The Biden Administration’s 2023 Cybersecurity Strategy Includes Potentially Significant Implications for the Technology Sector
On March 2, 2023, the Biden administration released the 2023 National Cybersecurity Strategy (the “Strategy”).1 The Strategy acknowledges that the United States “must [effect] fundamental shifts in how . . . [it] allocates roles, responsibilities, and resources in cyberspace.”2 To that end, the Strategy highlights two specific shifts that it seeks to accomplish: “rebalance[ing] the responsibility to defend cyberspace” and “realign[ing] incentives to favor long-term investments.”3 Achieving those goals relies on five distinct pillars:
- Defending critical infrastructure.
- Disrupting and dismantling threat actors.
- Shaping market forces to drive security and resilience.
- Investing in a resilient future.
- Forging international partnerships to pursue shared goals.
Importantly, for the technology sector, the Strategy explains that “[i]ndividuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities.”4 In light of those limitations, the Strategy seeks to strengthen the nation’s cybersecurity capabilities by
“ask[ing] more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as the technology providers that build and service those systems.”5
In press briefings, Acting National Cyber Director Kemba Walden has described the Strategy as “fundamentally reimagining America’s cyber social contract.” From the perspective of the technology sector, the focus on rebalancing cybersecurity risk mitigation responsibilities will have potentially significant practical repercussions as the administration will “focus on points of leverage,” including efforts to place greater burdens on the technology industry through legislative and administrative action.6 We discuss below some of the contemplated “points of leverage,” as well as some opportunities the Strategy may present for the technology sector.
Shifting Cybersecurity Burdens to the Technology Industry
Among the more significant elements of the Strategy is its contention that past efforts to rely on market forces to drive enhanced cybersecurity have proven unsuccessful. The Strategy asserts that rather than seeking to enhance cybersecurity capabilities, the industry has chosen not to adopt best practices and instead continues to engage in practices such as shipping products with unsafe default configurations or known vulnerabilities. Similarly, the Strategy states that software providers regularly take advantage of their market power to disclaim liability via agreements thrust upon their consumers. Software is a particular area of focus, with the Strategy noting that cyber weaknesses in software are primary drivers of “systemic risk across the digital ecosystem.”7
In sum, the Strategy concludes that because market forces have generally not been as effective as the administration would like, cyber incidents have disproportionately affected small businesses and individuals. In light of the ineffectiveness of the market, the Strategy clearly articulates the Biden administration’s intent to hold the industry more accountable for cybersecurity and to utilize the government’s purchasing power and grant-making authority, among other means, to better incentivize enhanced cybersecurity efforts. To that end, the administration specifically asserts that it will seek to shift liability onto companies that “fail to take reasonable precautions to secure their software.” According to the Strategy, emphasis will be placed on those organizations best able to prevent cyber-related problems rather than continuing to allow the impact of cyber vulnerabilities to fall on end users and open-source developers whose products are included in commercial products.
The Strategy proposes legislative solutions that will seek to establish a new liability framework for software products and services. These efforts will seek to establish limits on collecting, using, transferring and maintaining personal data, as well as particular protection for data related to health and location. Included in the desired legislative outcome would be efforts to prevent manufacturers and software providers from disclaiming liability through contracts users have no means to avoid, i.e., click-through agreements and the like. The Strategy does put forward a carrot to go with its legislative stick in the form of a contemplated safe harbor from liability for those companies who achieve compliance with best practices for secure development and maintenance of software products and services. It is of course uncertain whether with a divided federal government the administration will be able to achieve its goals through the legislative process.
Using the Federal Procurement Process to Enhance Accountability
The Strategy notes that Executive Order 14028, “Improving the Nation’s Cybersecurity,”8 took steps to utilize the federal procurement process to strengthen cybersecurity-centric contract requirements and standardize those requirements across agencies. The Strategy builds upon that work by explaining that contractors “must live up to” their commitments to follow best cybersecurity practices.9 Specific reference is made to the Department of Justice’s (DoJ) Civil Cyber-Fraud Initiative10 to hold accountable those companies that put U.S. information or systems at risk by providing deficient systems or products or misrepresenting their cybersecurity capabilities. Although not a direct result of the DoJ initiative, the July 2022 $9 million settlement of a False Claims Act case with Aerojet Rocketdyne illustrates the risk of non-compliance with government contract cybersecurity requirements.11
New Regulations to Secure Critical Infrastructure
In addition to legislative action, the Strategy contemplates new regulations in critical sectors of the economy. According to the Strategy, if enacted, the new regulations will be “performance-based” and will seek to “leverage” existing guidance including that from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). The focus of the regulations will be on defining minimum expected cyber practices and outcomes. From an industry perspective, active involvement in any rulemaking process will be critical to ensuring that any established minimum requirements are both achievable and reasonable.
Importantly, the Strategy acknowledges that key sectors often rely on the cybersecurity capabilities of third-party service providers, specifically including cloud-based services. The Strategy explains that regulators will be focused on identifying gaps in existing authorities as a means to achieve improved cybersecurity practices in the cloud computing space, as well as other types of third-party service providers. Here too, industry input will be critical as any rulemaking proceeds.
Recognizing that cybersecurity is a global issue with varying standards, the Strategy acknowledges that, to the extent necessary, the United States will work with its global partners to achieve cross-border harmonization of regulations, assessments and audit standards.
Opportunities for the Technology Sector
While the Strategy does seek to implement certain actions that would increase the technology sector’s burden in the cybersecurity space, it also offers some opportunities, including a plan to “reinvigorate” cybersecurity-focused research and development initiatives. Specifically, the Strategy recognizes that investing in research and development efforts focused on developing a stronger cybersecurity architecture with fewer vulnerabilities will pay dividends in the future in terms of more secure products and systems. Consistent with that objective, and as an element of updating the Federal Cybersecurity Research and Development Strategic Plan, the government will seek to implement research and development initiatives aimed at mitigating cybersecurity risks in both existing and next-generation technologies. Focus areas will include artificial intelligence, cloud infrastructure, encryption, telecommunications and data analytics, among others. Key nodes within the federal government for those programs will include the National Science Foundation, the Department of Energy and its National Laboratories, and other federally funded research and development centers. Public-private partnerships with academia and technology companies will also be leveraged in this area.
In addition to investing in cybersecurity-related research and development, the Strategy also focuses on investments aimed at modernizing federal information and operational technology systems. In recent years, the government has expressed a desire to move toward a zero-trust architecture that would include multi-factor authentication, improved oversight of system management and access, and improvements to cloud security. Those enhancements, however, require upgrades that cannot be implemented until the government modernizes its systems. These efforts may lead to increased procurement activity in the technology sector and thus new opportunities for technology companies to increase their government business.
Implementation
The Office of the National Cyber Director is charged with coordinating implementation efforts in conjunction with the National Security Staff and the Office of Management and Budget. It is unclear how quickly these efforts will move forward. In addition, as noted above, certain key elements of the Strategy are focused on legislative and/or regulatory actions. Industries should monitor implementation developments and weigh in when opportunities present themselves.
1 Available here: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
8 Available here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
10 Available here: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
11 Available here: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity.