Centering the Citizen in National Cybersecurity Policies: To what extent does the new U.S. Cybersecurity Strategy prioritize protecting the individual online?


The U.S. recently rolled out its latest National Cybersecurity Strategy, which was a much-anticipated update to the last one published in 2018 (The White House, 2023b). In the realm of cybersecurity policy, much can change in six years as technologies advance and digitalization becomes more ubiquitous. In fact, the COVID-19 pandemic rapidly accelerated the adoption of digital technologies and forced many users online in ways they had not been before. With the increased usage of digital technologies during the pandemic, there was also an associated increase in cyberattacks, with 81% of global organizations experiencing increased cyber threats (Hall & Rolland, 2022, p. 6). Within this changing threat landscape, individual users end up being those most directly affected as they lose data, experience service outages, and are otherwise impacted by cyberattacks. As governments like the U.S. publish updated national cyber strategies, the question becomes to what extent the individual citizen is prioritized in these policies to ensure a safe online existence.

The cybersecurity of both organizations and citizens is critical for ensuring a safe digital society. Yet the ways that individuals, organizations, and governments address cybersecurity vulnerabilities differ, presenting a gap between what is advocated for and what is actually implemented. In a recent report, the cybersecurity policies of the EU and other countries were analyzed to assess the extent to which the citizen is prioritized in the policies. Furthermore, an exclusive survey was conducted by Opinion Way for the International Cybersecurity Forum (FIC) to assess European citizens’ cybersecurity awareness. Ultimately, the results were clear: “While plenty of online security initiatives are available to industry, citizens are often left behind. Serious effort is needed … to improve cybersecurity awareness to empower citizens to ensure their online safety” (Hall & Rolland, 2022, p. 2).

The report “United we stand, divided we fall: Citizens and 21st century cybersecurity” provides 12 recommendations for how governments can better center the citizen in their cybersecurity policies across three main pillars: education and awareness, support to citizens, and policy and outreach. The recommendations in short are as follows (Hall & Rolland, 2022, pp. 3–5):

Education & Awareness

  1. Fund cybersecurity education programs in schools.
  2. Establish lifelong learning cybersecurity programs at the community level.
  3. Take awareness campaigns beyond education and into adoption.

Support to Citizens

  1. Launch cyber toolkits for citizens.
  2. Create and promote measures to ensure high cybersecurity standards in all products.
  3. Require digital service providers to increase transparency about their security and privacy practices.
  4. Create a Cyberscore.

Policy & Outreach

  1. Develop an e-social contract.
  2. Adopt and implement the Cyber Resilience Act and future regulations expediently.
  3. Improve threat information sharing between governments, industry and citizens.
  4. Provide funding to support stakeholders to comply with legislation and the introduction of new standards.
  5. Promote a local approach to implementing cybersecurity strategies.

These recommendations were compiled after conducting a comprehensive review of current EU cybersecurity-related policies and after comparing how cybersecurity policy leaders like the U.S. and Israel approach cybersecurity. Through this review, it was determined that while some countries actively prioritize improving individual cybersecurity awareness and skills in an effort to improve the country’s overall cybersecurity resilience, such an approach was not universal. Instead, many countries prioritize improving the cybersecurity of critical infrastructure and government ministries, arguing that the individual user should not hold more responsibility for a country’s cybersecurity than the owners, operators, and creators of technology. Ultimately, the argument stands that if critical infrastructures – meaning the “assets, systems, and networks that provide functions necessary for our way of life” – are secure, then the individual user is more secure (Cybersecurity and Infrastructure Security Agency (CISA), 2023).

It is this second approach that the U.S. takes in its new Cybersecurity Strategy. In fact, they argue that “end users bear too great a burden for mitigating cyber risks” and that it is the owners, operators, and technology providers that should hold the responsibility for securing the online ecosystem and protecting user data (The White House, 2023a, pp. 4–5). Therefore, the new Cybersecurity Strategy sets as a goal “a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences” (The White House, 2023a, p. 1). They seek to meet this goal through increased collaboration and driving more industry responsibility around five core pillars (The White House, 2023a, p. 4):

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The Cybersecurity Strategy is ambitious in its goals, and if successfully implemented, it would certainly improve the cybersecurity of American citizens. However, the approach does not include means for empowering the individual citizen to protect their own data and secure their online activities. Hall and Rolland (2022) argue that while there are a multitude of tools available online for individuals to improve their cybersecurity practices, there remains a general lack of awareness of what best practices are and what the individual’s responsibility is for protecting themselves online. In particular, citizens lack resources to inform and help them in the aftermath of experiencing a cyberattack.

To conclude, the 2023 U.S. Cybersecurity Strategy ultimately seeks to protect citizens online by improving the cybersecurity of critical infrastructure and placing more responsibility on technology providers and creators to ensure that users are safe online. This strategy aligns with some of the recommendations from Hall and Rolland (2022), but notably missing are policies designed to empower individuals to take control of their own online security. This could be an opportunity for civil society organizations in the U.S. to renew or establish partnerships with the government to offer better awareness campaigns and develop citizen-centric tools to help individuals be safer online.

References

Cybersecurity and Infrastructure Security Agency (CISA). (2023). Critical Infrastructure Security and Resilience. Cybersecurity & Infrastructure Security Agency: America’s Cyber Defense Agency. Retrieved May 14, 2023, from https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience

Hall, M., & Rolland, A. (2022). United we stand, divided we fall: Citizens and 21st century cybersecurity. FIC Agora. Retrieved May 14, 2023, from https://agora-fic.com/wp-content/uploads/2022/11/Agora_FIC_Livre_DIGITAL_VDEF.pdf

The White House. (2023a). National Cybersecurity Strategy 2023 (pp. 1–35). The Biden-Harris Administration. Retrieved May 14, 2023, from https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

The White House. (2023b, March 2). FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy. The White House. Retrieved May 14, 2023, from https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/


About the Author

Molly Hall

Molly Hall is a second year Brandt School student, who co-authored the report, “United we stand, divided we fall: Citizens and 21st century cybersecurity” with Apolline Rolland during a recent fellowship with the International Cybersecurity Forum (FIC). She has nearly a decade of experience in public affairs, consulting, and state government focusing primarily on national security, cybersecurity, and international affairs. She can be reached at mary.hall@uni-erfurt.de or on Twitter at @_MollyHall.

~ The views represented in this blog post do not necessarily represent those of the Brandt School. ~