On March 1, the White House released its National Cybersecurity Strategy (NCS), providing a road map to address cyber threats and secure the U.S.’s digital ecosystem for the future.[1] Specifically, the White House aims to enhance the digital ecosystem’s defensibility, resilience and alignment with U.S. values.

Importantly, the NCS adopts two fundamental shifts in how the U.S. allocates roles, responsibilities and resources in cyberspace.[2] The first fundamental shift involves the “most capable and best-positioned actors” – instead of individuals, small businesses, state and local governments, and infrastructure operators – shouldering the responsibilities of defending cyberspace and improving cybersecurity. These actors may include owners/operators of systems holding data that make our society function and technology providers that build and service these systems.

The second fundamental shift incentivizes long-term investments over short-term interests. This involves more attention toward ensuring market forces and public programs at least reward security and resilience and on coordinating research and development investments in cybersecurity.

Overall, the NCS seeks to build and enhance collaboration across the digital system based on five pillars: (1) defend critical infrastructure, (2) disrupt and dismantle threat actors, (3) shape market forces to drive security and resilience, (4) invest in a resilient future, and (5) forge international partnerships to pursue shared goals. Of the five pillars mentioned above, pillar 3 appears to most heavily impact the private sector in terms of liability.

One of pillar 3’s strategic objectives is to (i) hold stewards of personal data accountable via legislative efforts that impose clear limits on their ability to collect, use, transfer and maintain personal data, and (ii) provide strong protection for sensitive data like geolocation and health information.[3] Another strategic objective of pillar 3 is to accelerate the development of Internet of Things (IoT) security labeling programs previously set forth under Executive Order 14028.[4] In doing so, consumers may be armed with crucial information necessary to compare cybersecurity protections of IoT products (e.g., control systems, fitness monitors, etc.) thereby creating market incentives to help improve security across the entire IoT ecosystem. A further strategic objective of pillar 3 is to shift liability for insecure software products and services to software developers.[5] The White House seeks to work with Congress and the private sector to develop legislation establishing liability for software products and services.

This may be an opportune time for entities impacted by the NCS to review, forecast and potentially rebalance their intellectual property (IP) portfolio strategy and spend allocation. For example, entities planning to improve their cybersecurity features for software and IoT product offerings may benefit from early consideration, appropriation of necessary resources and coordinated IP protection.

[1] See National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov).

[2] Id. at 4-5

[3] Id. at 19-20

[4] Id.

[5] Id. at 20-21

[View source.]