In light of the increase in foreign cyber threats resulting in the theft of intellectual property held by U.S. entities and personal information of U.S. citizens, in addition to disruptions to critical U.S. business operations, the Administration has outlined its strategic objectives to achieve the ultimate goal of securing the U.S. cyberspace against growing foreign threats.
Although the Strategy does not directly create new legal obligations for private sector entities, it does provide a clear signal regarding the direction the Administration intends to take in shaping legal obligations in the coming years. The Administration also emphasized its commitment to making this Strategy more than a thought leadership piece, including announcing coordinated efforts between the Office of the National Cyber Director (ONCD) and its interagency partners to develop and publish a related implementation plan for the Strategy. Private sector entities are well-advised to get ahead of potential new and enhanced cybersecurity efforts and regulations by considering implications for their own information security programs stemming from the Administration’s call for strategic shifts and each of the five “pillars” outlined in the Strategy.
Fundamental Shifts
The Strategy aims to better position U.S. public and private sectors to defend themselves in an evolving threat landscape through two “fundamental shifts” in the allocation of roles, responsibilities, and resources in the cyber environment. First, the Strategy calls for increasing incentives for the owners and operators of critical systems, as well as technology providers that support those systems, to take responsibility for minimizing cybersecurity risks. These organizations, according to the Administration, are most capable and best-positioned to reduce cyber risks. Second, the Strategy calls for a realignment of incentives in favor of long-term investment into the U.S. cybersecurity posture. The Administration is looking to strike a balance between short-term defenses against urgent threats and strategically planning for and investing in a resilient future.
The Five “Pillars”
The Strategy rests on five pillars intended to enhance collaboration between U.S. public and private sector entities, as well as international allies and partners, with the goal of thwarting cyber threats from foreign criminal syndicates and adversarial nation-states.
The most notable components of the pillars for private sector entities are as follows:
- Pillar 1 - Defend Critical Infrastructure. This pillar builds upon the government’s current efforts to protect the nation’s critical infrastructure, while advancing the call to operationalize collaborative defense.
As part of Strategic Objective 1.1, “Establish Cybersecurity Requirements to Support National Security and Public Safety,” this pillar calls for an increased focus on cybersecurity regulations aimed at mitigating threats to U.S. critical infrastructure, the large majority of which is owned by the private sector. While acknowledging past efforts to establish standards in some industries, such as oil and gas pipelines, the Administration states that “today’s marketplace insufficiently rewards – and often disadvantages – the owners and operators of critical infrastructure” that implement robust cybersecurity measures and concludes that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” The Strategy therefore amplifies the need for additional regulations that are operationally and commercially viable and tailored to each sector’s risk profile. In support of this objective, the Administration encourages state and federal regulators to establish requirements intended to harmonize and streamline new and existing cybersecurity regulations and standards that apply to critical infrastructure entities. State and federal regulators are further directed to collaborate in efforts to minimize harm where regulations are in conflict or are otherwise overly burdensome.
According to the Administration, new and enhanced cybersecurity regulations should be performance-based and agile enough to adapt as adversaries increase their capabilities and change tactics. While such regulations will define minimum expected cybersecurity practices or outcomes, the Administration will encourage organizations to undertake efforts to exceed these requirements.
Finally, Strategic Objective 1.1 states that new regulations may be necessary in some industries in order to “create a level playing field” so that organizations are not “trapped in a competition to underspend their peers on cybersecurity.” It therefore encourages regulators to “ensure that necessary investments in cybersecurity are incentivized through the rate-making process, tax structures, and other mechanisms.”
Pillar 1 of the Strategy also recognizes the need to “Update Federal Incident Response Plans and Processes” as part of Strategic Objective 1.4, which will leverage the rulemaking efforts by the Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As recognized by this objective, CIRCIA will enhance the government’s awareness and ability to respond effectively when entities in critical infrastructure sectors report cyber incidents.
- Pillar 2 - Disrupt and Dismantle Threat Actors. This pillar seeks to prevent malicious actors from mounting cyber campaigns that threaten the nation’s security or public safety. The Strategy notably suggests, as part of Strategic Objective 2.1, “Integrate Federal Disruption Activities,” that increased government threat-intelligence gathering could result in the designation of additional criminal syndicate groups as sanctioned entities under U.S. Treasury Department Office of Foreign Assets Control (OFAC) guidance. A proliferation of OFAC sanctions designations could increase strict liability risks for private sector entities considering payments to threat actors in connection with cyberattacks (whether ransomware or other extortion).
Moreover, as part of Strategic Objective 2.2, “Enhance Public-Private Operational Collaboration to Disrupt Adversaries,” the Strategy calls for enhancing public-private collaboration, viewing it as an important measure for dismantling and disrupting cybersecurity threats from criminal syndicates and adversarial nation-states. For instance, the Strategy encourages private sector companies to join non-profits that can serve as hubs for operational collaboration, such as the National Cyber-Forensics and Training Alliance (NCFTA).
Strategic Objective 2.5, “Counter Cybercrime, Defeat Ransomware,” also reaffirms the Administration’s commitment to mounting disruption campaigns against ransomware threat actors, including the targeting of illicit cryptocurrency exchanges. This objective also strongly discourages the payment of ransoms, and encourages the reporting of any ransomware incident if the organization nonetheless chooses to pay such ransom (which will become legally required for some entities under CIRCIA, once CISA completes its rulemaking process).
- Pillar 3 - Shape Market Forces to Drive Security and Resilience. This pillar of the Strategy is aimed at shifting responsibility for cybersecurity to entities that are the best positioned to mitigate risk, and at redirecting the consequences of poor cybersecurity away from the most vulnerable. The Strategy specifically provides that entities that have chosen to make minimal investment in cybersecurity have negatively impacted the broader cyber environment, including with respect to the loss of information relating to consumers. Noting that market forces “have not adequately mobilized industry to prioritize our core economic and national security interests,” the Strategy proposes to hold “stewards of data” accountable for the security of the personal information that is under their control per Strategic Objective 3.1, “Hold the Stewards of Our Data Accountable.” The objective indicates support for legislative efforts aimed at imposing robust and clear limits on organizations’ ability to collect, use, transfer, and maintain personal information, and to similarly provide strong protections for sensitive data, expressly including geolocation and health information. Further, the Administration believes that legislation should also set national requirements to secure personal data consistent with standards and guidelines, such as those issued by the U.S. National Institute of Standards and Technology (NIST).
As a key item, Strategic Objective 3.3, “Shift Liability for Insecure Software Products and Services,” provides that regulators must reshape laws and regulations that govern liability for data loss and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies. The Administration intends to work with Congress to develop legislation to begin to shift liability to those entities that fail to take reasonable precautions to secure their software. Key objectives include preventing software manufacturers and publishers with market power from fully disclaiming liability by contract, and establishing higher standards of care for software in specific high-risk scenarios. Additionally, the Administration plans to drive the development of an adaptable safe harbor framework to shield companies that securely develop and maintain their software products and services from liability. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework.
The Strategy will also aim to leverage federal procurement to improve accountability, as outlined in Strategic Objective 3.5, “Leverage Federal Procurement to Improve Accountability.” Specifically, through its Civil Cyber Fraud Initiative, the U.S. Department of Justice will hold entities or individuals accountable that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents.
While Strategic Objective 3.6, “Explore a Federal Cyber Insurance Backstop,” briefly addresses the government’s potential assessment of a federal cybersecurity insurance structure aimed at stabilizing the U.S. economy in the event of a catastrophic incident, the Administration appears only to suggest that additional input and consultation will be considered across stakeholders without a clear path forward for cyber insurance.
- Pillar 4 - Invest in a Resilient Future. This pillar primarily addresses public sector calls to action aimed at enhancing the U.S. public and private sector cybersecurity posture.
- Pillar 5 - Forge International Partnerships to Pursue Shared Goals. This pillar provides that the U.S. will develop best practices in coordination with U.S. allies and partners to “shift supply chains to flow through partner countries and trusted vendors.”
Next Steps
Private sector organizations are well-advised to begin assessing the impact of the Strategy on their business, especially as the Strategy implementation aims to focus on accountability mechanisms and shifting liability. In the short term, companies providing software products and services into the U.S. market may wish to evaluate how the Administration’s focus on liability-shifting may impact their development lifecycle, contracting strategy, and overall cyber risk management processes. In addition, organizations may want to consider reviewing anew how their information security policies and procedures align with cybersecurity standards such as those published by NIST (especially as the Administration works toward NIST Cybersecurity Framework 2.0), enhance processes to confirm security-by-design in the development of new products and services, update ransom payment procedures to clearly support compliance with OFAC guidance on payments to sanctioned persons, and implement clear vendor-management policies to help ensure that vendors maintain robust cybersecurity measures that align with the Strategy and are not potentially influenced by adversarial nation-states.
Authored by: Pete Marta, Alaa Salaheldin, A.J. Santiago, Stacy Hadeka, Paul Otto, Tim Bergreen, Katy Milner, Nathan Salminen.