On March 2, the Biden Administration released a “National Cybersecurity Strategy,” which it says takes a comprehensive approach to securing cyberspace for all and ensuring the United States is in the best position to take advantage of all the benefits that our digital future holds. The Strategy consists of five “pillars”: Infrastructure, threat actors, the market, plans for the future, and international collaboration.  Here is a summary:

Pillar I:  Defending Critical Infrastructure

Pillar I of the Strategy seeks to

• Establish cybersecurity regulations where they currently do not exist and harmonize existing regulations.
• Identify and close the “gaps in authorities to drive better cybersecurity practice in the cloud computing industry and for other essential third-party services.”
• Enhance coordination between the Cybersecurity & Infrastructure Security Agency and U.S. owners and operators of critical infrastructure, and to deepen collaboration with software, hardware, and managed service providers to promote greater security and resilience.
• Provide guidance on how private sector partners can reach federal agencies for support during cyber incidents, and for advice regarding the support that the federal government can provide.
• Modernize federal systems to include multi-factor authentication and access, encryption and more.

Pillar II:  Disruptions and Dismantling of Threat Actors

This Pillar includes

• Improved integration of threat disruption by the U.S. Department of Justice and federal law enforcement agencies with that of private industry, and international allies and partners.
• Encouraging private sector entities to coordinate on disruption activities.
• Increasing government reporting to potential victims of cyber incidents.
• Working with cloud and other internet infrastructure providers to combat abuse of U.S.-based infrastructure and placing the onus on “[a]ll service providers” to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”

Pillar III:  Shaping Market Forces to Drive Security and Resilience

Pillar III would

• Hold “the stewards of our data accountable” for cybersecurity risks, provide incentives for the development of secure connected devices (IoT), and shift liability to the “stewards” for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks that software and digital technologies create.
• "[D]evelop legislation establishing liability for software products and services,” and a “safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
• Use federal procurement to ensure that contractual requirements for cybersecurity are strengthened and standardized across federal agencies.
• Assess the need for a federal insurance response to catastrophic cyber events, after obtaining input from Congress, state regulators, and industry stakeholders.

Pillar IV:  Investing in a Resilient Future

This pillar includes

• “Cleaning up” systemic risks and implementing a strategy to combat autocratic regimes that seek to change the Internet.
• Identifying, prioritizing, and promoting research and development projects to advance cybersecurity and resilience.
• Preparing the public and private sector for the eventuality of quantum computing, which threatens the encryption methods currently used to protect data, “validate end users, authenticate signatures, and certify the accuracy of information.”
• Building cybersecurity into government investments in new energy infrastructure that could strengthen the United States’ electric grid, as well as development of a digital identity ecosystem to combat identity theft and fraud.
• Developing a national strategy to enhance the expertise and diversity of the nation’s cyber workforce.

Pillar V:  Forging International Partnerships to Pursue Shared Goals

The last pillar includes

• Advancing common cybersecurity interests, sharing cyber threat information, developing new law enforcement mechanisms, and coordinating policy and incident response activities internationally.
• Relying on U.S.-based products and services or those developed in coordination with trusted allies and partners.

Strategy takeaways

According to the Strategy, a lot of work is needed to meet its objectives, including the following:

• Increased federal regulation of businesses involved with the digital ecosystem of the nation’s infrastructure.
• Regulations shifting liability to software companies, cybersecurity products or services companies, and other companies that put U.S. systems at risk by knowingly providing deficient products, services, or misrepresenting their practices or protocols. This includes violations of their obligation to monitor and report cyber incidents and breaches. Other regulatory action would include establishing a “safe harbor” for companies that securely develop and maintain software products and services.
• Coordination with insurance industry stakeholders to develop a federal response to a potential catastrophic cyber event.
• Investment in cyber education and training to promote a diverse workforce and fulfill the need for individuals with expertise in cybersecurity.
• Investments in and modernization of critical infrastructure, and development of a digital identity ecosystem to combat identity fraud.
• Continued coordination between U.S. law enforcement and its partners and allies.
• Countering the threat of ransomware attacks by addressing the abuse of virtual currencies, securing critical infrastructure, international cooperation, and criminal investigations into threat actor groups.

If you are interested in ways that your organization can become better prepared to address the ever-changing landscape of cybersecurity and data privacy, contact us at BreachResponse@constangy.com.