On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy. The Strategy represents the latest push by the Administration to focus on cybersecurity concerns, following the release of Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021. The Strategy lays out the cybersecurity goals and objectives for the federal government and outlines a fundamental change in how the federal government wishes to allocate roles, responsibilities, and resources for cybersecurity. It contemplates placing greater responsibility on industry, particularly technology providers and owners and operators of systems that hold personal data.
The Strategy is broken into five pillars:
- Defend Critical Infrastructure;
- Disrupt and Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future;
- Forge International Partnerships to Pursue Shared Goals.
The first pillar builds on efforts seen in recent years to move away from voluntary compliance by industry and increase regulatory requirements, specifically in the critical infrastructure sectors. The federal government will leverage existing regulations to implement additional security requirements and, where additional regulatory authority is necessary, the Administration plans on working with Congress and regulators to address regulatory gaps. The Strategy prescribes that new regulations be performance-based and leverage existing cybersecurity frameworks, voluntary standards, and guidance, including the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals and National Institute of Standards and Technology frameworks. The Strategy also encourages regulators to incentivize cybersecurity investments through the rate-making process, tax structures, or other mechanisms.
As part of the third pillar, the Strategy seeks greater accountability for industry responsible for securing personal data, including legislative efforts that would impose clear limits on the “ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
Additionally, the Strategy contemplates shifting liability onto software producers that ignore best practices for secure software development, which we have previously discussed here, by calling for legislation establishing such liability and establishing a safe harbor framework to shield responsible companies that are meeting the standards.
The Strategy calls for cloud and other internet infrastructure service providers to make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior, but it is unclear how the government plans to enforce this requirement.
Notably for federal contractors, the Strategy emphasizes that the federal government will use its purchasing power and grant-making authority to incentivize security. Federal contractors are also reminded that the government will pursue legal action, through the Department of Justice’s Civil Cyber-Fraud Initiative (previously discussed in greater detail here), against companies that knowingly misrepresent their cybersecurity practices or protocols or knowingly violate obligations to monitor and report cybersecurity incidents or breaches.
Finally, the Strategy focuses on efforts by the federal government to shore up cybersecurity, including placing continued emphasis on software supply chain risk mitigation, moving federal IT and operational technology systems to implement a zero trust architecture, and preparing for a post-quantum future.
The Administration is developing an implementation plan, to be released in the coming months, describing how it proposes to address the objectives detailed in the Strategy. Critical infrastructure owners and operators, industry, software producers, and federal contractors should ensure they are in compliance with any applicable regulatory schemes and should monitor for updates that may impact their operations.