On March 2, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy.1 The highly anticipated Strategy indicates that a more overt and aggressive approach to mitigating cyber risks may be necessary to drive real change, and it raises the expectation of increased communication and partnerships between private companies and government agencies.2 The new Strategy sets a strategic objective of "enhancing public-private operational collaboration to disrupt adversaries," including the sharing of insights between private organizations and government agencies and a push for private companies to come together and organize their efforts through nonprofit organizations.3
The Strategy highlights the government's commitment to investing in cybersecurity research and new technologies to protect the nation's security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government.4 It also makes evident the Administration's desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers.5
Companies evaluating their alignment with the Strategy may also consider their law enforcement and government agency relationships. This includes assessing: i) how the Strategy impacts interactions between victim companies and their counsel with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) when they are seeking assistance with cybersecurity challenges, and ii) the new expectation of agency involvement in the private sector when it comes to cybersecurity.
"Private companies and their legal counsel can take several steps now to ensure they create a positive relationship with agencies ahead of new regulation expected to follow the National Cybersecurity Strategy," says Brian Hale, a former FBI Assistant Director of the Office of Public Affairs and current Managing Director in FTI Consulting's Cybersecurity practice, who is experienced in helping companies with cybersecurity challenges from both a government and private sector perspective. Some of these actions include:
- Form Connections. Be familiar with the lead cybersecurity FBI agent(s) in the local FBI Office before an incident occurs and develop a relationship.
- Attend Outreach Events. Agencies like the FBI and CISA often host outreach events to meet with companies and counsel in their area or participate as panelists and presenters at industry functions.6
- Keep Track of Announcements. Stay up to date with the latest messaging released from the FBI, CISA, and other agencies regarding cybersecurity best practices and regulations. This also includes remaining current on any potential threats and new requirements announced that can help prepare organizations for cybersecurity incidents.
- Leverage Industry Groups, such as InfraGard. This nonprofit is a partnership between the FBI and the U.S. private sector, created to protect critical infrastructure and with a common goal of "advancing national security."7
Through plans to increase defense of critical infrastructure and partner on sector-specific cybersecurity requirements, the National Cybersecurity Strategy emphasizes that relationships and communication between the public and private sectors remain paramount in achieving the common goal of minimizing cybersecurity risk. Plans to shift more responsibility for cybersecurity onto the organizations best positioned to handle this risk, like government agencies, will result in better protection from threat actors for individuals and small businesses, but will only be successful if proper streams of information and trust between the public and private sectors are established.
Furthermore, the Strategy encourages the forging of international partnerships to pursue shared goals. This includes building coalitions to counter threats to the digital ecosystem, strengthening international partner capacity, expanding U.S. ability to assist allies and partners, building coalitions to reinforce global norms of responsible state behavior, and securing global supply chains for information, communications, and operational technology products and services.
Whether an organization is in the public or private sector, its cybersecurity program will undoubtedly be impacted by the National Cybersecurity Strategy.
For a more detailed summary and analysis of the National Cybersecurity Strategy, Crowell examines the Strategy in a March 2023 client alert.8
1. "National Cybersecurity Strategy," The White House (March 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
6. "Community Relations," Federal Bureau of Investigation (March 2023), https://www.fbi.gov/how-we-can-help-you/outreach.
7. "Welcome to InfraGard," InfraGard (March 2023), https://www.infragard.org/.
8. "Biden Administration Releases Comprehensive National Cybersecurity Strategy," Crowell & Moring (March 6, 2023), https://www.crowell.com/en/insights/client-alerts/biden-administration-releases-comprehensive-national-cybersecurity-strategy.