Dechert Cyber Bits - Issue 26

Biden Administration to Introduce New National Cyber Strategy for Critical Infrastructure

The Biden administration is reportedly working on a National Cyber Strategy for critical infrastructure that will advocate a more aggressive approach to cybersecurity, placing a greater emphasis on regulation. The administration also may ask Congress to pass legislation to cover areas where executive authority is lacking. The strategy—which is reportedly outlined in a not-yet-public 35-page draft document—is expected to address all areas President Biden considers to be critical infrastructure, including oil and gas pipelines, nuclear power, large energy generation, chemicals, defense, rail and aviation, and water infrastructure.

This strategy follows a press release last October where the administration said it is developing a comprehensive approach to "lock our digital doors" and take aggressive action to strengthen and protect cybersecurity in the United States. The President’s approach is expected to call on agencies to work with industry in developing appropriate regulations to ensure they enhance safety, including mandatory measures, without being unworkable or overly burdensome.

Media sources familiar with the draft plan indicate that the objectives of the National Cyber Strategy include, among others, the following:

  • Regulation to support national security and public safety. According to the draft, regulation can "level the playing field" to meet national security needs. The draft also is said to state that "while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases, inadequate outcomes."
  • Assigning liability to companies that fail to take adequate precautions to secure their software. At the same time, however, the draft recognizes that even the most advanced software security programs cannot eliminate all vulnerabilities. Accordingly, the plan may offer liability protection for entities that meet federal standards.
  • Regulation of all critical sectors by the executive branch or by Congressional action.
  • Authorization for cyber-offensive operations to discourage or prevent attacks.

The Strategy is currently going through the final stages of interagency approval, with over 20 departments and agencies involved. It is expected to be signed by President Biden in the coming weeks.

Takeaway: Following the hard lessons the United States has learned from earlier high-profile breaches, there have long been calls for more comprehensive cybersecurity protection in the United States. However, it remains to be seen if and when the new National Cyber Strategy will be signed by President Biden, and whether meaningful legislation or regulation will follow.

 

President Biden Signs Quantum Security Preparedness Bill

On December 21, 2022, President Biden signed HR 7535, the Quantum Computing Cybersecurity Preparedness Act, into law. The law is a bipartisan effort to prepare the federal government for the potential that future quantum computers may be able to crack most encryption techniques.

The Office of Management and Budget (“OMB”) is required to prioritize federal agencies’ switchover to post-quantum cryptography by July 5, 2023 – within a year of the National Institute of Standards and Technology (“NIST”) issuing its recent guidelines. OMB must also send Congress a report no later than December 21, 2023, outlining its strategy, asking for funds for the transition to quantum-safe systems, and detailing its efforts to coordinate with international standards organizations and other consortia.

OMB also has six months to work with the National Cyber Director and the director of the Cybersecurity and Infrastructure Security Agency (“CISA”) to “issue guidance on the migration of information technology to post-quantum cryptography.” Each federal agency must establish and maintain a current inventory of information technology in use that is vulnerable to decryption by quantum computers and create a process for evaluating progress on migrating IT systems to post-quantum cryptography within six months of the law being enacted.

Takeaway: Cybersecurity strategies require constant development to keep pace with the technologies available to threat actors. The latest concern in this “arms race” is quantum computing, an area still in its relative infancy that relies on quantum computers that are extremely expensive today. For now, the cyber risks posed by quantum computing are of most concern to governments and companies that are likely to be targeted by nation state actors, but all companies eventually will need to consider strategies for a future date when their encryption techniques may no longer be effective. In the meantime, companies can focus on data minimization strategies to reduce the amount of data that is available to a threat actor and keep abreast of technological developments in this area.

 

Google Settles Location Data Class Actions

In Q4 of 2022, Google agreed to over half a billion dollars in settlements with U.S. state attorneys general. The states alleged that Google used so-called “dark patterns” to entice users into providing location data. For example, the states accused Google of prompting consumers to switch on location tracking so that an application would work properly, even in applications that did not require location data. Additionally, Google was accused of storing consumers’ location data even after consumers disabled the tracking of their location history. This data was allegedly used to build detailed profiles and show consumers targeted advertisements.

On November 14, 2022, Google entered into a $391.5 million settlement with 40 states to resolve an investigation into its location tracking practices in what one attorney general claimed was the largest privacy settlement by state attorneys general in U.S. history.

But four states – Arizona, Indiana, Texas, and Washington – and the District of Columbia were not part of the settlement. Google had previously settled with Arizona for $85 million in October 2022. On December 29, 2022, Google settled with Indiana for $20 million. The next day Google entered into a settlement with the District of Columbia for $9.5 million. The lawsuits with Texas and Washington are still pending. Google has not admitted any wrongdoing in connection with these settlements.

Takeaway: The focus by regulators on these types of actions highlights the importance of transparency and clarity in relation to both the circumstances in which consumers’ personal information is required to enjoy the full benefit of an application and the ways in which personal information is used. Businesses should review their website and app designs to be sure that they are not susceptible to claims that their practices confuse users into providing additional data, or use “nudge techniques” that make it onerous for users to control their data. See Cyber Bits issue 21 for coverage of the FTC’s staff report on the use of “dark patterns.”

The TSA is Testing Facial Recognition at 16 U.S. Airports, May Seek Nationwide Rollout

After quietly testing facial-recognition technology at 16 U.S. airports, the U.S. Transportation Security Agency (“TSA”) may expand its use nationwide. In an announcement the TSA explained that the program “compares a live image taken at the [security] checkpoint to a gallery of pre-staged photos that the passenger previously provided to the government (for example, U.S. passport or visa photos).” The main goal of the program is to catch imposters—that is, to confirm that the person in line at the airport is actually the same person named on the ticket or identification. The theory is that computers are better at making this determination than human checkers.

The facial-recognition software underlying the TSA’s program is controversial. San Francisco passed a first-of-its-kind ban on government use of facial recognition in 2019, and at least 16 municipalities across the U.S. have followed suit. One major concern is that the technology may not be all that accurate and may be especially inaccurate at identifying non-white faces. So far, the TSA has released no hard data about whether or how often the system falsely identifies travelers.

Facial-recognition technology also raises major data privacy and cybersecurity concerns about bad actors obtaining access to facial data. According to ISACA, an international organization of IT infrastructure professionals: “[u]nlike many other forms of data, faces cannot be encrypted. Data breaches involving facial recognition data increase the potential for identity theft, stalking, and harassment because, unlike passwords and credit card information, faces cannot easily be changed.” The risks are present when this kind of data is collected by the U.S. government because government databases can be a major target of politically motivated attacks—in 2021 Russian-backed hackers broke into a range of federal government networks.

Takeaway: Although it remains controversial, the use of facial recognition technology by governments and by private sector entities continues to grow. Businesses considering this technology must carefully balance their business needs with the risks associated with use of the technology, and ensure that they are compliant with applicable laws, including regulations that govern the collection and use of biometric data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP