The Strategy calls for (i) a rebalancing of the responsibility to defend cyberspace in which “the most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem” and (ii) a realignment of incentives to “ensure that market forces and public programs alike reward security and resilience.”
While continuing to promote public-private collaboration that has been central to prior policies, the Strategy places a new emphasis on regulatory oversight and private sector liability. The Strategy asserts that, “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes.” The Strategy points to NIST’s Cybersecurity Framework and CISA’s recently released Cybersecurity Performance Goals as a potential source of baseline cybersecurity standards. Some of the Strategy’s most significant features in this regard would require the passage of enabling legislation by Congress. Should that happen, the Strategy would have significant consequences for regulated businesses, including critical infrastructure providers, cloud storage and computing providers, software developers, and companies that handle personal identifying information.
Five Pillars
The National Cybersecurity Strategy focuses on five pillars:
1. Defend critical infrastructure, including by (i) establishing cybersecurity regulations to secure critical infrastructure, (ii) strengthening public-private sector collaboration, (iii) integrating federal cybersecurity centers, (iv) updating federal incident response plans and processes, and (v) modernizing federal systems in accordance with zero trust principles;
2. Disrupt and dismantle threat actors, including by (i) integrating diplomatic, information, military, financial, intelligence and law enforcement capabilities, (ii) enhancing public-private sector collaborations, (iii) increasing the speed and scale of intelligence sharing and victim notification, (iv) preventing the abuse of U.S.-based infrastructure, and (v) mounting disruption campaigns and other efforts against ransomware operators;
3. Shape market forces to drive security and resilience, including by (i) supporting legislative efforts to limit organizations’ ability to collect, use, transfer and maintain personal information and provide strong protections for sensitive data (e.g., geolocation and health data), (ii) strengthening IoT device security through federal research and development, procurement, risk management efforts and IoT security labeling programs, (iii) developing legislation establishing liability for hardware and software manufacturers and developers, and higher standards of care for software in high-risk scenarios, (iv) using federal grants and other incentives to make investments in critical infrastructure cybersecurity efforts, (v) strengthening cybersecurity contract requirements with government vendors, and (vi) exploring a federal cyber insurance framework;
4. Invest in a resilient future, including by (i) securing the technical foundation of the Internet, (ii) investing in federal cybersecurity research and development in areas such as AI, cloud infrastructure, telecommunications and data analytics used in critical infrastructure, (iii) transitioning vulnerable public networks and systems to quantum-resistant cryptography-based environments, (iv) investing in hardware and software systems that strengthen the resiliency, safety and efficiency of the U.S. electric grid, (v) investing in strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy and economic growth, and (vi) strengthening and expanding the nation’s cyber workforce; and
5. Forge international partnerships to pursue shared goals, including by (i) building international coalitions to counter threats to the digital ecosystem, (ii) strengthening international partner capacity, (iii) expanding the U.S.’s ability to assist allies and partners in strengthening cybersecurity, (iv) building coalitions to reinforce global norms of responsible state behavior, and (v) securing global supply chains for information, communications and operational technology products and services that power the U.S. economy.
Implementation
The Strategy marks the culmination of a process coordinated by the Office of the National Cyber Director (“ONCD”), which serves as a principal advisor to President Biden on cybersecurity policy and strategy, and cybersecurity engagement with industry and international stakeholders. ONCD, in coordination with the Office of Management and Budget, will work to implement the Strategy under the oversight of National Security Council staff. A specific schedule for these implementation efforts has not yet been announced. Interested parties should continue to monitor for legal and regulatory developments and for opportunities for input into related legislative and administrative processes.
The Strategy acknowledges that the dynamic cyber risk environment requires “modern and nimble regulatory frameworks tailored for each sector’s risk profile.” The Strategy directs that standards meet the needs of not only national security, but also the “security and safety of individuals, regulated entities, and their employees, customers, operations, and data.” The Strategy goes on to advocate for privacy legislation imposing “robust, clear limits on the ability to collect, use, transfer, and maintain personal data.” Efforts to move from the current voluntary approach to cybersecurity towards mandatory standards will need to balance a variety of factors and interests.
The Strategy indicates that the federal government will use existing authorities to implement cybersecurity regulations, and will work with Congress on legislation to address “gaps” in statutory authorities. It is unclear whether the current Congress will enact broad cybersecurity regulatory authority. However, critical infrastructure owners should anticipate that the administration will continue to assert existing authority to implement sector-specific cybersecurity standards, as it did with TSA’s rail and pipeline cyber standards and EPA’s guidance on water security. For example, the Strategy notes that DOJ is using authority under the False Claims Act to pursue civil charges against grantees and government contractors who fail to meet cybersecurity obligations.
The Strategy also calls on U.S. defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments, either in retaliation for or to preempt their attacks on American networks. This continues policy changes from the Trump Administration, during which the government increasingly engaged in “hack back” attacks on criminal and foreign advanced persistent threats. The Strategy calls for further integrating federal government “disruption activities” so that they become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign governments no longer see it as an effective means of achieving their goals. The U.S. government has the most advanced cyber capabilities in the world. Allowing agencies to use those tools to “defend forward” has the potential to enhance critical infrastructure security.
The Strategy also includes a range of other “strategic objectives.” Of note, these include strengthening cybersecurity in clean energy infrastructure, and working with Congress to increase legal liability for software makers for data losses and harm caused by vulnerabilities.