On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration's continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to counter both established threats like ransomware and emerging threats from artificial intelligence. Companies across sectors should continue to monitor how implementation of the National Cybersecurity Strategy and evolving risks affect how best to respond to cyber threats and manage associated legal risks.
THE NATIONAL CYBERSECURITY STRATEGY IMPLEMENTATION PLAN
The Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan ("Implementation Plan") on May 7, 2024. The first version was published on July 13, 2023. It described more than 65 initiatives to achieve the objectives set forth in the Biden Administration's National Cybersecurity Strategy, which called for (1) rebalancing the responsibility to defend cyberspace towards the "most capable and best-positioned actors" in the public and private sectors and (2) realigning incentives to favor long-term investments in cybersecurity. The second version builds on this goal, discussing 100 initiatives that are separately assigned to 18 federal agencies for implementation. The Office of the National Cyber Director ("ONCD") is responsible for coordinating the execution of the Implementation Plan.
NEW INITIATIVES
The second version added 31 initiatives under each representative "pillar" of the National Cybersecurity Strategy. These additions reflected a focus on supply chain risks, public-private collaboration on cybersecurity issues, ransomware threats, software vulnerabilities, and other areas.
Some of the new initiatives added to the pillars:
- Pillar One, "Defend Critical Infrastructure"
- "Promote adoption of cybersecurity best practices across the healthcare and public health sector"
- "Promote cyber supply chain risk management (C-SCRM) and encourage effective enterprise-wide sharing of supply chain risk information"
- Pillar Two, "Disrupt and Dismantle Threat Actors"
- "Implement the 2023 DoD Cyber Strategy"
- "Increase collaboration between private-sector entities and Federal agencies to disrupt malicious cyber activity"
- "Disrupt ransomware crimes through joint operations"
- Pillar Three, "Shape Market Forces to Drive Security and
Resilience"
- "Assess the feasibility of approaches to understand open-source software security risk"
- "Explore approaches to develop a long-term, flexible, and enduring software liability framework"
- Pillar Four, "Invest in a Resilient Future"
- "Promote secure and measurable software solutions across the building blocks of cyberspace"
- "Drive the development and adoption of cybersecurity principles for electric distribution and distributed energy resources (DER) in partnership with energy sector stakeholders"
- "Promote skills-based hiring practices" for the cyber workforce
- Pillar Five, "Forge International Partnerships to Pursue
Shared Goals"
- "Implement the International Cyberspace and Digital Policy Strategy"
- "Develop guidance for secure development and manufacturing of semiconductors"
GOING FORWARD
As the year progresses, agencies will continue working on the initiatives contained in version two of the Implementation Plan. In a concurrent report (discussed below), ONCD stated that this coordination will require "efforts to enhance the capabilities of Sector Risk Management Agencies, strengthen the national cyber workforce, implement incident reporting requirements directed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enhance the speed and scale of adversary disruption campaigns, improve analytics and information sharing mechanisms, continue to invest in quantum information science, and prioritize cybersecurity in foreign assistance mechanisms."
Future actions will likely continue to shape the private sector through new regulatory requirements, guidelines, and opportunities for private sector input.
THE REPORT ON THE CYBERSECURITY POSTURE OF THE UNITED STATES
ONCD concurrently released the 2024 Report on the Cybersecurity Posture of the United States ("Report"). The Report—the first of its kind—discusses five trends in the strategic environment of emerging technologies and cybersecurity risks during the previous year:
(1) evolving risks to critical infrastructure
(2) ransomware
(3) supply chain exploitation
(4) commercial spyware
(5) artificial intelligence
The Report focuses on the United States' current cybersecurity posture, the effectiveness of its cyber policy and strategy, and implementation of that policy and strategy by the federal government, including efforts taken pursuant to the National Cybersecurity Strategy.
RISKS
In the Report, ONCD referenced threats posed by state and non-state actors, risks to critical infrastructure from the People's Republic of China and other foreign adversaries, supply chain exploitation, ongoing attacks from prolific ransomware groups, emerging digital technologies, and other evolving areas of risk to the nation's cybersecurity posture.
STRATEGY
Specific efforts undertaken by the federal government, as highlighted in the Report, include developing cybersecurity requirements for critical infrastructure, disrupting malicious cyber activity, promoting stronger software security, enabling a consumer-focused digital economy, and improving incident response through information sharing and supporting victims.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.