On March 2, the Biden Administration released a new National Cybersecurity Strategy. This is the first administration-wide cybersecurity strategy in five years, and follows a Cybersecurity Executive Order (EO 14028) issued in May 2021 in the aftermath of the SolarWinds and Colonial Pipeline incidents.

The strategy contains five pillars, including defending critical infrastructure, disrupting threat actors, shaping market forces, investing in a resilient future and forging international partnerships.

Why It Matters

The Strategy signals several major policy shifts – some will require legislation, but many can be implemented through existing authorities. These shifts include:

Cybersecurity regulation. Asserting that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the Strategy calls for using existing regulatory authorities (or working with Congress to enact legislation where regulatory gaps exist) to set minimum cybersecurity requirements across critical infrastructure sectors. The call for mandatory standards is not new – then-President Obama voiced support for ultimately unsuccessful Congressional efforts to accomplish this in 2011-2012 – but this is the first time it appears in a formalized executive branch strategy. The 2023 strategy asserts that regulations should be performance-based and leverage existing cybersecurity frameworks, referencing both the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the December 2022 Cybersecurity Performance Goals issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The Office of the National Cyber Director and the Office of Management and Budget are tasked with harmonizing regulations and related assessments. Importantly, the Strategy provides that regulations would define “minimum expected” cybersecurity practices and encourages support for further efforts to exceed these requirements. One way the Administration could do so, as we have previously noted, is by focusing on how regulations could expressly reward companies for going beyond them.

Safe harbor. The call for a liability shift is coupled with support for a “safe harbor” that would shield companies that securely develop and maintain software products and services from liability. There is precedent for shielding providers that invest in security from liability: the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act was enacted by Congress in the aftermath of the 9/11 terrorist attacks to mitigate risk and limit liability for corporations, so they would continue to invest in security capabilities without the fear of being sued for third-party liability in the case of another terror attack. We have called for SAFETY Act coverage to be extended to disruptive cyber events. Given uncertain legislative prospects, the Administration could still implement certain aspects of a safe harbor through a policy statement, for example that good-faith, proven conformance to the NIST Secure Software Development Framework (SSDF) will preclude certain Federal enforcement actions.

The strategy also calls for enhanced disruption activities targeting state and criminal actors, including through Cyber Command cyberspace operations. Likewise, it portends a more active international engagement strategy, which will be critical to leveling the playing field and creating opportunities for differentiation for U.S. companies overseas. These are particularly welcome developments in broadening the tools available to disrupt and defend against nation-state attackers.

What to Do About It

SSDF Alignment. Software providers should be working to assess and conform to the NIST SSDF now. In September 2022, OMB, in accordance with Executive Order (EO) 14028, directed Federal agencies to obtain attestations of conformance to the SSDF from software vendors within 270 days for “critical software” and within a year for other forms of software. While these requirements will technically apply only to federal agency procurements, a broader set of buyers and suppliers across critical infrastructure will view these publications as a “north star” for security expectations. Providers should be on the lookout for a standard self-attestation “common form” being developed now by CISA in consultation with OMB.

The National Cybersecurity Strategy acknowledges an increasingly perilous cyber threat landscape and reinforces key priorities of the Biden White House and previous administrations. As a result, companies can anticipate more regulatory oversight, heightened duty of care and increased expectations for public-private coordination.

This analysis was also posted at The Chertoff Group