Acting US National Cyber Director: ‘We're allowing the adversary to set our agenda’
The White House’s acting national cyber director warned this week at the CyberUK conference in Belfast that “fixating on security is a distraction, one our adversaries are all too happy for us to adopt.”
Kemba Walden, who took the reins of the key White House office in February, said “cyberspace’s true purpose is to enable all of the other amazing things that we want to do,” from helping distribute renewable energy through to empowering educators, and enabling “collaboration, commerce, and cultural exchange.”
“Securing ourselves against threats is not the only thing that matters when it comes to cyberspace, it’s not even the main thing,” she said. “If we build a defensible and resilient cyber foundation, we can pursue our boldest goals with confidence.”
Walden, who previously served as principal deputy national cyber director, was elevated to her current role just weeks before the Biden administration released a landmark national cyber strategy. Now it is up to Walden and her counterparts to put it into action.
In between her numerous meetings in Belfast, The Record sat down with Walden to discuss her mandate in her new job and her vision for cyberspace — as well as whether she would accept a nomination to permanently serve as national cyber director.
The Record: The White House recently released its national cyber strategy. What have you been telling partners at CyberUK about why the strategy is designed the way it is?
Kemba Walden: I’m excited about our national cybersecurity strategy. It has two forward-looking and, in my view, progressive ideas in it. The first is that we recognize that cybersecurity risk is currently borne primarily by individuals, communities, small and medium businesses. So we are making every opportunity we can to shift that cybersecurity risk, the burden, from those that are least capable of handling it to those that are more capable of handling it. So that's large enterprises, that's producers, that's the federal government like me, to be able to bear that cybersecurity risk and buy it down.
The second large principle in that space is that we are thinking about how to strategically invest in resilience. What are the tools that we need in order to build the cyberspace that we want to have, regardless of the threat? Cybersecurity underpins everything that we do in our daily lives, it underpins our online banking, it underpins gaming, it underpins even watching cat videos. Cybersecurity enables all of that. Our refrigerators are connected these days, so how do we secure that space, so that we're able to do the things that that cyberspace is meant for us to do? So the strategy itself is divided into five pillars, but it really is a collection of tools that we have in order to rebalance that risk that I talked about, and also shape the strategic investments.
TR: What are the risks if it fails?
KW: So the risk is that the individual bears cybersecurity risk, right? At the end of the day, it's that we will cause schools, will cause my children, to bear the risk of clicking on a nefarious link. That is a problem. I want schools, for example, to be about the business of educating our children, and not necessarily going toe-to-toe with a nation-state actor. That's the world that we are trying to avoid by thinking in an affirmative way, in a positive way, about what we want cyberspace to deliver. And so we are making strategic investments in rebalancing that cybersecurity burden, and making investments in resilience, not just in the technology that cyberspace is reliant on, but also the people that are in cyberspace, and the roles and responsibilities, the doctrine, who's responsible for what.
TR: Why does the strategy focus on what we can do as defenders rather than on addressing the adversary directly?
KW: You know, we're getting great at defense, and we have to defend, right? We can defend all day, every day, but the end result is that if we're losing more slowly, we're still losing. Okay? That means that we're allowing the adversary to set our agenda. From a strategic principle, that is not where we need to be at this moment in time. We need to get ahead of the adversary, we need to develop a cyberspace that is defensible, yes, but also resilient, so that when our defenses fail — and they will sometimes — that it's not catastrophic, that downtime is short, that uptime is swift, right? That is where we're trying to achieve. We're setting our own agenda rather than having the adversary set the agenda for us.
TR: In your previous career you focused on financially-motivated criminal threats, rather than nation-state ones. Which do you think is the most pressing concern today?
KW: I would say it almost doesn't matter what the threat is, whether it's a nation-state actor, whether it's a cybercriminal actor, whether it's a natural disaster of some sort that cuts all the power lines. The idea is how do we make sure that our systems are resilient against any threat? But you know, I'm not Pollyannaish about this, we still have to defend. What are the digital skills, what are the cybersecurity skills, what's the workforce that we have behind that? Those are the things that I'm focused on. But ultimately, my objective, my North Star, is to make sure that we have a defensible, resilient digital ecosystem, full stop.
TR: In your keynote you spoke about how values shape technology and how technology can amplify our values. Your office has said its priority is allowing individuals and communities to thrive and prosper. What does that technology look like?
KW: So, a couple of answers there. I'm in an international context here at CyberUK and that's on purpose. My security in the United States is fully dependent upon the U.K.'s cybersecurity, it's fully dependent upon Germany's cybersecurity, it's fully dependent upon Nigeria's cybersecurity, right? So even though I'm the national cyber director, meaning that it's domestic in nature, it has to be reflective of the other economies around the world, and making sure that we are aligned with our values and what we expect for our cyberspace to deliver, that it's open, interoperable, and values-aligned. What do I mean by allowing communities to thrive and prosper? I mean just that. I want to make sure that cyberspace, the tool that we use as cyberspace, allows communities to be able to develop new business, to be able to educate children, to be able to have better agricultural farming techniques, right? I want all of it to happen in a safe way. In my experience, communities really don't develop well unless they feel safe. And that is true in the analog world. Now that we're in a digital ecosystem, that is true in a digital world too.
TR: Do you feel like your objective is supported by international partners?
KW: Absolutely. It has to be. Like I said, our security in the U.S. is fully dependent upon security of other countries around the world.
TR: Is there anyone that you wish could do more or would do better to push towards that shared objective?
KW: I think we're collectively rowing in the same direction. We all could do more, we could all do better. I think we are in a space right now where we're finding the common North Star among allies in particular, but even among competitors, we're finding areas of mutual interest or we're moving forward in the right direction.
TR: Do you think there's a lot of competition among what were historically called middle ground states to adopt that vision?
KW: So I've been hearing quite a bit from my counterparts and other countries, particularly here at this conference and others, like Munich Security Conference a few months ago, that there is a common ground. Every country that I've spoken with wants their communities to be able to thrive and prosper. They have the same objective. What enables that objective is the values that we build into our shared digital ecosystem. So we find common ground, or you find areas of mutual interest, and drive in that space.
TR: Finally, you're currently the acting national cyber director. Would you like to be the full director?
KW: Listen, I am so thrilled to come to work every day, whether I'm acting or in any other capacity, to do the work of the national cyber director's office. Right now, for me, the priorities are developing our implementation plan and making sure that the national cyber strategy functions in the way that we anticipate that it functions, to build the digital skills and workforce strategy because people are central to making sure that we have a safe, secure digital ecosystem. But if the president decides to nominate me, I am fully on board. If he decides to nominate someone else, I'm fully supportive.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.