On March 2, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy.[i] The highly anticipated Strategy signals that a more overt and aggressive approach to mitigating cyber risks may be necessary to drive real change, creating an expectation of increased communication and partnerships between private companies and government agencies.[ii] The new Strategy sets a strategic objective of “enhancing public-private operational collaboration to disrupt adversaries,” which includes sharing insights between private organizations and government agencies and pushing private companies to come together and organize their efforts through nonprofit organizations.[iii]
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses. It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government.[iv] It also makes evident the Administration’s desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers.[v]
Companies evaluating their alignment with the Strategy may also consider their law enforcement and government agency relationships. This includes (i) assessing how the Strategy impacts the interactions of victim companies and their counsel with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) when they are seeking assistance with cybersecurity challenges, and (ii) accounting for the new expectation of agency involvement in the private sector when it comes to cybersecurity.
“Private companies and their legal counsel can take several steps now to ensure they create a positive relationship with agencies ahead of new regulation expected to follow the National Cybersecurity Strategy,” says Brian Hale, a former FBI Assistant Director of the Office of Public Affairs and current Managing Director in FTI Consulting’s Cybersecurity practice, who is experienced in helping companies with cybersecurity challenges from both a government and private sector perspective. Some of these actions include:
- Form Connections. Be familiar with the lead cybersecurity FBI agent(s) in the local FBI field office before an incident occurs, and develop a relationship.
- Attend Outreach Events. Agencies like the FBI and CISA often host outreach events to meet with companies and counsel in their area, or participate as panelists and presenters at industry functions.[vi]
- Keep Track of Announcements. Stay up to date with the latest messaging released from the FBI, CISA, and other agencies regarding cybersecurity best practices and regulations. This also includes remaining current on any potential threats and new requirements announced that can help prepare organizations for cybersecurity incidents.
- Leverage Industry Groups, such as InfraGard. This nonprofit is a partnership between the FBI and the U.S. private sector, created to protect critical infrastructure and with a common goal of “advancing national security.”[vii]
Through plans to increase defense of critical infrastructure and partner on sector-specific cybersecurity requirements, the National Cybersecurity Strategy emphasizes that relationships and communication between the public and private sectors remain paramount in achieving the common goal of minimizing cybersecurity risk. Plans to shift more responsibility for cybersecurity onto the organizations best positioned to handle this risk, like government agencies, will result in better protection from threat actors for individuals and small businesses, but will only be successful if proper streams of information and trust between the public and private sectors are established.
Furthermore, the Strategy encourages the forging of international partnerships to pursue shared goals. This includes building coalitions to counter threats to the digital ecosystem, strengthening international partner capacity, expanding U.S. ability to assist allies and partners, building coalitions to reinforce global norms of responsible state behavior, and securing global supply chains for information, communications, and operational technology products and services.
Whether an organization is in the public or private sector, its cybersecurity program will undoubtedly be impacted by the National Cybersecurity Strategy.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
©2023 FTI Consulting, Inc. All rights reserved. fticonsulting.com
[i] “National Cybersecurity Strategy,” The White House (March 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[viii] “Biden Administration Releases Comprehensive National Cybersecurity Strategy,” Crowell & Moring (March 6, 2023), https://www.crowell.com/en/insights/client-alerts/biden-administration-releases-comprehensive-national-cybersecurity-strategy.