On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the "Strategy") with a goal "to secure the full benefits of a safe and secure digital ecosystem for all Americans."
Summary and Analysis
The Strategy highlights the government's commitment to investing in cybersecurity research and new technologies to protect the nation's security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels. Investing in quantum-resistant systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.
The Strategy makes evident the Administration's desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers. To that end, we should expect legislation regarding baseline cybersecurity measures and establishing new liabilities for providers of software products and services. Further, the Administration emphasizes its support for legislative efforts for data minimization and increasing protection for sensitive data, which puts additional pressure on Congress to pass a federal privacy law.
The Strategy builds on sustained efforts by the Biden Administration to protect the nation's critical infrastructure, including:
- The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) - expands the reporting obligations of covered entities;
- The 2022 Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act - reduces reliance on China-based suppliers of emerging technologies by providing a financial incentive for investment in U.S. semiconductor manufacturing and the creation of collaborative networks for research and innovation;
- President Biden's 2021 Executive Order - strengthens the nation's cybersecurity defenses by mandating that all federal agencies use basic cybersecurity measures (such as multifactor authentication) and requiring new security standards for software makers that contract with the federal government; and
- President Biden's 2021 national security memorandum - directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure.
The Five Pillars
Replacing the 2018 Trump Administration strategy, which focused on voluntary public-private partnerships and information-sharing practices, the new framework mapped out by the Strategy pushes for a more aggressive and comprehensive regulatory approach. Combining government actions with new requirements for the private sector, which owns the majority of the country's critical infrastructure, the Strategy aims to tackle some of our nation's most difficult and complex issues in cybersecurity, software liability, and regulatory programs by centering on the following five pillars:
- Defend Critical Infrastructure;
- Disrupt & Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future; and
- Forge International Partnerships to Pursue Shared Goals.
I. Defend Critical Infrastructure
The Administration makes clear that this pillar "is vital to our national security, public safety, and economic prosperity." This pillar focuses on private-public collaboration to equitably distribute risk and responsibility, and includes five strategic objectives:
- Establish Cybersecurity Requirements to Support National Security and Public Safety. Protecting critical services is essential to the American people's confidence in the nation's infrastructure and the economy, and the Strategy breaks out three categories of activity to accomplish this objective:
a) Establish Cybersecurity Regulation to Secure Critical Infrastructure. To the extent possible, the government plans to use existing authorities to create a set of "minimum expected cybersecurity practices" for the infrastructure sector that are performance-based and adaptable. Where gaps in the law exist, the Administration plans to work with Congress to close them with the goal of ensuring that systems are designed to "fail safely and recover quickly." The Administration plans to drive improvements in cybersecurity practices in the cloud computing industry and other essential services for these industry sectors.
b) Harmonize and Streamline New and Existing Regulations. A key goal of the Strategy is controlling the costs and other burdens of compliance for regulated entities to enable them to commit more resources to cybersecurity. To that end, the Strategy calls for regulators to (1) seek to harmonize regulations, audits, and reporting requirements as they are developed—for example, by leveraging existing international standards where consistent with U.S. policy and law, and (2) work together to minimize instances where existing regulations are in conflict, duplicative, or overly burdensome.
c) Enable Regulated Entities to Afford Security. The Strategy offers several approaches to accommodate critical infrastructure sectors with varying capacities to absorb the costs of security. This includes calling for regulation that ensures a level playing field in sectors with a greater ability to absorb costs, so that companies do not compete by underspending their peers on cybersecurity. The Strategy also describes how low-margin sectors will likely need incentives to invest in cybersecurity, for example through rate-making processes, tax structures, or other mechanisms.
- Scale Public-Private Collaboration. The Strategy stresses the importance of creating a distributed network of cyber defense, developed by collaboration between defenders and enabled by the automated exchange of information. For example, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency ("CISA") will employ Sector Risk Management Agencies ("SRMAs") to coordinate with and support critical infrastructure owners to protect the assets they operate. The government plans to invest in developing SRMA capabilities to enable security and resilience improvements across critical infrastructure sectors and support maturation of third-party collaboration mechanisms. Additionally, information sharing and analysis organizations ("ISAOs"), sector-focused information sharing and analysis centers ("ISACs"), and similar organizations will be leveraged to facilitate cyber defense operations.
The Strategy also acknowledges that machine-based solutions will be required to improve the sharing of information and coordination of defensive efforts. To accomplish this, CISA and SRMAs will explore technical and organizational mechanisms in partnership with the private sector to enhance and evolve data sharing, and the federal government will deepen its collaborative efforts with software, hardware, and managed service providers which have the capability to provide greater cybersecurity and resilience.
- Integrate Federal Cybersecurity Centers. Federal Cybersecurity Centers will serve as collaborative nodes that bring together capabilities across entities involved with homeland defense, law enforcement, intelligence, and diplomatic, economic, and military missions to drive intragovernmental coordination and support non-federal partners.
- Update Federal Incident Response Plans and Processes. The federal government will aim to present a unified, coordinated, whole-of-government response to cyber incidents when federal assistance is required, including, for example, that CISA will update the National Cyber Incident Response Plan ("NCIRP"). The Strategy discusses how these efforts will harmonize new requirements, such as CIRCIA's to-be-finalized requirement that covered entities report cybersecurity incidents to CISA within hours in order to strengthen the collective defense, and current efforts by the Cyber Safety Review Board (CSRB), which is comprised of private and public sector cybersecurity leaders and will review incidents and guide industry remediation.
- Modernize Federal Defenses. The Administration will focus on long-term efforts to defend federal systems in accordance with zero-trust principles. In addition, it commits to develop plans to collectively defend federal civilian agencies, modernize federal technology systems, and defend national security systems.
II. Disrupt & Dismantle Threat Actors
Pillar 2 discusses the commitment to use "all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests," focusing on heading off "sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States." One of the ways to accomplish this is to make cyber-enabled campaigns unprofitable. There are five strategic objectives for disrupting and dismantling threat actors:
- Integrate Federal Disruption Activities. The Strategy outlines three commitments to integrate the federal government's disruption efforts. First, the DOD will update its departmental cyber strategy so that it is aligned with "the National Security Strategy, National Defense Strategy, and [the] Strategy" to ensure that cyberspace operations are integrated into other strategic defense efforts. Second, the National Cyber Investigative Joint Task Force ("NCIJTF") will "expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and frequency." Third, the DOD and the intelligence community "commit[s] to bringing to bear their full range of complementary authorities to disruption campaigns."
- Enhance Public-Private Operational Collaboration to Disrupt Adversaries. To enhance the collaboration between the public and private sectors, the Strategy "encourage[s]" private companies to organize cyber-disruption efforts "through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government, such as the National Cyber-Forensics and Training Alliance (NCFTA)." The Strategy also commits the government to lowering barriers in the interests of supporting and leveraging collaboration.
- Increase the Speed and Scale of Intelligence Sharing and Victim Notification. One aspect of disrupting and dismantling threat actors is to increase the speed and scale of intelligence sharing, both to and from victims. The Strategy commits to "proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised." Part of implementing this is to "review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances." The Strategy also calls on "SRMAs, in coordination with CISA, law enforcement agencies, and the [Cyber Threat Intelligence Integration Center (CTIIC) to] identify intelligence needs and priorities within their sector and develop processes to share warnings, technical indicators, threat context, and other relevant information with both government and non-government partners."
- Prevent Abuse of U.S.-Based Infrastructure. The Strategy commits to working with cloud and infrastructure providers to address the full gamut of issues that they may face, from quickly identifying malicious use of such infrastructure, notifying the government in the event of such malicious use, making it easier for victims to report such abuse, and preventing the malicious use in the first place. This strategy also places an expectation on "[a]ll services providers" to "make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior."
- Counter Cybercrime, Defeat Ransomware. The Strategy calls out ransomware in particular as a threat and identifies four processes to combat it: "(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments." This effort includes contributions from the Counter-Ransomware Initiative (CRI) with 30 other countries and the Joint Ransomware Task Force. It also includes further consideration of international anti-money laundering and combating the financing of terrorism (AML/CFT) standards. To achieve these objectives, the Strategy focuses on mounting "disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable." Accordingly, the Strategy repeats the position that the U.S. government has held for years: "strongly discourag[ing] the payment of ransoms" and encouraging victims to report the incidents to law enforcement and other appropriate agencies.
III. Shape Market Forces to Drive Security and Resilience
Pillar 3 of the Strategy focuses on shaping market forces to reduce risk and strengthen our digital ecosystem to keep our country resilient and secure. Market forces are important to driving broader adoption of best practices in cybersecurity, but the Administration will shape the long-term security and resilience of the digital ecosystem by increasing accountability, driving development of more secure connected devices, reshaping existing laws, using federal purchasing power to incentivize security, and stabilizing insurance markets against catastrophic risk, through the following six strategic objectives:
- Hold the Stewards of our Data Accountable. The Administration supports legislative efforts to protect consumers by imposing limitations on technologies that collect personal information. Failures to protect personal information pass the harm on to consumers, and often the greatest harm falls upon the most vulnerable populations. To protect consumers, legislation should provide strong protections for personal and sensitive data and set national requirements to secure data consistent with the standards and guidelines developed by NIST.
- Drive the Development of Secure IoT Devices. Many IoT devices today are vulnerable to cybersecurity threats and exploitation by bad actors. The Administration will continue to improve IoT cybersecurity through research and development and risk management efforts under the 2020 IoT Cybersecurity Improvement Act and security labeling programs under Executive Order 14028, "Improving the Nation's Cybersecurity" (the "Cybersecurity Executive Order"). The goal is to expand IoT security labels, allowing consumers to compare protections for different IoT products, and create a market incentive for greater security for IoT devices.
- Shift Liability for Insecure Software Products and Services. The Administration will begin to shift liability onto entities that fail to take reasonable precautions to secure their software while at the same time recognizing that even advanced software security programs cannot prevent all vulnerabilities. Legislation will be designed to prevent manufacturers and software publishers from fully disclaiming liability and establish higher security standards, while also providing a safe harbor for companies that do securely develop and maintain their software products and services. These so-called safe harbor provisions will draw from current best practices, such as the NIST Secure Software Development Framework, but will also need to be flexible enough to evolve over time to keep up with technological advancements. The Administration also encourages coordinated vulnerability disclosures and further development of Software Bill of Materials (SBOMs), as well as processes for identifying and mitigating the risk of unsupported software used by critical infrastructure.
- Use Federal Grants and Other Incentives to Build in Security. The Administration is committed to investing in programs to improve infrastructure and the digital ecosystem supporting it, and balancing cybersecurity requirements. The federal government will collaborate with State, Local, Tribal and Territorial ("SLTT") entities, private sector stakeholders, and other partners to drive investment in secure and resilient products and to fund cybersecurity research, development, and demonstration programs.
- Leverage Federal Procurement to Improve Accountability. One successful method of improving cybersecurity has been to implement specific contracting requirements for federal government vendors. The Cybersecurity Executive Order expands cybersecurity requirements for contracts, ensuring that such standards are strengthened and standardized across federal agencies. The Department of Justice's ("DOJ's") Civil Cyber-Fraud Initiative (CCFA) will hold accountable entities that knowingly: put data at risk through deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, or violate obligations to monitor and report cyber incidents and breaches.
- Explore a Federal Cyber Insurance Backdrop. The Administration will assess the need for and the potential structure of a federal response to a catastrophic cyber event, which will include analyzing current cyber insurance offerings. Input will be sought from Congress, state regulators, and industry stakeholders to determine if a plan is necessary and how to structure a response to stabilize and aid recovery to prepare for a catastrophic cyber event before one occurs.
IV. Invest in a Resilient Future
The Strategy's fourth pillar relies on the following five strategic objectives to accomplish the Administration's commitment to investing in the concept of resilience in the face of near-certain cyber-attacks:
- Cybersecurity Research & Development. The Strategy recognizes that cyber adversaries have been weaponizing American innovation and using it against our country to steal intellectual property, sow dissent, interfere with elections, and undermine our national defenses. Because of this, the Strategy recommends that investment and innovation must go hand-in-hand with cybersecurity efforts, and that it will be critical for our government to harness emerging technologies for cybersecurity purposes as those technological advancements are made.
- Securing the Technical Foundation of the Internet. Acknowledging that the very foundation of the Internet has inherent vulnerabilities that need to be addressed (specifically mentioning the Domain Name System and Border Gateway Protocol), the Strategy prioritizes protection of the multistakeholder model of Internet governance and standards development. Principles such as transparency, openness, and consensus are at the core of our nation's values and will drive the evolution of more secure technical standards and technologies.
Because of the rapid pace at which technologies are advancing, the Strategy advocates for the Federal Research and Development enterprise to direct projects to advance cybersecurity and resilience in areas such as encryption, the protection of industrial control systems, and artificial intelligence.
- Preparing for a Post-Quantum Future. The Strategy recommends preparation for a post-quantum future to protect the encryption systems that undergird the methods by which we protect data, authenticate users, and certify the accuracy of information. This means transitioning the nation's cryptographic systems to interoperable quantum-resistant systems and advancing the notion of cryptographic agility to address unknown threats arising from quantum computing. This is one area of the Strategy that specifically recommends that the private sector follow the government's Strategy to prepare for a post-quantum future.
- Development of a Digital Identity Ecosystem. Data breaches, COVID-19 fraud, and identity theft have caused billions in losses for the federal government because we do not yet have a comprehensive, secure, and accessible digital identity system. The Strategy promotes investment in strong, verifiable, privacy-enhancing digital identity platforms that comport with the values of transparency and accountability.
- Strengthen Our Cyber Workforce. Great efforts will be made to address unfilled vacancies for cybersecurity positions in workforces across the nation. The need for cybersecurity professionals across industries means that the federal government will be coordinating a comprehensive strategy for cyber education and training pathways for all persons who wish to develop a career in cybersecurity, with a particular focus on the public's need to develop and recruit cybersecurity talent to protect critical infrastructure. The Strategy is also committed to addressing the lack of diversity in the nation's cybersecurity workforce as "both a moral necessity and strategic imperative."
V. Forge International Partnerships to Pursue Shared Goals
Pillar 5 aims to "scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community" through the following five strategic objectives:
- Build coalitions to counter threats to our digital ecosystem. The U.S. will leverage existing partnerships, intergovernmental forums, and trade agreements to advance shared goals in cyberspace. This includes using a variety of mechanisms, including the Declaration for the Future of the Internet (DFI), the Quadrilateral Security Dialogue (the Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), the U.S.-EU Trade and Technology Council (TTC), and the Americas Partnership for Economic Prosperity (APEP), among others. Coordination and collaboration with allies and partners are important, particularly in sharing cyber threat information, exchanging model cybersecurity practices, comparing security-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.
- Strengthen international partner capacity. As the U.S. builds a coalition to advance shared goals, it will also strengthen capacity of allies and partners that support shared interests in cyberspace. To achieve this goal, the U.S. will "marshal expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective" cyber capacity. The Strategy emphasizes the importance of working with law enforcement and explains distinct actions in which the DOJ, the DOD, and the Department of State ("DOS") will engage. Specifically, the DOJ will work with law enforcement for more robust cybercrime cooperation, the DOD will strengthen military-to-military relationships to bolster collective cybersecurity posture, and the DOS will coordinate with the whole-of-government to ensure that federal capacity, as well as U.S., allied, and partner interests are strategically aligned.
- Expand U.S. ability to assist allies and partners. The U.S. will provide support to allies and partners to investigate, respond to, and recover from cyberattacks. The U.S. will also establish policies to determine when such support is in the national interest, develop mechanisms to identify and deploy this support, and, when needed, "rapidly seek to remove existing financial and procedural barriers to provide such operational support."
- Build coalitions to reinforce global norms of responsible state behavior. The U.S. will reinforce political commitments that every member of the United Nations has made to endorse peacetime norms and refrain from cyber operations that may "intentionally damage critical infrastructure" by holding irresponsible states accountable through meaningful and collaborative consequences, such as "diplomatic isolation, economic cost, counter-cyber and law enforcement operations, or legal sanctions, among others."
- Secure global supply chains for information, communications, and operation technology products and services. The Strategy recognizes that complex and globally interconnected supply chains are critical to the nation's economy. Our dependency on foreign products and services introduces a degree of risk, which must be mitigated through long-term, strategic collaborations between public and private sectors in the U.S. and abroad. The federal government will work with allies and partners to "implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors," making supply chains "more transparent, secure, resilient, and trustworthy."
We would like to thank Kate Growley, Crowell & Moring International LLC's Director, for assisting us with this alert.