On March 2, 2023, the Biden Administration released its National Cybersecurity Strategy, which aims to address the growing cybersecurity concerns in the United States. This follows the release of Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021.
The Strategy outlines the government’s goals and objectives for cybersecurity, signaling a fundamental shift in how it plans to allocate roles, responsibilities, and resources for cybersecurity. The following are the key highlights of the National Cybersecurity Strategy.
The Five Pillars of the Strategy
The National Cybersecurity Strategy is organized into five pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
These pillars are aimed at enhancing the nation’s cybersecurity posture and fostering greater accountability and cooperation among key stakeholders.
Increased Responsibility for Industry
The Strategy seeks to place greater responsibility on industry, particularly owners and operators of systems that hold personal data and technology providers. It aims to move away from voluntary compliance by industry and increase regulatory requirements, particularly in critical infrastructure sectors.
The government will leverage existing regulations to implement additional security requirements and work with Congress and regulators to address regulatory gaps. The Strategy prescribes that new regulations be performance-based and leverage existing cybersecurity frameworks, voluntary standards, and guidance.
Emphasis on Performance-Based Regulations
The National Cybersecurity Strategy encourages regulators to incentivize cybersecurity investments through the rate-making process, tax structures, or other mechanisms.
The third pillar of the Strategy seeks greater accountability for industry responsible for securing personal data, including legislative efforts that would impose clear limits on the “ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
Shift of Liability onto Software Producers
The Strategy also contemplates shifting liability onto software producers that ignore best practices for secure software development. It calls for legislation establishing such liability and establishing a safe harbor framework to shield responsible companies that are meeting the standards.
Federal Government’s Efforts to Strengthen Cybersecurity
The National Cybersecurity Strategy also focuses on efforts by the federal government to shore up its own cybersecurity. This includes placing continued emphasis on software supply chain risk mitigation, moving federal IT and operational technology systems to a zero trust architecture, and preparing for a post-quantum future. Federal contractors are reminded that the government will pursue legal action against companies that knowingly misrepresent their cybersecurity practices or protocols, or that knowingly violate obligations to monitor and report cybersecurity incidents or breaches.
In conclusion, the Biden Administration’s National Cybersecurity Strategy aims to strengthen the nation’s cybersecurity posture by promoting greater accountability and cooperation among key stakeholders. Critical infrastructure owners and operators, industry, software producers, and federal contractors should ensure they are in compliance with any applicable regulatory schemes and are monitoring for updates that may impact their operations.