On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
Summary and Analysis
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resisting systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.
The Strategy makes evident the Administration’s desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers. To that end, we should expect legislation regarding baseline cybersecurity measures and establishing new liabilities for providers of software products and services. Further, the Administration emphasizes its support for legislative efforts for data minimization and increasing protection for sensitive data, which puts additional pressure on Congress to pass a federal privacy law.
The Strategy builds on sustained efforts by the Biden Administration to protect the nation’s critical infrastructure, including:
- The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – expands the reporting obligations of covered entities;
- The 2022 Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act – reduces reliance on China-based suppliers of emerging technologies by providing a financial incentive for investment in U.S. semiconductor manufacturing and the creation of collaborative networks for research and innovation;
- President Biden’s 2021 Executive Order – strengthens the nation’s cybersecurity defenses by mandating all federal agencies use basic cybersecurity measures (such as multifactor authentication and requiring new security standards for software makers that contract with the federal government); and
- President Biden’s 2021 national security memorandum – directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure.
The Five Pillars
Replacing the 2018 Trump Administration strategy, which focused on voluntary public-private partnerships and information-sharing practices, the new framework mapped out by the Strategy pushes for a more aggressive and comprehensive regulatory approach. Combining government actions with new requirements for the private sector, which owns the majority of the country’s critical infrastructure, the Strategy aims to tackle some of our nation’s most difficult and complex issues in cybersecurity, software liability, and regulatory programs by centering on the following five pillars:
- Defend Critical Infrastructure;
- Disrupt & Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future; and
- Forge International Partnerships to Pursue Shared Goals
I. Defend Critical Infrastructure
The Administration makes clear that this pillar “is vital to our national security, public safety, and economic prosperity.” This pillar focuses on private-public collaboration to equitably distribute risk and responsibility, and includes five strategic objectives:
- Establish Cybersecurity Requirements to Support National Security and Public Safety. Protecting critical services is essential to the American people’s confidence in the nation’s infrastructure and the economy, and the Strategy breaks out three categories of activity to accomplish this objective:
- Establish Cybersecurity Regulation to Secure Critical Infrastructure. To the extent possible, the government plans to use existing authorities to create a set of “minimum expected cybersecurity practices” for the infrastructure sector that are performance-based and adaptable. Where gaps in the law exist, the Administration plans to work with Congress to close them with the goal of ensuring that systems are designed to “fail safely and recover quickly.” The Administration plans to drive improvements in cybersecurity practices in the cloud computing industry and other essential services for these industry sectors.
- Harmonize and Streamline New and Existing Regulations. A key goal of the Strategy is controlling the costs and other burdens of compliance for regulated entities to enable them to commit more resources to cybersecurity. To that end, the Strategy calls for regulators to (1) seek to harmonize regulations, audits, and reporting requirements as they are developed—for example, by leveraging existing international standards where consistent with U.S. policy and law, and (2) work together to minimize instances where existing regulations are in conflict, duplicative, or overly burdensome.
- Enable Regulated Entities to Afford Security. The Strategy provides several strategies to accommodate critical infrastructure sectors with varying capacities to absorb such costs. This includes calling for regulation that will ensure a level playing field that bypasses competition to underspend peers on cybersecurity in sectors with a greater ability to absorb costs. The Strategy also describes how low-margin sectors will likely need incentives to invest in cybersecurity, for example through rate-making processes, tax structures, or other mechanisms.
- Scale Public-Private Collaboration. The Strategy stresses the importance of creating a distributed network of cyber defense, developed by collaboration between defenders and enabled by the automated exchange of information. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will employ Sector Risk Management Agencies (“SRMAs”) to coordinate with and support critical infrastructure owners to protect the assets they operate. The government plans to invest in developing SRMA capabilities to enable security and resilience improvements across critical infrastructure sectors and support maturation of third-party collaboration mechanisms. Additionally, information sharing and analysis organizations (“ISAOs”), sector-focused information sharing and analysis centers (“ISACs”), and similar organizations will be leveraged to facilitate cyber defense operations. The Strategy also acknowledges that machine-based solutions will be required to improve the sharing of information and coordination of defensive efforts. To accomplish this, CISA and SRMAs will explore technical and organizational mechanisms in partnership with the private sector to enhance and evolve data sharing, and the federal government will deepen its collaborative efforts with software, hardware, and managed service providers which have the capability to provide greater cybersecurity and resilience.
- Integrate Federal Cybersecurity Centers. Federal Cybersecurity Centers will serve as collaborative nodes that bring together capabilities across entities involved with homeland defense, law enforcement, intelligence, and diplomatic, economic, and military missions to drive intragovernmental coordination and support non-federal partners.
- Update Federal Incident Response Plans and Processes. The federal government will aim to present a unified, coordinated, whole-of-government response to cyber incidents when federal assistance is required, including, for example, that CISA will update the National Cyber Incident Response Plan (“NCIRP”). The Strategy discusses how these efforts will harmonize new requirements, such as CIRCIA’s to-be-finalized requirement that covered entities report cybersecurity incidents to CISA within hours in order to strengthen the collective defense, and current efforts by the Cyber Safety Review Board (CSRB), which is comprised of private and public sector cybersecurity leaders and will review incidents and guide industry remediation.
- Modernize Federal Defenses. The Administration will focus on long-term efforts to defend federal systems in accordance with zero-trust principles. In addition, it commits to develop plans to collectively defend federal civilian agencies, modernize federal technology systems, and defend national security systems.
II. Disrupt & Dismantle Threat Actors
Pillar 2 discussed the commitment to use “all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” focusing on heading off “sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.” One of the ways to accomplish this is to make cyber-enabled campaigns unprofitable. There are five strategic objectives for disrupting and dismantling threat actors:
- Integrate Federal Disruption Activities. The Strategy outlines three commitments to integrate the federal government’s disruption efforts. First, the DOD will update its departmental cyber strategy so that it is aligned with “the National Security Strategy, National Defense Strategy, and [the] Strategy” to ensure that cyberspace operations are integrated into other strategic defense efforts. Second, the National Cyber Investigative Joint Task Force (“NCIJTF”) will “expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and frequency.” Third, the DOD and the intelligence community “commit[s] to bringing to bear their full range of complementary authorities to disruption campaigns.”
- Enhance Public-Private Operational Collaboration to Disrupt Adversaries. To enhance the collaboration between the public and private sectors, the Strategy “encourage[s]” private companies to organize cyber-disruption efforts “through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government, such as the National Cyber-Forensics and Training Alliance (NCFTA).” The Strategy also commits the government to lowering barriers in the interests of supporting and leveraging collaboration.
- Increase the Speed and Scale of Intelligence Sharing and Victim Notification. One aspect of disruption and dismantling threat actors is to increase the speed and scale of intelligence sharing, both to and from victims. The Strategy commits to “proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.” Part of implementing this is to “review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances.” The Strategy also calls on “SRMAs, in coordination with CISA, law enforcement agencies, and the [Cyber Threat Intelligence Integration Center (CTIIC)to] identify intelligence needs and priorities within their sector and develop processes to share warnings, technical indicators, threat context, and other relevant information with both government and non-government partners.”
- Prevent Abuse of U.S.-Based Infrastructure. The Strategy commits to working with cloud and infrastructure providers to address the full gamut of issues that they may face, from quickly identifying malicious use of such infrastructure, notifying the government in the event of such malicious use, making it easier for victims to report such abuse, and preventing the malicious use in the first place. This strategy also places an expectation on “[a]ll services providers” to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”
- Counter Cybercrime, Defeat Ransomware. The Strategy calls out ransomware in particular as a threat and identifies four processes to combat it: “(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.” This effort includes contributions from the Counter-Ransomware Initiative (CRI) with 30 other countries and the Joint Ransomware Task Force. It also includes further consideration of international anti-money laundering and combating the financing of terrorism (AML/CFT) standards. To achieve these objectives, the Strategy focuses on mounting “disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.” Accordingly, the Strategy repeats the position that the U.S. government has held for years: “strongly discourag[ing] the payment of ransoms” and encouraging victims to report the incidents to law enforcement and other appropriate agencies.
III. Shape Market Forces to Drive Security and Resilience
Pillar 3 of the Strategy focuses on shaping market forces to reduce risk and strengthen our digital ecosystem to keep our country resilient and secure. To drive broader adoption of best practices in cybersecurity, market forces are important, but the Administration will shape the long-term security and resilience of the digital ecosystem by: increasing accountability, driving development of more secure connected devices, reshaping existing laws, using federal purchasing power to incentivize security, and stabilizing insurance markets against catastrophic risk with the following six strategic objectives:
- Hold the Stewards of our Data Accountable.The Administration supports legislative efforts to protect consumers by imposing limitations on technologies that collect personal information. Failures to protect personal information pass the harm on to consumers, and often the greatest harm falls upon the most vulnerable populations. To protect consumers, legislation should provide strong protections for personal and sensitive data and set national requirements to secure data consistent with the standards and guidelines developed by NIST.
- Drive the Development of Secure IoT Devices.Many IoT devices today are vulnerable to cybersecurity threats and exploitation by bad actors. The Administration will continue to improve IoT cybersecurity through research and development and risk management efforts under the 2020 IoT Cybersecurity Improvement Act and security labeling programs under Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cybersecurity Executive Order”) The goal is to expand IoT security labels, allowing consumers to compare protections for different IoT products, and create market incentive for greater security for IoT devices.
- Shift Liability for Insecure Software Products and Services.The Administration will begin to shift liability onto entities that fail to take reasonable precautions to secure their software while at the same time recognizing that even advanced software security programs cannot prevent all vulnerabilities. Legislation will be designed to prevent manufacturers and software publishers from fully disclaiming liability and establish higher security standards, while also providing a safe harbor for companies that do securely develop and maintain their software products and services. These so-called safe harbor provisions will draw from current best practices, such as the NIST Secure Software Development Framework, but will also need to be flexible enough to evolve over time to keep up with technological advancements. The Administration also encourages coordinated vulnerability disclosures and further development of Software Bill of Materials (SBOMs), as well as processes for identifying and mitigating the risk of unsupported software used by critical infrastructure.
- Use Federal Grants and Other Incentives to Build in Security.The Administration is committed to investing in programs to improve infrastructure and the digital ecosystem supporting it, and balancing cybersecurity requirements. The federal government will collaborate with State, Local, Tribal and Territorial (“SLTT”) entities, private sector stakeholders, and other partners to drive investment in secure and resilient products and to fund cybersecurity research, development, and demonstration programs.
- Leverage Federal Procurement to Improve Accountability.One successful method of improving cybersecurity has been to implement specific contracting requirements for federal government vendors. The Cybersecurity Executive Order expands cybersecurity requirements for contracts, ensuring that such standards are strengthened and standardized across federal agencies. The Department of Justice’s (“DOJ’s”) Civil Cyber-Fraud Initiative (CCFA) will hold accountable entities that knowingly: put data at risk through deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, or violate obligations to monitor and report cyber incidents and breaches.
- Explore a Federal Cyber Insurance Backdrop.The Administration will assess the need for and the potential structure of a federal response to a catastrophic cyber event, which will include analyzing current cyber insurance offerings. Input will be sought from Congress, state regulators, and industry stakeholders to determine if a plan is necessary and how to structure a response to stabilize and aid recovery to prepare for a catastrophic cyber event before one occurs.
IV. Invest in a Resilient Future
The Strategy’s fourth pillar relies on the following five strategic objectives to accomplish the Administration’s commitment to investing in the concept of resilience in the face of near-certain cyber-attacks:
- Cybersecurity Research & Development. The Strategy recognizes that cyber adversaries have been weaponizing American innovation and using it against our country to steal intellectual property, sow dissent, interfere with elections, and undermine our national defenses. Because of this, the Strategy recommends that investment and innovation must go hand-in-hand with cybersecurity efforts, and that it will be critical for our government to harness emerging technologies for cybersecurity purposes as those technological advancements are made.
- Securing the Technical Foundation of the Internet. Acknowledging that the very foundation of the Internet has inherent vulnerabilities that need to be addressed (specifically mentioning the Domain Name System and Border Gateway Protocol), the Strategy prioritizes protection of the multistakeholder model of Internet governance and standards development. Principles such as transparency, openness, and consensus are at the core of our nation’s values and will drive the evolution of more secure technical standards and technologies. Because of the rapid pace at which technologies are advancing, the Strategy advocates for the Federal Research and Development enterprise to direct projects to advance cybersecurity and resilience in areas such as encryption, the protection of industrial control systems, and artificial intelligence.
- Preparing for a Post-Quantum Future. The Strategy recommends preparation for a post-quantum future to protect the encryption systems that undergird the methods by which we protect data, authenticate users, and certify the accuracy of information. The means transitioning the nation’s cryptographic systems to interoperable quantum-resistant systems and advancing the notion of cryptographic agility to address unknown threats arising from quantum computing. This is one area of the Strategy that specifically recommends that the private sector follow the government’s Strategy to prepare for a post-quantum future.
- Development of a Digital Identity Ecosystem. Data breaches, COVID-19 fraud, and identity theft have caused billions in losses for the federal government because we do not yet have a comprehensive, secure, and accessible digital identity system. The Strategy promotes investment in strong, verifiable, privacy-enhancing digital identity platforms that comport with the values of transparency and accountability.
- Strengthen Our Cyber Workforce. Great efforts will be made to address unfilled vacancies for cybersecurity positions in workforces across the nation. The need for cybersecurity professionals across industries means that the federal government will be coordinating a comprehensive strategy for cyber education and training pathways for all persons who wish to develop a career in cybersecurity, with a particular focus on the public’s need to develop and recruit cybersecurity talent to protect critical infrastructure. The Strategy is also committed to addressing the lack of diversity in the nation’s cybersecurity workforce as “both a moral necessity and strategic imperative.”
V. Forge International Partnerships to Pursue Shared Goals
Pillar 5 consists of five strategic objectives that aim to “scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community” using the following five strategic objectives:
- Build coalitions to counter threats to our digital ecosystem. The U.S. will leverage existing partnerships, intergovernmental forums, and trade agreements to advance shared goals in cyberspace. This includes using a variety of mechanisms, including the Declaration for the Future of the Internet (DFI), the Quadrilateral Security Dialogue (the Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), the U.S.-EU Trade and Technology Council (TTC), and the Americas Partnership for Economic Prosperity (APEP), among others. Coordination and collaboration with allies and partners are important, particularly in sharing cyber threat information, exchanging model cybersecurity practices, comparing security-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.
- Strengthen international partner capacity. As the U.S. builds a coalition to advance shared goals, it will also strengthen capacity of allies and partners that support shared interests in cyberspace. To achieve this goal, the U.S. will “marshal expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective” cyber capacity. The Strategy emphasizes the importance of working with law enforcement and explains distinct actions in which the DOJ, the DOD, and the Department of State (“DOS”) will engage. Specifically, the DOJ will work with law enforcement for more robust cybercrime cooperation, the DOD will strengthen military-to-military relationships to bolster collective cybersecurity posture, and the DOS will coordinate with the whole-of-government to ensure that federal capacity, as well as U.S., allied, and partner interests are strategically aligned.
- Expand U.S. ability to assist allies and partners. The U.S. will provide support to allies and partners to investigate, respond to, and recover from cyberattacks. The U.S. will also establish policies to determine when such support is in the national interest, develop mechanisms to identify and deploy this support, and, when needed, “rapidly seek to remove existing financial and procedural barriers to provide such operational support.”
- Build coalitions to reinforce global norms of responsible state behavior. The U.S. will reinforce political commitments that every member of the United Nations has made to endorse peacetime norms and refrain from cyber operations that may “intentionally damage critical infrastructure” by holding irresponsible states accountable through meaningful and collaborative consequences, such as “diplomatic isolation, economic cost, counter-cyber and law enforcement operations, or legal sanctions, among others.”
- Secure global supply chains for information, communications, and operation technology products and services. The strategy recognizes that complex and globally interconnected supply chains are critical to the nation’s economy. Our dependency on foreign products and services introduces a degree of risk, which must be mitigated through long-term, strategic collaborations between public and private sectors in the U.S. and abroad. The federal government will work with allies and partners to “implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors,” making supply chains “more transparent, secure, resilient, and trustworthy.”