Key Takeaways from the US National Cybersecurity Strategy

BakerHostetler
Key Takeaways
  • The Biden Administration’s much-awaited National Cybersecurity Strategy calls for fundamental change to “the underlying dynamics of the digital ecosystem” and seeks to rebalance responsibility for cybersecurity defense between the federal government and the private sector. The Strategy will pursue legislative, regulatory and policy objectives based on the theme that “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
  • The Strategy seeks to build and enhance collaboration around five pillars: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals.
  • The Administration plans to pursue both privacy and security legislation that would impose limits on the collection, use and transfer of personal data and that would create liability for software products and services, establishing higher standards of care while limiting contractual liability disclaimers. The Administration also will explore a federal cyber insurance backstop to stabilize the economy and aid recovery in the event of widespread, catastrophic cyber incidents.
  • In the short term, the Administration is likely to build on policies and programs that are already in place, particularly to increase the scale of disruption and deterrence activities focused on nation-state and criminal threat actors. The Strategy’s more aggressive proposals for new legislation imposing liability on data stewards and on software and other technology providers will take years to enact, if they are enacted at all.

The White House recently released its much-awaited National Cybersecurity Strategy (the Strategy), which consolidates the Administration’s cybersecurity policy development over the past two years and outlines critical objectives that will take years to achieve. The Strategy builds on the President’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028), which committed the government to modernizing its own cybersecurity defenses, increasing the real-time sharing of threat intelligence across the government and with the private sector, improving government-private sector coordination on incident response and resiliency, and using the Government’s purchasing power to drive improvements in the broader ecosystem.

The Strategy calls for fundamental change to “the underlying dynamics of the digital ecosystem” – toward an ecosystem in which attacking a system is more costly than securing it, sensitive data is properly protected by those best positioned to do so, and “neither incidents nor errors cascade into catastrophic, systemic consequences.” It declares that “deepening digital dependencies” between and among organizations and individuals provide value but increase collective insecurity. It notes that data theft and disruptive attacks have grown rapidly, “opening up novel vectors for malicious actors to surveil, manipulate, and blackmail” individuals and organizations alike. It identifies both malign nation-state actors and criminals as threats to national security, public safety and economic prosperity.

With both technological advancement and the threat landscape evolving so rapidly, the Strategy seeks to rebalance responsibility for cybersecurity defense and realign incentives to make long-term investments that increase cyber resiliency. The Strategy calls on “the most capable and best-positioned” actors to bear greater responsibility for cybersecurity, declaring that “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.” For its part, the Government’s role is to protect its own systems, ensure that private entities are doing likewise, and carry out core governmental functions (diplomacy, law enforcement, intelligence and defense).

The Strategy seeks to build and enhance collaboration around five pillars: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals.

Pillar I: Defend Critical Infrastructure

The Strategy presents a two-pronged approach to defending critical infrastructure sectors: improving collaborative practices with relevant stakeholders and making the Government’s own systems more resilient. The Strategy outlines five strategic objectives, which focus on establishing cybersecurity requirements to support national security and public safety through greater regulation. The Administration will use existing authorities and seek new legislation where necessary to establish cybersecurity requirements tailored to the risk profile of each critical sector. A forthcoming implementation plan is expected to provide more detail on the regulatory approach for each sector.

Pillar II: Disrupt and Dismantle Threat Actors

The Strategy seeks to increase the Government’s capability and capacity to disrupt malicious cyber activity, dismantle relevant infrastructure and impose costs on threat actors. Disruption will focus on making criminal cyber activity unprofitable and nation-state activity ineffective in achieving its goals.

The Administration acknowledges that the Government must continue to develop technological and organizational platforms that enable continuous, coordinated operations. The Strategy calls for greater public-private operational coordination and recognizes that the private sector “has growing visibility into adversary activity that is often broader and more detailed than that of the Federal Government.” The Government will seek to facilitate more routine collaboration between the public and private sectors, including through use of virtual collaboration platforms that permit faster and more robust bidirectional sharing of information to disrupt adversaries.

The Government intends to seek closer collaboration with U.S.-based cloud and other Internet infrastructure providers to quickly identify malicious use of these systems, make it easier for victims to report abuse of these systems, and make it more difficult for malicious actors to gain access to these resources. The Strategy articulates an expectation that service providers “must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.” We expect this objective will manifest in increased governmental data demands and requests for assistance in law enforcement and intelligence investigations directed to technology service providers, including cloud services, domain registrars, hosting and email providers, and other digital services.

The Administration will continue to seek to counter cybercrime – and ransomware in particular – by cutting off profit to threat actors through regulation affecting victims and their payments, dismantling of criminal infrastructure, and seizure and forfeiture of illicit proceeds. The Government will focus on enhancing international cooperation in its disruption and prosecutorial efforts, in conjunction with its continued targeting of illicit cryptocurrency transactions and the infrastructure that enables such transactions.

The Administration reiterates the prior governmental view of “strongly discourag[ing] ransom payments” while acknowledging that victims may choose to pay ransoms that are not legally prohibited. In either case, the Strategy states that “victims of ransomware – whether or not they choose to pay a ransom – should report the incident to law enforcement and other appropriate agencies.” We expect to see a continued growth in mandated disclosure of cyber incidents by victim organizations, with greater enforcement focused on failures to disclose at all, or in a timely and complete manner.

Pillar III: Shape Market Forces to Drive Security and Resilience

This pillar contains the greatest shift from prior governmental cybersecurity strategy, particularly for technology service providers. Most significantly, the Strategy will seek to hold the stewards of personal data accountable for its protection, “drive the development of more secure connected devices,” and “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.” The Administration plans to pursue legislation to create liability for software products and services, establishing higher standards of care while limiting contractual liability disclaimers. Such legislation also would include an adaptable safe harbor framework, drawn from the NIST Secure Software Development Framework (SSDF), for companies that securely develop and maintain their software products and services. The Administration also will encourage broader and coordinated vulnerability disclosure and software supply chain security. On the privacy side, the Strategy cites the need to impose robust, clear limits on the ability to collect, use, transfer and maintain personal data and to provide strong protections for sensitive data such as geolocation and health information.

Some of these proposals already have taken root through litigation arising from cyber incidents with broad impact across sectors. For instance, litigation seeking to hold software manufacturers and technology service providers liable for data breaches and cyber extortion incidents impacting myriad commercial customers and end users has survived early dismissal efforts. This is part of a broader push to hold technology providers liable for alleged harms facilitated by their platforms or services, including claims of surveillance and privacy violations, social media addiction, human trafficking and exploitation, and legal and policy challenges to Section 230 immunity. The Administration also doubled down on its commitment to the Civil Cyber-Fraud Initiative, which wields the False Claims Act against federal contractor misrepresentations related to cybersecurity activity.

The Strategy also acknowledges the stress that the threat landscape has placed and will continue to place on the insurance market, particularly with respect to widespread cyber incidents tied to common points of vulnerability. The Administration plans to explore a federal cyber insurance backstop. The Strategy notes that in the event of a catastrophic cyber incident, the Federal Government would be called on to stabilize the economy and aid recovery. Such a backstop would require the U.S. Treasury to accept responsibility for financial exposure risks that insurers and reinsurers face from future catastrophic cyber incidents.

Pillar IV: Invest in a Resilient Future

The Strategy adopts a comprehensive approach to addressing the inherently vulnerable foundations of the Internet, reinvigorating federal research and development, strengthening the cyber workforce, developing a digital identity ecosystem, and preparing for the post-quantum future. The Strategy identifies three technology areas of focus: computing-related technologies, biotechnologies and biomanufacturing, and clean energy technologies. It also highlights the imperative to prepare for a shift to interoperable quantum-resistant cryptography and to verifiable digital identity solutions “that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth.” To accomplish this, the Government will continue to update the Federal Cybersecurity Research and Development Strategic Plan. The Administration also announced an interagency effort to develop a national strategy focused on the cyber workforce, cyber training and education, and digital awareness.

Pillar V: Forge International Partnerships to Pursue Shared Goals

The Strategy concludes with the recognition that cybersecurity objectives must be pursued on a global scale. The United States will promote international cybersecurity partnerships to counter common threats, preserve and reinforce global Internet freedom, protect against transnational digital repression, and build toward a shared digital ecosystem that is more inherently resilient and defensible. Additionally, the United States will work with allies and partners to identify and implement best practices in cross-border supply chain risk management and to shift supply chain flow through partner countries and trusted vendors. This effort will prioritize opportunities to provide higher levels of assurance that digital technologies will be secure and functional, and to attract countries to support the shared vision of an open, free, global, interoperable, reliable and secure Internet.

Conclusion

The National Cybersecurity Strategy builds on a cybersecurity policy foundation that has been developed over several decades. Although development and implementation of its more aggressive policy proposals will take years, if they are achieved at all, the Strategy charts a responsible course for adjusting governmental actions to current and future technological developments and interdependency in the United States and around the globe.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising