On March 2, the Biden Administration released a new National Cybersecurity Strategy. This is the first administration-wide cybersecurity strategy in five years, and follows a Cybersecurity Executive Order (EO 14028) issued in May 2021 in the aftermath of the SolarWinds and Colonial Pipeline incidents.
The strategy contains five pillars, including defending critical infrastructure, disrupting threat actors, shaping market forces, investing in a resilient future and forging international partnerships.
Why It Matters
The Strategy signals several major policy shifts – some will require legislation, but many can be implemented through existing authorities. These shifts include:
- Cybersecurity regulation. Asserting that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the Strategy calls for using existing regulatory authorities (or working with Congress to enact legislation where regulatory gaps exist) to set minimum cybersecurity requirements across critical infrastructure sectors. The call for mandatory standards is not new – then-President Obama voiced support for ultimately unsuccessful Congressional efforts to accomplish this in 2011-2012 – but this is the first time it appears in a formalized executive branch strategy. The 2023 strategy asserts that regulations should be performance-based and leverage existing cybersecurity frameworks, referencing both the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the December 2022 Cybersecurity Performance Goals issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The Office of National Cyber Director and Office of Management Budget are tasked with harmonizing regulations and related assessments.Importantly, the Strategy provides that regulations would define “minimum expected” cybersecurity practices and encourages support for further efforts to exceed these requirements. One way the Administration could do so, as we have previously noted, is by focusing on how regulations could expressly reward companies to go beyond them.
- Liability for software products and services. The Strategy also calls for legislation to shift liability to software providers that fail to take “reasonable precautions” to secure their software, echoing an earlier recommendation from the Congressionally chartered Cyberspace Solarium Commission. “Software makers are able to leverage their market position to fully disclaim liability by contract” according to the Strategy, which goes on to assert: “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.” While the prospects for successful legislation are uncertain at best, the Administration may use existing authorities to pursue companies whose defects have contributed to intrusions. For example, the Department of Justice’s Civil Cyber-Fraud Initiative already targets companies who knowingly provide deficient cybersecurity products and services. Regulatory agencies including the Federal Trade Commission and Consumer Financial Protection Bureau have authorities to seek enforcement actions against companies for insufficient data protection security.
- Safe harbor. The call for a liability shift is coupled with support for a “safe harbor” that would shield from liability companies that securely develop and maintain software products and services. There is precedent for shielding providers that invest in security from liability: the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act was enacted by Congress in the aftermath of the 9/11 terrorist attacks to mitigate risk and limit liability for corporations, so they would continue to invest in security capabilities without the fear of being sued for third-party liability in the case of another terror attack. We have called for SAFETY Act coverage to be extended to disruptive cyber events. Given uncertain legislative prospects, the Administration could still implement certain aspects of a safe harbor through a policy statement, for example that good faith, proven conformance to the NIST Secure Software Development Framework (SSDF) will preclude certain Federal enforcement actions.
The strategy also calls for enhanced disruption activities targeting state and criminal actors, including through Cyber Command cyberspace operations. Likewise, it portends a more active international engagement strategy, which will be critical to leveling the playing field and creating opportunities for differentiation for U.S. companies overseas. These are particularly welcome developments in broadening tools to disrupt and defend against nation state attackers.
What to Do About It
- SSDF Alignment. Software providers should be working to assess and conform to the NIST SSDF now. In September 2022, OMB, in accordance with Executive Order (EO) 14028, directed Federal agencies obtain attestations of conformance to SSDF from software vendors within 270 days for “critical software” and a year for other forms of software. While these requirements will technically only apply to federal agency procurements, a broader set of buyers and suppliers across critical infrastructure will view the publications as a “north star” for security expectations. Providers should be on the lookout for a standard self-attestation “common form” being developed now by CISA in consultation with OMB.
- Software Transparency and Vulnerability Discovery. The Strategy’s Safe Harbor provision also spoke about incorporating software transparency, likely in the form of a Software Bill of Materials (SBOM), and vulnerability discovery, which could be achieved in part through “bug bounty” programs, into future safe harbor requirements. Providers should be actively considering how to implement SBOM and bug bounty capabilities if they haven’t already started.
- Know-Your-Customer Expectations for Internet Infrastructure Providers. The Strategy also cites Executive Order 13984, signed by President Trump in his last full day office, which invoked the International Emergency Economic Powers Act (IEEPA) and related authorities to mandate that IaaS providers require enhanced identity verification – also known as “Know Your Customer” – for foreign persons opening accounts with the provider – loosely akin to what banks are required to do for anti-money-laundering purposes. The Strategy hints at potentially expanding KYC and related abuse-prevention measures to other Internet infrastructure providers including domain registrars, hosting and email providers. Internet infrastructure providers should be considering how to implement potential KYC-requirements for certain customers.
- Cyber Performance Goals and Threat-Informed Defense. Many critical infrastructure organizations already use the NIST Cybersecurity Framework to orient their cybersecurity programs, but the Strategy is implicitly saying this must be complemented with more focused prioritization of threat-informed capabilities – hence the reference to CISA CPGs, each of which is explicitly mapped to threat techniques enumerated in the MITRE ATT&CK The Strategy adds that regulations should be agile enough to adapt as adversaries increase capabilities and change tactics – the CPGs accomplish this in part through practices around detecting relevant threats and TTPs (CPG 8.2).
- Identity as a primary attack surface. Seeded throughout the strategy is a recognition that identity and access system weaknesses are increasingly central to successful cyber attacks and digital fraud campaigns, particularly for cloud-centric systems – indeed the above-referenced CPGs start with Account Security. As companies look to manage attack surface for themselves and their customers, identity-centric posture and threat management will be a key component.
- Focus on “effectiveness.” The word “effective” or “effectively” appears over 30 times in the Strategy. Effectiveness is also a primary criteria for obtaining liability protection under the above-referenced SAFETY Act, and would likely feature, at least implicitly, in any safe harbor determination for software providers. For critical infrastructure operators, the CPGs provide that they should invest at least some resources in validating that the controls theoretically in place are there in practice and operating as intended (see CPG 5.6). CISA, the FBI, and the NSA jointly issued guidance where they “recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.” Companies should incorporate threat emulation testing to ensure defenses are operating as intended.
- Insurance. Providers should also expect the insurance markets to take notice of these developments and factor them into underwriting decisions not just for cyber insurance but product liability and related coverages. The Strategy also contained a loose commitment to “explore” the potential for a Federal cyber insurance backstop in the event of catastrophic cyber event, and the Federal Insurance Office has already initiated this process, issuing a request for information in September 2022, but any such initiative would require legislation.
The National Cybersecurity Strategy acknowledges an increasingly perilous cyber threat landscape and reinforces key priorities of the Biden White House and previous administrations. As a result, companies can anticipate more regulatory oversight, heightened duty of care and increased expectations for public-private coordination.