Additional Author Lauren N. Williams
The Biden administration released its National Cybersecurity Strategy (“Strategy”) on March 2, 2023.[1] The Strategy builds on previous policy actions by the Biden administration that sought to strengthen cybersecurity in critical infrastructure and protect personal data, including through regulatory action, government procurement requirements, and an emphasis on software security. The Strategy calls for (1) a “[r]ebalanc[ing of] the responsibility to defend cyberspace,” under which the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” with the Strategy notably highlighting the role of cloud services and software providers and (2) a “realign[ment of] incentives to favor long-term investments,” in part to “ensure that market forces and public programs alike reward security and resilience.” While still emphasizing public-private sector collaboration, the Strategy reflects an increased focus on regulatory action and private sector liability. Although many of the Strategy’s proposed changes will hinge on congressional action, if implemented by Congress and the administration, the Strategy would have significant consequences for certain businesses, including owners and operators of critical infrastructure, software developers, cloud providers, government contractors, and businesses that handle personal information. Understanding the Strategy and its potential implications accordingly will be important for companies across sectors.
The Strategy replaces the 2018 National Cyber Strategy and largely builds on the path charted by the 2021 Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” and on the National Security Memorandum “Improving Cybersecurity for Critical Infrastructure Control Systems.” It sets out its priorities within five pillars: (1) defend critical infrastructure, (2) disrupt and dismantle threat actors, (3) shape market forces to drive security and resilience, (4) invest in a resilient future, and (5) forge international partnerships to pursue shared goals. Below we highlight key elements of these pillars that could have important implications for businesses, including:
- Expanded regulation of critical sectors’ cybersecurity practices, including technology and cloud services
- Potential legislative debates over liability frameworks for software security
- Initiatives to increase the speed and scale of collaboration with the private sector to disrupt threat actor groups
- Efforts to harmonize cybersecurity regulations that apply to businesses
Pillar One: Defend Critical Infrastructure
Pillar One aims to set out a regime for “collaborative defense that equitably distributes risk and responsibility, and delivers a foundational level of security and resilience for our digital ecosystem.” It identifies five strategic objectives: (1) establish cybersecurity requirements to support national security and public safety, (2) scale public-private collaboration, (3) integrate federal cybersecurity centers, (4) update federal incident response plans and processes, and (5) modernize federal defenses.
New and expanded regulation is central to this pillar of the Strategy. The Strategy states that “[w]hile voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” To address this, the Strategy tasks federal agencies with using existing authorities to set minimum cybersecurity requirements for critical sectors. The administration states its intent to work with Congress to pursue legislation to cover areas where gaps in authority are present. The Strategy also notes that the administration “encourage[s]” states and independent regulators to use their authorities to set cybersecurity requirements in a “deliberate and coordinated manner.”
The Strategy identifies cloud-based services as a focus, given many sectors’ reliance on cloud infrastructure. The Strategy states that the administration plans to work with industry, Congress, and regulators to close any “gaps in authorities to drive better cybersecurity practices in the cloud computing industry.” To that end, during a rollout discussion of the Strategy at the Center for Strategic and International Studies (“CSIS”), Acting National Cyber Director Kemba Walden remarked that, since cloud services are a “baseline service across critical infrastructure sectors . . . [,] there needs to be some baseline minimum requirements that are common across all their customer sets.”[2]
The Strategy does not provide specifics on these intended regulations. Rather, it emphasizes “performance-based” requirements that “leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance” including the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Cybersecurity Performance Goals[3] and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.[4] The Strategy also describes an effort to be led by the Office of the National Cyber Director (“ONCD”), in coordination with the Office of Management and Budget (“OMB”), to harmonize federal cybersecurity regulations, which may be beneficial to cross-sector businesses facing conflicting and duplicative requirements. For example, the Strategy notes that the Cyber Incident Reporting Council will coordinate and deconflict federal incident reporting requirements.
Pillar One also lays out plans to enhance public-private information sharing and access to support from federal agencies during cyber incidents. For example, the Strategy states that the federal government will partner with the private sector to explore enhanced machine-to-machine data sharing that will enable “real-time, actionable and multi-directional” information sharing. This Pillar also describes a plan to increase inter-agency collaboration and integration to improve the private sector’s ability to reach and receive support from the appropriate federal agencies.
Pillar Two: Disrupt and Dismantle Threat Actors
Pillar Two targets “more sustained and effective disruption of adversaries” in pursuit of “mak[ing] malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” It states five strategic objectives: (1) integrate federal disruption activities, (2) enhance public-private operational collaboration to disrupt adversaries, (3) increase the speed and scale of intelligence sharing and victim notification, (4) prevent abuse of US-based infrastructure, and (5) counter cybercrime and defeat ransomware.
Pillar Two emphasizes offensive efforts to thwart threat actors and cause sustained disruption to malicious cyber activities. It outlines campaigns spearheaded by the Department of Justice and Department of Defense, noting the important role of the private sector in disruption efforts, including its visibility into adversary activity. To facilitate public-private collaboration in this area, the Strategy declares that the federal government will “increase the speed and scale of cyber threat intelligence sharing to proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.”
The Strategy describes a plan to engage with cloud and internet infrastructure providers to share information on malicious uses of their services and support victims who report abuses of these services. The Strategy further notes the need for providers to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”
The role of financial institutions is highlighted as part of efforts to combat ransomware. The Strategy emphasizes continuing and expanding implementation of Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) controls to combat the use of cryptocurrency to launder ransom payments. More broadly, the Strategy emphasizes that “the Administration strongly discourages the payment of ransoms” because the “most effective way to undermine the motivation of these criminal groups is to reduce the potential for profit.”
Pillar Three: Shape Market Forces to Drive Security and Resilience
Pillar Three reflects a judgment that “market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.” In the administration’s view, “[i]n too many cases, organizations that choose not to invest in cybersecurity negatively and unfairly impact those that do, often disproportionately impacting small businesses and our most vulnerable communities.” In light of this perspective, Pillar Three seeks to “shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” In doing so, Pillar Three states that the administration “will not replace or diminish the role of the market, but channel market forces productively toward keeping our country resilient and secure.” Pillar Three identifies six strategic objectives to that end: (1) hold the stewards of our data accountable, (2) drive the development of secure Internet of Things (“IoT”) devices, (3) shift liability for insecure software products and services, (4) use federal grants and other incentives to build in security, (5) leverage federal procurement to improve accountability, and (6) explore a federal cyber insurance backstop.
Pillar Three reiterates the administration’s support of legislation regarding the handling of personal data. The Strategy states that the administration “supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.” In addition, the Strategy states that this legislation should include national standards for securing personal data that align with NIST standards and guidelines.
The Strategy also highlights a new priority to “shift liability onto those entities that fail to take reasonable precautions to secure their software,” albeit while also acknowledging that “even the most advanced software security programs cannot prevent all vulnerabilities.” The Strategy criticizes vendors that “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance” as well as those who “leverage their market position to fully disclaim liability by contract.” It describes the desired legislation as limiting the ability of providers to fully disclaim liability by contract and establishing a “higher standard of care for software in specific high-risk scenarios.” The Strategy states that the administration will drive the “development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” which will draw from best practices such as the NIST Secure Software Development Framework. (During the CSIS launch event, Deputy National Security Advisor Anne Neuberger said that the administration would learn from existing liability regimes for products, such as vehicle safety standards, as it assesses how to incentivize development of secure software.) Pillar Three also identifies four other steps the administration intends to pursue to enhance software security: (1) encouraging coordinated vulnerability disclosure, (2) promoting the further development of Software Bills of Materials (“SBOMs”), (3) developing a process for mitigating risk from unsupported software, and (4) partnering with the private sector and the open-source software community to invest in the development of secure software. (We discuss similar software security-focused questions in a webinar.)
Pillar Three also highlights existing initiatives on IoT cybersecurity as well as federal procurement requirements under EO 14028. Pillar Three highlights the administration’s work on IoT device labeling, for example, and asserts that “[c]ontracting requirements for vendors that sell to the Federal Government have been an effective tool for improving cybersecurity.” On the latter point, Pillar Three notes that “[c]ontinuing to pilot new concepts for setting, enforcing, and testing cybersecurity requirements through procurement can lead to novel and scalable approaches.” This Pillar also explains that the government will hold companies that fail to meet contractual commitments regarding cybersecurity practices accountable under existing laws such as the False Claims Act.
In addition, Pillar Three addresses cyber incident insurance. The Strategy observes that the existing cyber insurance market might be insufficient in the event of a catastrophic cyber incident. Accordingly, the administration intends to explore “the need for and possible structures of a Federal insurance response to catastrophic cyber events.”
Pillar Four: Invest in a Resilient Future
Pillar Four seeks to help “build a more secure, resilient, privacy-preserving, and equitable digital ecosystem through strategic investments and coordinated, collaborative action.” It states six strategic objectives: (1) secure the technical foundation of the internet; (2) reinvigorate federal research and development for cybersecurity; (3) prepare for our post-quantum future; (4) secure our clean energy future; (5) support development of a digital identity ecosystem; and (6) develop a national strategy to strengthen our cyber workforce.
The Strategy notes the need to develop and implement solutions to secure the technical foundations of the internet, many of which the administration views as “inherently vulnerable.” The Strategy calls for renewed federal investment in research and development in technologies, such as quantum-resistant cryptography-based environments and enhanced digital identity solutions. This pillar also states that ONCD will lead the charge in the implementation of the strategy for an expanded cyber workforce.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
Pillar Five reflects the goal of “a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly.” Reflecting the intent to build “a broad coalition of nations working to maintain an open, free, global, interoperable, reliable, and secure Internet,” this pillar identifies five strategic objectives: (1) build coalitions to counter threats to our digital ecosystem; (2) strengthen international partner capacity; (3) expand US ability to assist allies and partners; (4) build coalitions to reinforce global norms of responsible state behavior; and (5) secure global supply chains for information, communications, and operational technology products and services.
This pillar highlights the administration’s commitment to strengthening collaboration with partners to combat threat actors based in foreign countries, establishing policies for providing cyber support to allies, and holding states accountable for violating international law in cyberspace. It also advocates for examining the dependency on foreign products and services that pose a risk to the United States’ digital ecosystem. The Strategy states that “[c]ritical inputs, components, and systems must increasingly be developed at home or in close coordination with allies and partners.” This aligns with existing federal government efforts to secure supply chains, such as the International Technology Security and Innovation Fund established by the CHIPS and Science Act of 2022 to support secure semiconductor and telecommunications supply chains.
The Strategy directs ONCD to coordinate implementation of the Strategy under the oversight of National Security Council staff and in coordination with OMB. The precise pace and course of these implementation efforts remain to be seen. Given the limited availability of details on the potentially significant requirements described in the Strategy, companies should continue to monitor for legal and regulatory developments and for opportunities for private sector input in legislative and administrative processes.