On March 2, 2023, the White House released its National Cybersecurity Strategy (the Strategy). The Strategy sets out ambitious goals for the federal government to hold countries accountable for irresponsible behavior in cyberspace and to disrupt the networks of criminals behind cyberattacks. It also seeks to establish, harmonize, and streamline regulations to secure critical infrastructure, as well as shift liability to those it considers to be best positioned to implement cybersecurity, such as owners and operators of the systems that hold consumer data and the technology providers that build and service these systems. The role of the private sector and collaboration between the public and private sectors are prominent themes throughout the Strategy, as is international collaboration.
The Strategy organizes the Biden Administration’s cybersecurity vision and strategic objectives into five key pillars: 1) defense of critical infrastructure, 2) disruption and dismantling of threat actors, 3) shaping market forces to drive security and resilience, 4) investments in resilience, and 5) forging of international partnerships to pursue shared goals.
Below are some of the key takeaways for the private sector:
- The Administration states that markets do not currently incentivize secure development and calls on Congress to collaborate to develop legislation to “shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.” While such legislation would prevent providers from disclaiming liability for failing to put in place adequate security measures and practices, it would also introduce a safe harbor framework that draws from well-known cybersecurity best practices, such as the National Institute of Standards and Technology (NIST) Secure Software Development Framework.
- In addition to legislation that imposes liability on software providers for inadequate security measures, the Administration expresses its support for the implementation of broad consumer privacy legislation imposing limits on companies’ ability to collect, use, transfer, and maintain personal data.
- The Administration also calls upon state and federal regulators to set mandatory cybersecurity requirements for critical infrastructure. It encourages regulators to harmonize new and existing regulations, consider the costs and burdens of implementation, and leverage existing frameworks such as the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Performance Goals and the NIST Framework for Improving Critical Infrastructure Cybersecurity to set minimum expected practices.
- The surveillance risks and vulnerabilities of Internet of Things (IoT) devices are highlighted in the Strategy, and the Administration recommits to the development of the IoT security labeling programs to educate the public on security features of IoT devices. It also commits to investing resources into research and development in the IoT space, as well as in quantum computing to combat threats to encryption measures, digital identity systems to protect against fraud, and the protection of new clean energy infrastructure.
- For private entities that contract with the federal government, the Administration reiterates its intent to monitor and enforce contract terms imposing cybersecurity requirements on its contractors and grantees through the Department of Justice’s Civil Cyber-Fraud Initiative.
- Due to its unique visibility into adversary activity, the private sector is called upon to collaborate with the federal government to fight malicious cyber activity. Increased cyber threat intelligence sharing and a call for cloud and infrastructure service providers to adopt methods to verify the identity of foreign users are two examples of collaboration highlighted in the Strategy.
- The Administration also commits to doubling down on the ransomware threat through international cooperation, investigation of ransomware crimes, and targeting the illicit cryptocurrency exchanges used in these crimes. It strongly discourages the payment of ransoms and reminds victims to report ransomware incidents to law enforcement.
- Finally, the Strategy places the onus on CISA to update the National Cyber Incident Response Plan and calls upon the federal government to provide the private sector with clear information detailing the support services it can provide during a cyber incident and explaining how to reach the agencies providing this support.
Next Steps
The Office of the National Cyber Director is coordinating the Administration’s implementation plan for the Strategy, which will be released at a later date.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, including assisting numerous clients with developing information security programs and responding to security incidents and data breaches. For more information, please contact Beth George, Megan Kayo, Maneesha Mithal, Demian Ahn, Ale Lynberg, or another member of the firm’s privacy and cybersecurity practice.