On March 2, 2023,[i] the White House Office of the National Cyber Director (“ONCD”) published the new U.S. National Cybersecurity Strategy (the “Strategy”).[ii] This article highlights key provisions of the Strategy that are relevant to cybersecurity compliance for businesses, internet infrastructure providers and government contractors, and provides a general overview of the United States’ ambitious, collaborative vision for cybersecurity.
Background
The Strategy follows President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 2021, E.O. 14028)[iii] and significant budgetary commitments by Congress: the Bipartisan Infrastructure Deal[iv] to expand Americans’ access to reliable high-speed internet, and the CHIPS and Science Act, 2022[v] to incentivize domestic innovation and manufacturing.
The Strategy takes a holistic approach to cybersecurity, recognizing that the continued advancement of technology and increasing dependence on interconnectivity inherently expose essential systems and private businesses to disruptions that threaten the economy, national security, and public safety. It is articulated in 5 pillars, each developed with several strategic objectives.
Pillar 1: Defend Critical Infrastructure
This pillar promotes public-private collaboration in the defense of critical infrastructure such as oil and natural gas pipelines, aviation, rail, and water systems.
It charges the Federal Government to be a model for the rest of the country in cybersecurity. Within a decade, federal enterprise systems are to be redesigned around zero-trust principles – implementing multi-factor authentication, encrypting data, gaining visibility into attack surfaces, and migrating to secure cloud-based services.
The Strategy highlights existing cybersecurity requirements in key sectors and further encourages states and independent regulators to set cybersecurity requirements through their own authorities, while acknowledging the cost of implementing these requirements and encouraging regulators to consult with businesses to understand how they will be implemented and funded.
The Cybersecurity and Infrastructure Security Agency (“CISA”) is responsible for coordinating critical infrastructure security and resilience and strengthening the National Cyber Incident Response Plan (“NCIRP”). ONCD will lead the integration of federal cybersecurity centers to drive intragovernmental coordination among them.
Pillar 2: Disrupt and Dismantle Threat Actors
The overall goal of this pillar is to conduct disruption campaigns to make criminal cyber activity so unprofitable that threat actors no longer consider it effective or rewarding.
The private sector is encouraged to organize through non-profits to actively share timely information “bidirectionally” and at scale – with the Federal Government and with each other – and collaborate to disrupt adversaries. The Federal Government will review its declassification processes, expand security clearance, and develop processes to facilitate channels for private entities to provide timely feedback and share threat intelligence with the government.
Infrastructure-as-a-Service providers (such as domain registrars and providers of cloud, hosting, email, and digital services) are required to “make reasonable attempts” to prevent malicious use of US-based infrastructure. IaaS providers are directed to follow a risk-based approach to cybersecurity, guided by EO 13984,[vi] “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.”
Noting the critical impact of ransomware on key infrastructure, the Strategy provides that the U.S. will strengthen critical infrastructure resilience to withstand ransomware attacks, investigate ransomware crimes and address abuse of virtual currencies to launder ransom payments. The U.S. will also leverage international cooperation to disrupt the ransomware ecosystem and isolate countries that provide safe havens for cyber criminals.
The Strategy discourages payment of ransoms following ransomware attacks in order to reduce the financial incentive for cyber criminals; however, victims of ransomware attacks are encouraged to report incidents to law enforcement and agencies whether they pay a ransom or not. The Strategy does not mention a safe harbor for victims that report, but provides that such reporting will help the government support victims, prevent further use of cryptocurrencies to evade AML/CFT controls, and reduce the likelihood that future ransomware attacks will be successful.
Pillar 3: Shape Market Forces to Drive Security and Resilience
This pillar is particularly instructive for corporate cybersecurity compliance.
The first strategic objective under this pillar is to “hold data stewards accountable.” The Strategy notes that the Biden Administration “supports legislative efforts” to set robust and clear limits on data collection and processing that evolve with threats, consistent with standards and guidelines developed by NIST.
Many Internet of Things (“IoT”) devices are vulnerable because they ship with inadequate default settings and unnecessarily advanced features that expand their exposure, and because they are difficult or impossible to patch or upgrade. The Strategy reiterates the IoT security labeling programs being developed by NIST and the Federal Trade Commission under EO 14028, “Improving the Nation’s Cybersecurity,” and the plans for Federal R&D, procurement, and risk management efforts in the IoT Cybersecurity Improvement Act of 2020. The Strategy anticipates that empowering consumers to compare the levels of protection offered by IoT products will incentivize the IoT ecosystem to prioritize security by design.
Perhaps the most significant principle in the Strategy is the shift in responsibility for cybersecurity incidents from end users of vulnerable software products and services to vendors and software makers, described as the “stakeholders most capable of preventing bad outcomes.” Software licensors should no longer be able to disclaim liability for cyber incidents by contract where they ignore best practices and ship software with known vulnerabilities or integrate unvetted third-party software.
Vendors that sell to the Federal Government make contractual commitments to comply with federal cybersecurity requirements. Where government contractors and grantees are not compliant, they risk being prosecuted under the False Claims Act for “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.”
The Strategy anticipates the possibility of catastrophic cyber incidents destabilizing the economy. In preparation for this, the Federal Government will explore a cyber insurance backstop plan that can be called upon to aid recovery, provide certainty to markets and make the U.S. more resilient.
Pillar 4: Invest in a Resilient Future
This pillar of the Strategy emphasizes the need to secure the integrity of the fundamental structure of the internet, both for security today and in preparation for revolutionary changes in the technology landscape such as quantum computing and further advances in artificial intelligence. Specific mitigating measures are recommended: fixing Border Gateway Protocol vulnerabilities, encrypting Domain Name System requests, and adopting the IPv6 protocol.
Currently, strong encryption is fundamental to global cybersecurity measures that protect data online, validate end users, authenticate signatures, and verify information. Because quantum computing could potentially break some of the most common encryption standards, the Federal Government will establish a process for timely migration to quantum-resistant cryptography, and the private sector is expected to follow the government’s lead.
Overall, the US government is committed to federal research and development for cybersecurity, and to investments in digital identity solutions balanced against the values of privacy, security, civil liberties, equity, accessibility, and interoperability. This pillar also prioritizes cybersecurity for new clean energy infrastructure and notes the need to develop a national strategy to strengthen the cybersecurity workforce.
Pillar 5: Forge International Partnerships to Pursue Shared Goals
The final pillar looks outward, leveraging the US’ relationships with the global community to protect cyberspace. The Strategy seeks to create a world where responsible state behavior in cyberspace is rewarded, and irresponsible behavior is isolating and costly.
The strategic plan for achieving this involves building coalitions to counter cyber threats. In April 2022, the US along with 60 countries signed the Declaration for the Future of the Internet.[vii] Through membership in the Freedom Online Coalition, the Quadrilateral Security Dialogue and future coalitions, the US intends to galvanize international cooperation on cybersecurity and reinforce global norms of responsible state behavior in cyberspace.
The US will help strengthen its international partners’ capacity and support efforts to secure global supply chains for information, communications and operational technology products and services. To expand the US’ ability to assist its allies and partners in cybersecurity, domestic policies will be established to determine when it is in the national interest to provide such support, and which agency is the right vehicle for that purpose.
Conclusion
The Strategy concludes with notes on implementation. The Federal Government will prioritize capturing lessons learned from cyber incidents, such as the Log4j vulnerability,[viii] and apply them in implementing the Strategy. Agencies, regulators, and private entities are encouraged to emulate this learning practice.
The White House Office of the National Cyber Director will be responsible for coordinating implementation of the Strategy, under the oversight of National Security Council staff and in coordination with the Office of Management and Budget. The Biden-Harris administration will also work closely with Congress to authorize needed funding for strategic and responsive cybersecurity activities.
Footnotes
[i] White House Briefing on March 2, 2023 https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
[ii] Full text of National Cybersecurity Strategy https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
[iii] EO 14028 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[iv] Bipartisan Infrastructure Deal https://www.whitehouse.gov/briefing-room/statements-releases/2021/11/06/fact-sheet-the-bipartisan-infrastructure-deal/
[v] CHIPS and Science Act, 2022 https://www.congress.gov/bill/117th-congress/house-bill/4346
[vi] EO 13984 https://www.federalregister.gov/documents/2021/01/25/2021-01714/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious
[vii] White House Fact Sheet: Declaration of the Future of the Internet https://www.whitehouse.gov/briefing-room/statements-releases/2022/04/28/fact-sheet-united-states-and-60-global-partners-launch-declaration-for-the-future-of-the-internet/
[viii] Log4J Incident: https://www.cnn.com/2021/12/15/tech/log4j-vulnerability/index.html
Ekene Chuks-Okeke is an LLM student at Cornell Tech. She is a Fellow with the Internet Law and Policy Foundry and a Certified Information Privacy Professional (CIPP/E).
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or misrepresentations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).