Late last week, the White House released its latest National Cybersecurity Strategy, which has seemingly been in development since the beginning of the Biden administration. This strategy document was highly anticipated, especially since the last National Cyber Strategy was released back in September 2018 by the Trump administration. While the release of the strategy has received criticism for having been delayed, the document provides worthwhile insight into the administration’s top cybersecurity priorities and remains timely given the ongoing shifts in the cyber threat landscape and the prevalence of cyber threats.
The administration’s new strategy focuses on five key pillars: 1) critical infrastructure defense, 2) action against threat actors, 3) market changes to bolster cybersecurity, 4) necessary investments to build defenses, and 5) greater international coordination and collaboration. Within this broad framework, the strategy also includes a slate of very targeted recommendations – many of which would need action from Congress in order to be implemented, and others that will require further executive action.
Several members of Congress have already offered their feedback on the document – with Democrats largely stating their support, while Republicans praised some portions of the strategy but criticized others. Criticism from Republicans has largely centered on concerns surrounding the implementation of more regulations and greater bureaucratic pressure on the cyber ecosystem, which could lead to greater confusion and more burden for the cyber industry. However, Democrats have asserted that such a “full-court press” is necessary in order to meet the moment and adequately strengthen cyber defenses across the full breadth of impact.
As Congress weighs action on the administration’s cybersecurity priorities (especially in advance of tomorrow’s release of President Biden’s FY 2024 budget request), here are the top takeaways from the National Cyber Strategy:
Further shift towards mandates: Up until this year, implementation of cybersecurity standards has largely focused on voluntary compliance and information sharing. However, the recommendations in the new strategy mark a greater shift towards minimum mandates that would hold more entities responsible for adherence to cyber regulations. This is particularly impactful for critical infrastructure owners and operators, who will be required to meet mandatory standards set forth by the agencies of jurisdiction.
NEXT STEPS: Federal agencies of jurisdiction will be directed to craft minimum security guidelines for various critical infrastructure sectors. The administration has stated that they will prioritize harmonization of these requirements across sectors.
Potential for high impacts related to liability: One of the strategy’s proposals that has received a high level of backlash is a request to Congress to pass comprehensive legislation that would hold software companies liable for vulnerable and insecure code in their products. The administration has signaled that this is a key long-term goal: shifting the responsibility for cyber insecurities back to those who developed the software.
NEXT STEPS: Implementation of this recommendation would require congressional action, and it seems unlikely that there would be any level of bipartisan support for such a proposal. However, the administration is interested in acting through standards-setting agencies to advance software liability reform at some level.
Greater coordination among all stakeholders: A consistent theme throughout the document is a call for greater collaboration among the full range of actors in the cybersecurity landscape – including coordination with state and local governments, greater leveraging of public-private partnerships, more partnerships with like-minded international allies, and more harmony among various sectors. The strategy places this at the top of the priority list throughout implementation of all of its proposed actions – ranging from standards creation to cyber workforce development initiatives.
NEXT STEPS: The strategy emphasizes that the administration is committed to harmonizing cybersecurity planning across all levels of government, with significant opportunity for feedback and involvement from industry and other stakeholders. It remains to be seen how this process will work given the various entities within the federal government that are focused on cybersecurity, and how they will handle increasing scrutiny surrounding their jurisdictions.