Securing the Future: The McCrary Institute Cybersecurity Roadmap

The McCrary Institute's cybersecurity roadmap presents 40 recommendations for the new administration to to strengthen the nation's cyber defenses. 

With the election less than a month away, the policies that each candidate proposes are becoming more immediately important. Cybersecurity is an increasingly important subject that must be addressed, no matter who gets sworn in on Inauguration Day. POLITICO was the first to obtain the proposed action plan by the McCrary Institute at Auburn University. The plan was written by 40 experts in national security, cybersecurity, technology and policy over the course of nine months. The diverse backgrounds of the task force behind the cybersecurity report helped when weighing what recommendations to include and also helped make the roadmap more bipartisan. 

The plan has eight critical themes:

• Unifying the Regulatory Landscape: There needs to be an extensive review of cybersecurity laws to find any gaps or discrepancies. The new administration should also put a cross-agency task force in charge of harmonizing the regulations and make a set of cybersecurity standards that work for specific sectors.
  
  
• Synergy in Cyber Protection: There needs to be more authority in the Office of the National Cyber Director (ONCD), as well as in the Cybersecurity and Infrastructure Security Agency (CISA). Collaboration between all levels of government also must be improved.
  
  
• Deterrence and Cost Imposition in Cyberspace: The new government should create a comprehensive offensive strategy to disrupt adversaries, a designation process for state sponsors of cybercrime, and strengthen our ability to identify bad actors and hold them accountable. 

• Resilience in Cybersecurity: An exhaustive system to identify and prioritize critical assets is needed, along with sector-specific cybersecurity rules for IT and OT systems. a national-level exercise program to test and advance the nation’s cyber resilience.
   
• Cyber Statecraft: To improve the international cyberspace, the US should encourage an open, interoperable Internet worldwide, improve international cooperation on cybersecurity standards, and fortify the State Department’s cyber diplomacy efforts.

• Building Cyber Capacity: In order to close the national cyber skills gap, there needs to be a national K-12 cybersecurity curriculum. The incoming administration should also expand programs like CyberCorps and Scholarship for Service and develop flexible volunteer systems and employment arrangements to make use of private sector expertise. 

• Securing the Future: As new, transformative technology continues to be released, the government should make a unified national list of critical and emerging technologies, strengthen supply chain security for critical technologies, and make a transition plan for  quantum-safe cryptography. 

• Foundations of Cyber Resilience: Sector Risk Management Agencies should have a much larger budget, and the National Institute of Standards and Technology (NIST)  similarly requires more funding support as it develops cybersecurity standards. The report also recommends that the government robustly plans for the Continuity of the Economy. 

Each section comes with specific recommendations for the incoming administration, totaling 40 instructions for the new government. The top three recommendations for the first 100 days are to appoint a “high-level task force” for harmonizing cybersecurity regulations, to “initiate a comprehensive review of our national cybersecurity strategy”, and to “launch a national initiative to address the cybersecurity workforce shortage”.  

Given the broad scope of this cybersecurity report, it can be a useful set of guidelines for whichever nominee is elected. Some cybersecurity experts expect that there won’t be much change in how cyber agencies are valued, with Chris Inglis, the nation’s first and former national cyber director saying “I have no doubt that a Trump administration, like a Harris administration, would continue to give value to cyber as an element underpinning our business resilience, things that individual citizens do, and of course national security. I would be very surprised if an oncoming administration of any political persuasion didn’t immediately say, ‘I’m glad you’re here, let’s make use of you going forward.’”

Even so, cybersecurity has already had an uncertain year. The end of the Chevron Doctrine puts more pressure on agencies to make cyber regulations clear and consistent as their interpretations of the laws may not be prioritized. The US-Russia Prisoner Swap released some prominent Russian cybercriminals, even while the US is working to secure its elections from influence from Russia and Iran. 

Former Rep. John Katko (R-N.Y.), a previous ranking member of the House Homeland Security Committee with jurisdiction over CISA, says the nation’s cybersecurity situation is perilous: “We’re in a pre 9/11 posture with respect to cyber and unless and until we acknowledge the nature and quality of that threat and act upon it with the recommendations in this report, we’re gonna remain very vulnerable as a nation and an economy.” With this warning in mind, it is critical that the next president acts quickly on the recommendations in this report.