Overview of the National Cybersecurity Strategy
The Biden-Harris Administration has unveiled its highly anticipated National Cybersecurity Strategy — a sweeping and ambitious document calling for "fundamental changes to the underlying dynamics of the digital ecosystem." The Strategy sets numerous strategic objectives, ranging from defending federal government systems from cyber threats, increasing public-private collaboration on cyber resilience, shaping cybersecurity norms through federal procurement, and bolstering international law enforcement efforts to stop cyber criminals, to imposing mandatory cybersecurity standards for critical infrastructure operators, pursuing federal data privacy legislation, developing "know your customer"-style rules for cloud infrastructure providers, and limiting software vendors' ability to disclaim liability for software vulnerabilities. We summarize key objectives of the Strategy and provide takeaways for businesses looking to anticipate developments in federal cybersecurity regulation.
Overview
These five key "pillars" are the foundation of the Biden Administration's National Cybersecurity Strategy:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
For each pillar, the Strategy identifies a set of "strategic objectives," pursuit of which requires two "fundamental shifts" in the nation's approach to cybersecurity: rebalancing cybersecurity responsibilities away from end users and smaller organizations and placing them on "the most capable and best-positioned actors" in the public and private sectors, namely "the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems"; and realigning incentives in both government programs and private sector markets to encourage long-term research, development and implementation investments in cyber resilience.[1]
Key Takeaways
The Strategy is aspirational and in some places highly so. The document proposes several foundational changes — and at least one seismic shift — in how cybersecurity is regulated at the federal level. Many such changes would require major legislative enactments and are unlikely to come to fruition, at least any time soon. Still, companies should review the Strategy to better understand the federal government's cybersecurity priorities and to anticipate some of the proposals that are more likely to materialize.
Key takeaways from the National Cybersecurity Strategy include:
- Possible New Cybersecurity Requirements for Some Critical Infrastructure Sectors. At least some private sector operators of critical infrastructure may soon face new or strengthened cybersecurity requirements. Where rulemaking authority already exists, federal agencies may leverage that authority to issue new or stronger cybersecurity rules. Following the 2021 cyberattack against Colonial Pipeline, the Transportation Security Administration (TSA) exercised its more than 20-year-old authority to regulate pipeline cybersecurity and issued mandatory cyber directives for the first time (we discuss the evolution of the TSA directives here and here). The TSA has since issued cyber directives for rail and other surface transit operators as well and may pursue broader cybersecurity regulations for the industries it regulates (we discuss recent TSA rulemaking activity here). Other agencies may follow suit in exercising existing authority to issue cyber rules. Agency rulemaking authority is largely sectoral, meaning that new cybersecurity rules likely will apply to operators in certain sectors but not others. This could result in a regulatory patchwork, which perhaps is one reason the Strategy calls for an effort to harmonize and streamline new and existing cybersecurity regulations.[2]
- Building on CIRCIA. Efforts to regulate critical infrastructure cybersecurity may build on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and forthcoming implementing rules from CISA (we analyze both here). For example, the administration may seek to have entities that are required to notify of cyber incidents under the CISA rules adopt the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (which currently is undergoing a revamp), the CISA Cross-Sector Cybersecurity Performance Goals, or other frameworks or requirements. New cross-sector cybersecurity requirements for critical infrastructure likely would require a new congressional enactment. While there appears to be at least some political consensus on developing cybersecurity rules for critical infrastructure, it is difficult to say whether Congress will enact such requirements.
- Possible New Cybersecurity Requirements in Government Contracts. The Strategy calls for the federal government to continue using its sprawling procurement system to drive cybersecurity practices and norms. However, the Strategy does not propose any new or enhanced requirements. Even so, examining and developing cybersecurity rules of government contractors has been a priority for the administration, and it is likely that the federal government will continue to add such rules to its procurement regulations. Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which President Biden issued in May 2021, directs the government to pursue various amendments to the Federal Acquisition Regulation (FAR) and its supplements to standardize cybersecurity requirements in government contracts and require reporting of cyber incidents by contractors, among other things (we discuss EO 14028 here). The government's regulatory agenda for 2023 includes an effort to amend the (FAR) "to standardize common cybersecurity contractual requirements across federal agencies."
- KYC for IaaS. Cybercriminals frequently misuse legitimate cloud-based infrastructure-as-a-service (IaaS) to launch attacks. In doing so, cybercriminals may use fake identities to create cloud accounts, pay for cloud services with stolen payment cards, quickly create and then delete virtual servers used for their attacks, and take other steps to operate in obscurity. The Strategy calls for the implementation of a Trump-era executive order, which directs the Secretary of Commerce to propose "know your customer"-type rules requiring IaaS providers to collect information about foreign users' identities, source of payment, and other details.[3]
- IoT Security Labeling Program. The National Cybersecurity Strategy also looks to build on provisions of EO 14028 directing NIST and the Federal Trade Commission (FTC) to develop a consumer labeling program for Internet-of-things (IoT) security practices (we discuss the executive order here and NIST's work on developing the labeling program here).[4] Likened to the Energy Star program for energy efficiency, the IoT consumer labeling program is intended to help consumers more easily identify IoT devices that implement specified cybersecurity safeguards.
- Proposed Cyber Liability Shifting for Software and Technology Providers. No provision of the strategy has received as much attention as the proposal to shift liability for cybersecurity vulnerabilities to software and other technology providers that "fail to take reasonable precautions to secure their software…."[5] Specifically, the Strategy calls for legislation that would prohibit providers from fully disclaiming liability for vulnerabilities while providing a safe harbor for companies that follow secure development and maintenance practices. Legislation of this kind would force massive shifts in software and technology markets, including in how cloud-services providers and their customers apportion responsibility for the security of cloud platforms, and could subject technology providers to devastating liability. Given the potential consequences of such legislation and the general difficulty of getting bills through Congress, this provision of the strategy is perhaps the least likely to be implemented.
- Support for Federal Privacy and Security Legislation. The Strategy appears to take a strong stand in favor of federal privacy legislation as well as federal security requirements based on NIST guidance and standards.[6] Even so, the prospects of a federal privacy law passing Congress are unclear as various proposals have circulated for years without significant action.
Summary of the Five Pillars
Here we summarize the National Cybersecurity Strategy's five pillars and the strategic objectives of each.
Pillar 1: Defend Critical Infrastructure
Pillar 1 is a clarion call for a "collaborative" public-private model for defending the nation's critical infrastructure from advanced cyber threats, particularly those from nation-state and related actors.[7] The core of this proposed model is the establishment of mandatory cybersecurity standards for critical infrastructure operators (Strategic Objective 1.1), which the strategy says are necessary for effective public-private collaboration. These requirements are to be "performance-based" and leverage existing frameworks such as the CISA Performance Goals and the NIST Cybersecurity Framework.
Pillar 1 also contemplates measures to enhance collaboration among CISA and federal agencies responsible for coordinating cybersecurity efforts among specific critical infrastructure sectors, information sharing and analysis organizations (ISAOs), and sector-focused information sharing and analysis centers (ISACs) (Strategic Objective 1.2). Pillar 1 further speaks to the U.S. government's role in protecting its own systems and maintaining its capabilities, including the integration of federal cybersecurity centers, updating agencies' incident response plans, and modernizing federal defenses through continued adoption of a zero trust architecture strategy and migration of federal systems to the cloud (Strategic Objectives 1.3, 1.4 and 1.5) (we discuss the federal government's zero trust strategy here and additional cloud migration efforts here).[8]
Pillar 2: Disrupt and Dismantle Threat Actors Through Cadre of Initiatives
For Pillar 2, the federal government will use "all instruments of national power" to disrupt and dismantle threat actors capable of inflicting damage on the U.S. digital ecosystem. Specifically, Pillar 2 sets forth initiatives designed to improve intelligence sharing, execute disruption campaigns against cyber attackers at scale, prevent misuse and compromise of U.S.-based computing infrastructure, and thwart global ransomware campaigns.
Perhaps the most notable proposal in Pillar 2 is the development of KYC-type rules for U.S. IaaS providers. Pillar 2 seeks to prevent malicious actors' abuse of U.S.-based Internet infrastructure, including cloud services, hosting and email providers, domain registrars and others (Strategic Objective 2.4), including through the implementation of Executive Order (EO) 13984, "Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities." EO 13984, issued by President Trump in 2021, directs the Secretary of Commerce to propose rules requiring U.S. IaaS providers to collect information about a foreign customer's identity, means and source of payment for service, IP addresses used, and other account information. Under Pillar 2, the administration will "prioritize adoption and enforcement of a risk-based approach to cybersecurity across [IaaS] providers that addresses known methods and indicators of malicious activity…."[9]
Pillar 2 also includes proposals to integrate the activities of various federal agencies to disrupt cyber criminals (Strategic Objective 2.1), enhance public-private operational collaboration to disrupt attackers (Strategic Objective 2.2), increase the speed of scale of intelligence sharing within the government and between the public and private sectors (Strategic Objective 2.3) and countering ransomware, including through the 35-nation Counter Ransomware Initiative (CRI), the federal government's Joint Ransomware Taskforce (JRTF), and continued targeting of illicit cryptocurrency exchanges through anti-money laundering and terrorist financing regulations and enforcement (Strategic Objective 3.5) (we discuss the federal government's "whole of government" anti-ransomware and related cryptocurrency initiatives here).[10]
Pillar 3: Shape Market Forces to Drive Security and Resilience
Pillar 3 focuses on strategies and policies to shape market forces and place responsibility on those within the U.S. digital ecosystem that are "best positioned" to reduce cybersecurity risks. Two strategic objectives identified for Pillar 3 already have gained significant attention since the Strategy was published.
First, the Strategy appears to take a firm stand in favor of federal privacy legislation. It seeks to "[h]old stewards of our data accountable," including through "legislative efforts to impose robust, clear limits" on personal data collection and use and "strong protections" for sensitive personal data like geolocation and health data (Strategic Objective 3.1). The Strategy also supports requiring that personal data be secured using standards and guidelines from NIST.[11]
Second, perhaps no strategic objective has garnered more attention than the one to shift liability onto software providers that "fail to take reasonable precautions to secure their software…." (Strategic Objective 3.3). The strategy suggests liability as a way of incentivizing vendors to pay more attention to cybersecurity and calls for legislation to "prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios." This objective also envisions a liability safe harbor for companies that securely develop and maintain their devices and software. Further, the administration intends to encourage further development of software bills of materials (SBOMs) and processes for identifying and remediating vulnerable software used by critical infrastructure.[12]
Pillar 3 also looks to continue the work of EO 14028, "Improving the Nation's Cybersecurity," in developing an IoT security labeling program to help consumers more easily compare the security of IoT products and identify those that meet certain security criteria (Strategic Objective 3.2).[13] Moreover, Pillar 3 calls for the federal government to use its massive procurement system to drive cybersecurity practices (Strategic Objective 3.5).[14] The administration intends to further develop cybersecurity requirements in federal contracts and continue to use its Civil Cyber-Fraud Initiative (CCFI) to pursue civil actions against contractors who knowingly put information or systems at risk by providing deficient cybersecurity products or services or misrepresenting their compliance with federal cyber rules (we discuss the CCFI here). Additional proposals for Pillar 3 involve use of federal grants and other incentives for security research, development and investment (Strategic Objective 3.4)[15] and exploring a federal cyber insurance "backstop" for catastrophic cyber events (Strategic Objective 3.6).[16]
Pillar 4: Invest in a Resilient Future
Pillar 4 seeks a comprehensive approach to investing in the cybersecurity of current and future infrastructure. Objectives of Pillar 4 include securing the "technical foundation of the Internet" by mitigating vulnerabilities in core Internet communications protocols (Strategic Objective 4.1), prioritizing migration of vulnerable public networks to systems using quantum-resistant cryptography (Strategic Objective 4.3), accelerating the transition to clean energy technologies (Strategic Objective 4.4), encouraging the development of secure digital identity solutions (Strategic Objective 4.5), working to strengthen the nation's cybersecurity workforce (Strategic Objective 4.6), and focusing federally funded research investments on three families of critical technologies: computing-related technologies, including microelectronics, quantum information systems and artificial intelligence; biotechnologies and biomanufacturing; and clean energy technologies (Strategic Objective 4.2).[17]
Pillar 5: Forge International Partnerships to Pursue Shared Goals
Pillar 5 focuses on strengthening international partnerships to better counter and mitigate global cyber threats. Pillar 5 details strategies for expanding international partner law enforcement efforts (Strategic Objective 5.1), strengthening the capacity of partner nations to build cyber resilience (Strategic Objective 5.2), expanding the nation's ability to support allies and partners in combatting cyber threats (Strategic Objective 5.3), building coalitions to reinforce cybersecurity norms for state actors (Strategic Objective 5.4) and securing global supply chains for IT, communications and operational technology (OT), including by building on the National Strategy to Secure 5G, two Trump-era executive orders to secure technology supply chains, and efforts to run critical supply chains through the United States and allied nations (Strategic Objective 5.5).[18]
Conclusion
While the Strategy is ambitious, some of its proposals already are controversial, and many of its boldest objectives may never come to fruition. Even so, the Strategy is important for understanding the administration's priorities and anticipating cybersecurity developments at the federal level. DWT's Privacy and Security team will continue to monitor the Biden Administration's rollout and implementation of its National Cybersecurity Strategy.
[1] National Cybersecurity Strategy, 4-5 (March 2023). The White House announced publication of the Strategy with an accompanying Fact Sheet available here: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy.
[2] National Cybersecurity Strategy, 9. "Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation." Id. at 8.
[3] Id. at 16-17.
[4] Id. at 20.
[5] Id. at 20.
[6] Id. at 19-20.
[7] Id. at 7.
[8] Id. at 10-13.
[9] Id. at 16-17.
[10] Id. at 14-18.
[11] Id. at 19-20.
[12] Id. at 20-21.
[13] Id. at 20.
[14] Id. at 22.
[15] We discuss a recent effort by the Federal Energy Regulation Commission (FERC) to incentive adoption of cybersecurity practices in the electric grid here.
[16] National Cybersecurity Strategy, 21-22.
[17] Id. at 23-28.
[18] Id. at 33.