New National Cybersecurity Strategy Promises New Rules and Research

Published: March 09, 2023


The new White House strategy will continue to raise the cybersecurity bar for technology and critical infrastructure product and service suppliers.

The Biden Administration recently released its National Cybersecurity Strategy to address increasingly complex threats and to secure the digital technologies the country depends on. The strategy envisions making the U.S. digital ecosystem, and the technologies that enable it, more defensible, resilient and aligned with U.S. values, shaping both how digital technologies are built and how they reinforce those values.

The strategy seeks to build and enhance shared U.S. cybersecurity collaboration around five pillars:

  1. Defend Critical Infrastructure – Involves expanding the use of minimum cybersecurity requirements in critical sectors; harmonizing compliance regulations; enabling public-private collaboration to defend critical infrastructure and essential services; and defending and modernizing federal networks and incident response policy.
  2. Disrupt and Dismantle Threat Actors – Involves strategically employing all tools to disrupt adversaries; engaging the private sector in disruption activities; and addressing the ransomware threat through a comprehensive federal approach.
  3. Shape Market Forces to Drive Security and Resilience – Involves promoting privacy and the security of personal data; shifting liability for software products and services to promote secure development practices; and ensuring that federal grants promote secure and resilient infrastructure.
  4. Invest in a Resilient Future – Involves reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem; prioritizing cybersecurity R&D for next-generation technologies such as post-quantum encryption, digital identity solutions, and clean energy infrastructure; and developing a diverse and robust national cyber workforce.
  5. Forge International Partnerships to Pursue Shared Goals – Involves leveraging international coalitions and partnerships to counter threats to our digital ecosystem; increasing the partner cyber defense capacity; and working with partners to make secure, reliable, and trustworthy global technology supply chains.

The White House Office of the National Cyber Director will be coordinating the ongoing implementation of the strategy.

Industry and Contractor Implications

The strategy clearly indicates that federal cybersecurity leaders will pursue a growing set of cybersecurity rules and requirements for industry and suppliers. In the strategy announcement, the White House emphasized its plan to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

Under the Defend Critical Infrastructure pillar (#1), the strategy seeks to develop mandatory cybersecurity requirements and regulations for critical infrastructure protection, working with Congress, CISA, the relevant regulatory agencies and industry. This affects cloud service providers and cloud-based cybersecurity, as the strategy notes both the benefits of, and the reliance upon, cloud-based services, including cloud-based cybersecurity solutions. Migrating federal legacy systems and citizen-facing digital services to the cloud is cited in the strategy as one means of raising the cybersecurity posture across federal agencies. The strategy also commits to identifying and filling gaps in the cybersecurity of the cloud computing industry and related services. To disrupt threat actors (pillar #2) attacking or exploiting cloud-based infrastructure, the government will work with cloud and other internet providers to improve threat identification, response and information sharing. Taken together, these efforts could result in further cyber-related regulation of cloud service providers.

The strategy explicitly aims to promote secure software development practices by shifting liability onto the creators and suppliers of software products and services, using the prospect of legal and financial liability to drive them to deliver secure, resilient products and services (pillar #3). Federal efforts will encourage broader vulnerability disclosure across technologies and sectors, further development of software bills of materials (SBOMs), and mitigation of the risks posed by unsupported software.

Pillar #3 of the strategy also includes an objective to use federal procurement requirements to raise accountability for the cybersecurity of contracted products and services. We have already seen growing federal efforts to build cybersecurity compliance requirements into contracting policies and provisions, such as the Department of Defense’s evolving Cybersecurity Maturity Model Certification (CMMC) program.

The strategy is not entirely focused on a regulatory approach to improving cybersecurity. It also emphasizes research and development into emerging cybersecurity technologies (pillar #4). The strategy calls for federal departments and agencies to direct research, development and demonstration (RD&D) capacity toward cybersecurity needs as part of a forthcoming update to the Federal Cybersecurity R&D Strategic Plan. Relevant areas include artificial intelligence, operational technology, industrial control systems, cloud infrastructure, telecommunications, encryption, system transparency, and data analytics.

According to an account of the White House press call presenting the strategy to the news media, an implementation plan will be released publicly in the months ahead.