The Biden administration’s first National Cybersecurity Strategy, released on March 2, coalesced the White House’s various executive orders and proposals around the security of critical infrastructure in the United States.
The 39-page document consists of five pillars and hammers home a number of consistent themes, including the need for resilient systems, the need to shift liability away from resting solely on end users and onto technology providers, and the desire to disrupt state actors and cybercrime gangs.
In this episode of the Nexus podcast, Adm. Michael S. Rogers, USN (Ret.) joins to share his insight into the strategy, where it hits, and where it misses.
One missed opportunity Rogers points out is the lack of mention of the crisis in Ukraine, and the resilience lessons that can be taken away from the ongoing war with Russia.
“I would argue the current situation in Ukraine represents some of the greatest cyber activity we’ve seen, and it also shows you how you can create cyber resilience in the face of that type of significant activity,” Rogers said. “I’ll be honest and very direct: It disappointed me that the document didn’t say ‘Hey, let’s take a look at some real-world scenarios and how we can learn from them.’ I think the situation in Ukraine offers a very compelling model about how we can do things differently to enhance our cyber resilience.”
The strategy is constructed in five pillars, starting with defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive resilience, investments in a resilient future, and the need for international partnerships to drive success.
Those pillars emphasize not only the need to defend critical infrastructure from attack, but also the need to stand up and continue to operate in the face of successful penetration by an adversary, Rogers said.
“We need to start thinking about cybersecurity much more from a risk and a public harm perspective,” Rogers said. “If you look at it through the lens, there should be a greater willingness on the part of government to take a more aggressive regulatory or legal role.” This thought is at the heart of Pillar 1 in the document, and Rogers hopes that the government partners with private sector owners of critical infrastructure and does not impose regulation in isolation.
Throughout the podcast, Rogers also discusses the government’s promise to invest in the cyber workforce, which is particularly relevant to operational technology asset owners and operators, many of whom are operating under relatively small budgets and levels of expertise, yet serve a vast majority of smaller communities throughout the country.
Rogers also shares his insights on shifting liability toward technology providers, and the role of cyber insurance moving forward, among other facets of the national strategy.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.