Cyber Scene #82 - Breaking News, Cyber and China


As July heat drives Americans to cool shelter, Washingtonians, particularly those in the three branches of U.S. government, are steaming hot and teaming together on major cyber and tech advances. "Whole-of-Government" is either involved and designated as responsible for cyber security or involved in bipartisan funding and approval of the direction the U.S. Government is taking. The impact extends far beyond the D.C. beltway, reaching out to countless private sector institutions and businesses.

First and most important among these is the July 2023 publication of the promised (March 2023) National Cyber Security Implementation Plan (NSCIP). A comprehensive, implementable program has been long awaited by many in and out of U.S. government. Likely to be particularly pleased is the now-sunsetted, bipartisan, and bicameral Cyberspace Solarium Commission (CSC), co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI). They remain in the Senate and House respectively while CSC continues as a not-for-profit. The link explains how the CSC continues to connect government and the private sector; its 10 commissioners, with their private and public experience; and the 2021 National Defense Appropriations Act (NDAA), which included 25 of CSC's recommendations. One of the top 3, 100-day, must-do issues was the creation of a National Security Director, which began with the Biden Administration. The first director, Chris Inglis, and his acting successor, Kemba Walden, along with White House Cyber Advisor to the President, Anne Neuberger, have played and are playing central roles in the implementation of the plan.

The following discussions address the scope of the implementation plan.

The NSCIP involves 18 agencies, each of which has leadership responsibilities for pieces of the overarching plan. This White House announcement provides both the NSCIP itself (57 pages, but very terse and pointed) and an overview of this monumental move toward dealing with cyber and its applications in everyday life.

The five pillars are addressed digestibly. Each sets out Strategic Objectives, including the designated, responsible entities; an Initiative Description; and a National Cyber Security (NCS) Reference, including the responsible agency, contributing entities, and completion dates by quarter. The plan calls for implementing all objectives by 2026.

The pillars are:

Pillar One: Defend Critical Infrastructure

Pillar Two: Disrupt and Dismantle Threat Actors

Pillar Three: Shape Market Forces to Drive Security and Resilience

Pillar Four: Invest in a Resilient Future

Pillar Five: Forge International Partnerships to Pursue Shared Goals

As an entry to NSCIP implementation, the first pillar, Infrastructure, is perhaps more simply understood across the country. As an example, Cyber Scene will drill down on Infrastructure.

Just prior to the publication of the NSCIP, the issue of Pillar One: Critical Infrastructure, was addressed by CSIS (Center for Strategic and International Studies), a think tank, via Govtech's podcast. The attendees were host Dan Lohrmann with Anne Neuberger, Deputy National Security Advisor for Cyber, and two other governmental leaders (TSA and Homeland Security). Ms. Neuberger begins with the Colonial Pipeline attack as the example of the need for, at a minimum, cyber security measures to protect all U.S. infrastructure. She also displays a three-pronged complex chart of how an infrastructure attack can be avoided across the country. Subsequently, on 16 July after the publication of the NSCIP, Dan Lohrmann also covers Acting NSC Director Kemba Walden's presentation launching the NSCIP. He not only frames her comments, but also adds several additional public coverage sources regarding NSCIP and its impact.

Acting Director Walden notes that the NSCIP's final actions must be achieved by 2026; the deadlines for the Pillars' implementation are paced out every 3 months, or quarterly. They note: "The plan encompasses the business sector, besides federal agencies. The 16 sectors designated as critical infrastructure by the U.S. government are largely operated by the private sector in areas such as healthcare, financial services, energy and manufacturing…businesses will be expected to meet new standards set by federal agencies. The Securities and Exchange Commission, for example, is preparing a raft of rules that will impose incident-reporting requirements on listed companies." The Wall Street Journal's James Rundle and Catherine Stupp also provide a longer outlook of NSCIP's impact: "These (NSCIP) rules are also intended to scrutinize board oversight of cyber risk."

In some respects, regulation is working. The White House succeeded in securing voluntary agreements from eight Big Tech companies to comply with strong national constraints, according to The Hill's Julia Mueller. These companies (Amazon, Anthropic, Google, Inflection, Facebook parent company Meta, Microsoft and OpenAI) have made the voluntary commitments "geared at managing the risks posed by artificial intelligence" while also "protecting Americans' rights and safety against risks posed by the uncharted technology."

Foreign Affairs has recently published a think piece on "The Race to Regulate Artificial Intelligence." Columbia Law Professor Anu Bradford explains that regarding content, U.S. Big Tech is racing to advance artificial intelligence capabilities amid intense criticism and scrutiny; "Washington is facing mounting pressure to craft AI regulation without quashing innovation." She believes that digital regulation comes in three flavors: "the United States is following a market-driven approach, China is advancing a state-driven approach, and the EU is pursuing a rights-driven approach." However, from a cybersecurity perspective, a market-driven approach may be the most difficult to apply.

It should be noted that some of those U.S. entities to be impacted by the Infrastructure Pillar are looking forward to it. The American Hospital Association (AHA) seems to have embraced the NSCIP, except regarding funding, as would many of the former victims of infrastructure attacks. AHA's National Advisor for Cybersecurity and Risk, John Riggi, stated "In general, these strategically aligned approaches will help protect our nation from foreign cyberthreats, which continue to accelerate in frequency, complexity, and severity." Considering how so many medical facilities have suffered, this quick AHA announcement is not a surprise. The AHA response is an example of many infrastructure sectors that will be impacted by the implementation.

Hacks can be quite ugly, according to The Hill, such as that of U.S. Ambassador to China Nicholas Burns. His email, along with those of the State and Commerce Departments, was compromised directly following visits to China by Secretary of State Antony Blinken and Secretary of the Treasury Janet Yellen, who have been trying to build bridges with China.

As reported by the New York Times' David McCabe, American officials are concerned about U.S.-based Chinese data centers and those abroad "…gaining access to sensitive data, echoing concerns about Chinese telecom gear and TikTok." This relates to the power and access of cloud computing, cast as the hidden "… engine of the digital economy, enabling services like video streaming and allowing companies to run artificial intelligence programs." These were the very sorts of issues Secretary of State Blinken was working on. And it was his own State Department that was reportedly hacked.

Chinese data centers are not the only tech issue under consideration at the White House. According to the Times' Ana Swanson, David McCabe, and Michael Crowley, the Biden Administration is looking at constraints on AI chips being exported to China. Readers may recall the "Chip Wars" discussions in recent Cyber Scenes. This would involve cutting down or cutting out the delivery to China of U.S.-produced chips needed for AI and made by companies like Nvidia, Advanced Micro Devices, and Intel. The chips are required for powering AI in data centers. This move, of course, is a financial issue for the U.S. companies involved, which is another angle on regulation.

The chip war continues. The July 4 Economist, in "Full metal straitjacket," describes the point and counterpoint chip war with China bringing out "the big guns:" the export controls on gallium and germanium used by the U.S. in high-end semiconductors. The article goes on to note that China provides 80% of the world's gallium and germanium, with the U.S. getting 50% of its supply from China. China intends to enforce such new rules by the requirement for exporters to seek Chinese government approval and export licenses.

And this is getting worse. On 23 July, the Economist's "China hits back against western sanctions" reports that retaliations are in place, with the Chinese leader himself saying, "we told you so." Just as the U.S. deals with regulatory safeguards as determined by the NSCIP, so too is China creating new laws, also related to the U.S.-Taiwan relationship, that will muddy the international Big Tech water. Stay tuned: more will follow even as NSCIP implementation proceeds.