On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.
The strategy presents its goals through five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
To effectuate these goals, the strategy proposes two fundamental shifts in present cybersecurity policy: (1) rebalancing the risks of cybersecurity threats toward industry and the government rather than end users and (2) realigning incentives to promote long-term investments in resilient, defensible systems.
We provide a summary of the strategy below, but first highlight several of its key components.
First, most of the strategy builds on existing priorities, including incident reporting for critical infrastructure, disrupting ransomware groups and other threat actors, leveraging federal procurement regulations to impose cybersecurity standards, and coordinating cross-sectoral cybersecurity issues via the Cybersecurity and Infrastructure Security Agency (CISA).
Second, the Biden administration is seeking to shift the costs of cyber vulnerabilities from consumers to producers and manufacturers. We previously discussed how this might occur after the President’s May 12, 2021 executive order, “Improving the Nation’s Cybersecurity.” Other administration officials have analogized the effort to placing seatbelts in cars — to shift the burden away from the consumer and onto whichever entity is building the product the consumer uses.
Third, the strategy hints at a few novel proposals that will continue to evolve, such as a federal cyber insurance backstop for certain major cyber events and expanding the ability of the Cyber Safety Review Board to review significant cyber events. The administration also requests additional authorities allowing federal agencies to implement cybersecurity requirements.
Fourth, the administration acknowledges that several of its proposals, such as shifting liability to the producers of software products and services, require legislative action. To this end, the strategy reflects the administration’s intention to push for such legislation to be drafted and passed.
While expansive, the publication of the National Cybersecurity Strategy remains a first step. The administration must now implement it — a task that the White House’s Office of the National Cyber Director will oversee.
Summary of Strategy Components
Defend Critical Infrastructure
- Enact performance-based regulations and guidance requiring compliance with industry best practices, as well as incident reporting from critical infrastructure owners and operators and their service providers.
- Increase collaboration among CISA, the federal agencies responsible for specific critical sectors, and individual owners and operators of critical infrastructure.
- Consolidate the federal government’s distinct cyber capabilities to create Federal Cybersecurity Centers that can enable a holistic response.
- Establish a “call to one is a call to all” policy for incident notification to federal agencies coordinated by CISA. This will also allow federal agencies to understand what resources are available to them after an incident has occurred.
- Modernize federal systems by replacing legacy systems, migrating to cloud-based services, mitigating software supply chain risk, and sharing certain centralized services.
Disrupt and Dismantle Threat Actors
- Update the Department of Defense’s cyber strategy to clarify how the department will integrate cyberspace into its defense efforts.
- Expand the National Cyber Investigative Joint Task Force to coordinate joint takedown and disruption campaigns more frequently, quickly, and on a larger scale.
- Encourage the private sector to use nonprofit organizations for operational collaboration with the federal government (e.g., the National Cyber-Forensics and Training Alliance).
- Warn defenders and notify victims earlier when the government has information that an organization is being targeted or is already compromised.
- Review declassification policies to determine whether expanding clearances or access is necessary to provide actionable intelligence to critical infrastructure owners and operators.
- Prioritize and enforce a risk-based approach to prevent exploitation of U.S.-based infrastructure through implementation of Executive Order 13984, “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.”
- Disrupt ransomware by encouraging international cooperation, investigating ransomware crimes, and bolstering infrastructure resilience.
- Target illicit cryptocurrency exchanges that may be financing ransomware operations.
Shape Market Forces to Drive Security and Resilience
- Hold accountable companies that fail to protect consumer privacy.
- Support legislation that lays out national data security requirements consistent with National Institute of Standards and Technology (NIST) standards and guidelines.
- Expand Internet of Things device security labels so that consumers can compare products.
- Shift liability for software vulnerabilities onto software producers, with an adaptable framework serving as a safe harbor (such as NIST’s Secure Software Development Framework).
- Use federal grants and procurement regulations to require cybersecurity safeguards from applicants.
- Consider a federal cyber insurance backstop for catastrophic cyber incidents.
Invest in a Resilient Future
- Adopt security measures and support nongovernmental standards-developing organizations to mitigate systemic risks.
- Prioritize research and development to proactively prevent and mitigate cybersecurity risks.
- Establish a process to transition the country’s cryptographic systems to quantum-resistant cryptography.
- Prioritize the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments.
- Build cybersecurity defenses proactively as the U.S. expands its clean energy infrastructure.
- Encourage investments in verifiable, consent-based digital identity solutions.
- Implement a national strategy to develop a cyber workforce.
Forge International Partnerships to Pursue Shared Goals
- Build international coalitions to share cyberthreat information, exchange model practices, compare sector-specific expertise, and coordinate incident response policies.
- Strengthen the capacity of like-minded states to secure their own critical infrastructure, share information, and prosecute cybercrimes.
- Expand U.S. abilities to assist U.S. allies that have been affected by cyber incidents, including the ability to rapidly deploy expertise to respond to cyberattacks.
- Work with the United Nations and our partners to reinforce global norms regarding responsible state behavior.
- Secure global supply chains from disruptions and vulnerabilities by increasing U.S. domestic capacity and working with U.S. allies to build transparent and resilient supply chains.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.