additional approaches for enhancing security outcomes. Likewise, near-term pilots or other initiatives could help demonstrate the impact of the administration’s complementary modernization goals, reinforcing the importance of urgent investments. We also look forward to working with NIST and other agencies as the concepts of “secure by design” and “secure by default” industry requirements are defined more concretely while ensuring they remain outcomes focused.
Microsoft’s collaboration with federal partners to disrupt and dismantle threat actors, a key pillar of the strategy, also demonstrates the value of iterative efforts and partnership. Our Digital Crimes Unit has been fighting cybercrime, protecting individuals and organizations, and increasing cyber criminals’ operational costs since 2008. In recent years, our growing collaboration on disruptions with law enforcement, security firms, researchers and others has increased our scale and impact. We are actively working on new actions to disrupt criminals and protect the digital ecosystem, consistent with the goals of the strategy.
Each disruption of cybercrime infrastructure brings forward lessons learned, and we know that faster collaboration among invested defenders with a shared threat context means we can align efforts and have a much broader impact, protecting more people and organizations while criminals are forced to regroup. To facilitate more agile “threat-specific collaboration,” we support the strategy’s goal of leveraging nonprofit hubs and temporary cells that effectively bring together trusted operators.
Our digital future depends on our ability to partner on improving cybersecurity outcomes, and we welcome the administration’s comprehensive strategy and its vision for collaboration. As a next step, Microsoft will continue to reflect on each of the strategy’s five pillars, and we look forward to engaging with others in the community on the “shared purpose and priorities” articulated by the strategy. An ongoing dialogue is foundational to agile teamwork and collective defense.