Mar 292023

Biden Administration Announces National Cybersecurity Strategy

Alan Charles Raul, Lauren Kitces and Vishnu Tirumala
, ,

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

The strategy presents its goals through five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

To effectuate these goals, the strategy proposes two fundamental shifts in present cybersecurity policy: (1) rebalancing the risks of cybersecurity threats toward industry and the government rather than end users and (2) realigning incentives to promote long-term investments in resilient, defensible systems.

We provide a summary of the strategy further below but highlight here several key components of the strategy.

First, most of the strategy builds on existing priorities, including incident reporting for critical infrastructure, disrupting ransomware groups and other threat actors, leveraging federal procurement regulations to impose cybersecurity standards, and coordinating cross-sectoral cybersecurity issues via the Cybersecurity and Infrastructure Security Agency (CISA).

Second, the Biden administration is seeking to shift the costs of cyber vulnerabilities from consumers to producers and manufacturers. We previously discussed how this might occur after the President’s May 12, 2021 executive order, “Improving the Nation’s Cybersecurity.” Other administration officials have analogized the effort to placing seatbelts in cars — to shift the burden away from the consumer and onto whichever entity is building the product the consumer uses.

Third, the strategy hints at a few novel proposals that will continue to evolve, such as a federal cyber insurance backstop for certain major cyber events and expanding the ability of the Cyber Safety Review Board to review significant cyber events. The administration also requests additional authorities allowing federal agencies to implement cybersecurity requirements.

Fourth, the administration acknowledges that several of its proposals, such as shifting liability to the producers of software products and services, require legislative action. To this end the strategy reflects the administration’s intentions to push for such laws to be created and passed.

While expansive, the publication of the National Cybersecurity Strategy remains a first step. The administration must now implement it — a task that the White House’s Office of the National Cyber Director will oversee.

***

Summary of Strategy Components

Defend Critical Infrastructure

  • Enact performance-based regulations and guidance to requiring compliance with industry best practices as well as incident reports from critical infrastructure and their service providers.
  • Increase collaboration among the CISA, federal agencies responsible for specific critical sectors, and individual owners and operators of critical infrastructure.
  • Consolidate the federal government’s distinct cyber capabilities to create Federal Cybersecurity Centers that can enable a holistic response.
  • Establish a “call to one is a call to all” policy for incident notification to federal agencies coordinated by CISA. This will also allow federal agencies to understand what resources are available to them after an incident has occurred.
  • Modernize federal systems by replacing legacy systems, migrate to cloud-based services, mitigate the risk of software supply chain, and share certain centralized services.

Disrupt and Dismantle Threat Actors

  • Update the Department of Defense’s cyber strategy to clarify how the department will integrate cyberspace into its defense efforts.
  • Expand the National Cyber Investigative Joint Task Force to coordinate joint takedown and disruption campaigns more frequently, quickly, and on a larger scale.
  • Encourage the private sector to use a nonprofit organizations for operational collaboration with the federal government (i.e., National Cyber-Forensics and Training Alliance).
  • Warn defenders and notify victims earlier when the government has information that an organization is being targeted or is already compromised.
  • Review declassification policies to determine whether expanding clearances or access is necessary to provide actionable intelligence to critical infrastructure owners and operators.
  • Prioritize and enforce a risk-based approach to prevent exploitation of U.S.-based infrastructure through implementation of Executive Order 13984, “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.”
  • Disrupt ransomware via encouraging international cooperation, investigating ransomware crimes, and bolstering infrastructure resilience.
  • Target illicit cryptocurrency exchanges that may be financing ransomware operations.

Shape Market Forces to Drive Security and Resilience

  • Hold accountable companies that fail to protect consumer privacy.
  • Support legislation that lays out national requirements on data security consistent with the National Institute of Standards and Technology (NIST).
  • Expand Internet of Things device security labels so that consumers can compare products.
  • Shift liability of software vulnerabilities onto software producers, with an adaptable framework as a safe harbor (like NIST’s Secure Software Development Framework).
  • Use federal grants and procurement regulations to require cybersecurity safeguards for applicants.
  • Consider a federal cyber insurance backstop for catastrophic cyber incidents.

Invest in a Resilient Future

  • Adopt security measures and support nongovernmental standards-developing organizations to mitigate systemic risks.
  • Prioritize research and development to proactively prevent and mitigate cybersecurity risks.
  • Establish a process to transition the country’s cryptographic systems to quantum-resistant cryptography.
  • Prioritize the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments.
  • Build cybersecurity defenses proactively as the U.S. expands its clean energy infrastructure.
  • Encourage investments in verifiable, consent-based digital identity solutions.
  • Implement a national strategy to develop a cyber workforce.

Forge International Partnerships to Pursue Shared Goals

  • Build international coalitions to share cyberthreat information, exchange model practices, compare sector-specific expertise, and coordinate incident response policies.
  • Strengthen the capacity of like-minded states to secure their own critical infrastructure, share information, and prosecute cybercrimes.
  • Expand U.S. abilities to assist U.S. allies that have been affected by cyber incidents, including the ability to rapidly deploy expertise to respond to cyberattacks.
  • Work with the United Nations and our partners to reinforce global norms regarding responsible state behavior.
  • Secure global supply chains from disruptions and vulnerabilities by increasing U.S. domestic capacity and working with U.S. allies to build transparent and resilient supply chains.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Lauren Kitces

Washington, D.C.

lkitces@sidley.com

Vishnu Tirumala

Washington, D.C.

vtirumala@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.