President Biden’s National Cybersecurity Strategy Unveiled

King & Spalding

[co-author: Scott Heirs]

Background

On March 2, 2023, the White House Office of the National Cyber Director released the National Cybersecurity Strategy (the “Strategy”).[1] While the Strategy carries no legal force in and of itself, it sets forth a bold roadmap for transitioning the United States’ cybersecurity approach from a largely voluntary, public-private partnership model to a much more regulated, mandatory framework. The Strategy observes that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes” (Strategy, at 8), and signals the Administration’s priorities for cyber regulations and policy in both the public and private sectors. In the coming months, the newly created White House Office of the National Cyber Director will release a more detailed “implementation plan,” which will contain more specifics on how the Administration intends to effect this paradigm shift.

The Strategy represents a potential sea change in federal policy, and companies should be prepared for heightened regulatory enforcement and legislative changes across a number of next-generation technology and critical infrastructure sectors.

Key Aspects of Strategy

At a high level, the Strategy calls for two fundamental shifts: (1) to rebalance the responsibility to defend cyberspace by shifting the burden to the most capable actors, and (2) to realign incentives to favor long-term investments in cybersecurity. To that end, the Strategy is organized around five pillars: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals.

The first pillar calls for the federal government to expand regulation of cybersecurity in critical infrastructure sectors by leveraging existing authorities (including those granted to agencies like the Treasury Department, Department of Homeland Security, and Environmental Protection Agency), working with Congress on new legislation, and encouraging states and independent regulators to use their own authorities. Notably, the first pillar instructs leaders to “work to ensure federal regulations are not in conflict, duplicative, or overly burdensome in order to reduce the burden of compliance.” (Strategy, at 9). This will be especially important in the context of minimum cybersecurity requirements and incident reporting laws, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA was passed last year and is still undergoing rulemaking; once in effect, it will require entities in critical sectors to promptly report significant cyber incidents or ransomware attacks within a matter of hours after discovering them. The first pillar guides regulators to “drive the adoption of secure design principles, prioritize the availability of essential services, and ensure that systems are designed to fail safely and recover quickly.” (Strategy, at 8-9). These regulations should “define minimum expected cybersecurity practices or outcomes” but leave room for entities to exceed these requirements.

The second pillar aims to foster public-private collaboration to render threat actors incapable of mounting sustained cyberattacks that can threaten U.S. national security, tasking the Department of Defense with updating its own cyber strategy and strengthening its coordination with foreign and domestic civilian, law enforcement, and intelligence partners. The call for enhanced information-sharing also extends to private entities, as the Strategy seeks to increase the speed and scale of the government’s intelligence sharing with the private sector, including for entities actively targeted by malicious actors.

The third pillar seeks to shift liability for data losses and privacy violations to the organizations that hold data or create software and fail to take reasonable precautions. The Strategy frames this issue as placing the accountability for cyber incidents on the stakeholders most capable of taking action to prevent bad outcomes rather than on end-users. Additionally, the third pillar calls for the government to support legislative efforts that would impose limits on the collection, use, transfer, and maintenance of personal data, with strong protections for sensitive data like geolocation and health information.

The fourth pillar calls for fostering next-generation technologies and infrastructure, noting a gap in public and private investment in cybersecurity. This pillar also emphasizes significant government spending in R&D, with a “focus on securing three families of technologies that will prove decisive for U.S. leadership in the coming decade: computing-related technologies, including microelectronics, quantum information systems, and artificial intelligence; biotechnologies and biomanufacturing; and clean energy technologies” (Strategy, at 25). Most notably, the pillar also calls for the implementation of the Congressionally-directed National Cyber-Informed Engineering Strategy instead of a “patchwork of security controls” (Strategy, at 26), again evidencing the Strategy’s attempt to create a more unified federal regulatory approach to cybersecurity.

The fifth pillar, which is focused on cyber diplomacy, seeks to forge international partnerships and coalitions to counter cyber threats through joint preparedness, response, and cost imposition.

Takeaways

The Strategy represents a significant departure from the United States’ approach to cybersecurity in the preceding two decades. The Strategy sends a clear signal that the United States intends to increase its focus on cybersecurity, especially for those entities in critical infrastructure sectors. This inevitably means that private actors can expect to face increased scrutiny, whether in the form of audits, certifications, compliance reviews, regulatory investigations, or enforcement actions. At the same time, the Strategy promises that the Administration will incentivize private sector cybersecurity improvements through grants, federal procurement authority, research and development funding, and other measures (Strategy, at 21-22).

Changes in the legal framework will not happen overnight. Efforts to implement the Strategy, whether working with Congress to close gaps in statutory authorities or broadening the use of existing authorities to expand regulations, will take time and face the usual legislative and rulemaking hurdles. As a benchmark, CIRCIA was passed in March 2022 with broad bipartisan support but will not take effect until 2024 at the earliest. In the meantime, private entities within priority sectors, such as energy and technology, should make good use of this opportunity to engage with federal regulators and policymakers in Congress to ensure that the new regulatory standards “are operationally and commercially viable.” (Strategy, at 8).

[1] White House, Fact Sheet: Biden-⁠Harris Administration Announces National Cybersecurity Strategy (Mar. 2, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
