White House Pivots on Cyber: Voluntary Compliance Carrots Are Being Replaced By Big Regulatory Sticks
The White House released the long-anticipated National Cybersecurity Strategy on March 2, 2023 setting out five (5) pillars articulating key themes and Administration priorities. Coming more than two years into the Biden Administration, the strategy supersedes the last National Cyber Strategy, released by the Trump Administration in September 2018. Having been working in the cyber policy space for decades, we see major changes in store for the private sector as the Executive Branch implements this strategy, alongside the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and updates to the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The Biden Administration Moves To Regulatory Requirements To Address Cybersecurity
The overall message of the new National Cybersecurity Strategy is clear: the Biden Administration believes that the U.S. can no longer rely on voluntary collaboration and vigilance against cyber threats so the Administration must shift responsibility to industry through regulations when the market has allegedly failed to incentivize cybersecurity. That means we are moving from the public private partnership model into increased regulations on critical infrastructure because the Administration is convinced that voluntary standards are simply not enough.
The National Cybersecurity Strategy seeks to solidify the Office of the National Cyber Director (ONCD) as the lead federal agency for harmonizing cyber regulations, but can it successfully reign in and deconflict between competing departments and agencies who have now been mandated to leverage their unique authorities to promulgate cyber regulations and enhance cybersecurity?
The Biden Administration says its goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than to defend them, where sensitive or private information is secured and protected, and where neither incidents nor errors can cascade into catastrophic events. So, the public private partnership model is out and the big government regulatory approach is in.
To realize its goal of putting the U.S. on a path to resilience in cyberspace, the White House says it seeks to make two fundamental shifts in how the U.S. allocates roles, responsibilities, and resources in cyberspace.
First, the White House wants to “rebalance” the responsibility to defend cyberspace to the most capable and best-positioned actors to be better stewards of the digital ecosystems. The Biden Administration thinks that “industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.”
Second, the White House seeks to realign incentives to favor long-term investments to make cyberspace more resilient and defensible over the long term. To do so, the strategy outlines how the Federal Government will use “all tools” available “to reshape incentives and achieve unity of effort in a collaborative, equitable, and mutually beneficial manner.”
Let’s review the five (5) pillars of the new National Cyber Strategy to see how this is likely to play out:
In Pillar 1, the Strategy Offers Ambitious Goals to Defend Critical Infrastructure
Pillar 1 starts out with the lofty goal of operationalizing an enduring and effective model of collaborative defense that “equitably distributes risk and responsibility” and then quickly jumps to the need for regulatory frameworks focused on achieving security and business continuity. That’s because the Biden Administration believes that the nation requires cyber regulations to support national and economic security and safety because reliance on voluntary cybersecurity standards in the marketplace has failed. The nation needs mandatory cyber requirements, the theory goes, because the market has inadequately incentivized industry to invest in cybersecurity. To address this deficit, the Administration seeks to leverage existing unique authorities to close gaps in cyber regulations to secure critical infrastructure. What this means is more regulations by department and agencies, independent regulators, and states to “close gaps” in regulations.
But don’t worry, the Biden Administration will seek to coordinate, de-conflict, and harmonize federal incident reporting requirements working through the Department of Homeland Security (DHS) Cyber Incident Reporting Council (CIRC).
The security of federal systems receives attention, and the strategy notes ongoing efforts “to implement a zero trust architecture strategy and modernize IT and OT infrastructure.” Federal system security has been a perennial challenge and federal contractors face an increasing array of obligations. In light of recent public recognition of federal security challenges and breaches, the federal government may not be the “model” that the White House envisions for “critical infrastructure across the United States for how to successfully build and operate secure and resilient systems.”
Pillar 2 Calls for Several Initiatives to Disrupt and Dismantle Threat Actors, Which Will Impact the Private Sector
The Administration seeks to use “all instruments of national power” to disrupt and dismantle threat actors threatening our country to make malicious actors incapable of mounting sustained cyber-enabled campaigns. The White House wants to build on previous successful disruption efforts by enabling greater collaboration by public and private sector partners to improve intelligence sharing, execute disruption campaigns at scale, and deny adversaries use of U.S.-based infrastructure, and thwart global ransomware campaigns.
Pillar 2 reaffirms that the Department of Justice (DOJ) will lead federal efforts to integrate federal disruption activities and increase intelligence sharing and victim notification through the Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF). The strategy notes that DoD and the Intelligence Community will bring to bear their full range of complementary authority to international disruption campaigns. The strategy calls out the National Security Agency’s Cybersecurity Collaboration Center for its highly effective effort at disrupting adversary activity targeting the Defense Industrial Base (DIB) using its national intelligence-driven engagement with industry initiative.
The strategy acknowledges that ransomware is a threat to national security, public safety, and economic prosperity and that ransomware perpetrators have disrupted hospitals, schools, pipeline operations, government services and other aspects of critical infrastructure or essential services. Countering ransomware attacks, particularly from Russia, Iran, and North Korea on key critical infrastructure services, will be a top Administration priority. The Biden Administration will also continue work on the 35-nation Counter Ransomware Initiative to leverage global cooperation and address the abuse of virtual currency.
To prevent the abuse of U.S-based infrastructure, the Biden Administration proposes to work with cloud service providers and internet service providers to identify malicious cyber actors and implement Executive Order (EO) 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (January 19, 2021). EO 13984 was issued by President Trump to address the use of U.S. Infrastructure as a Service (IaaS) products by foreign malicious cyber actors to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers. Those foreign malicious actors used IaaS to harm the U.S. economy through the theft of intellectual property and sensitive data and to threaten national security by targeting U.S. critical infrastructure. The challenge the EO sought to address was that foreign malicious actors were using IaaS to avoid U.S. legal process so the EO imposed certain record-keeping obligations with respect to foreign transactions.
The Biden Administration will now prioritize adoption and enforcement of a risk-based approach to cybersecurity involving IaaS providers to address known methods of indicators of malicious activity. In short, the Administration seems ready to enhance and enforce providers’ record-keeping related to foreign transactions as set forth in EO 13984 which includes verification of identity provisions and special measures for certain foreign jurisdictions or foreign persons. The devil will be in the details of how the Executive Branch intends to accomplish this and whether they get pushback about privacy and civil liberties concerns in such private sector tracking.
In Pillar 3, The Biden Administration Announces an Intent to Reshape Market Forces to Drive Security and Resilience
Overall, the Biden Administration believes that government needs to do more to incentivize industry to prioritize cyber risk management. As a result, the Administration will work with Congress to pass national privacy legislation that imposes limits on the ability to collect, use, transfer, or store personal data aligned with the National Institute of Standards and Technology (NIST) privacy framework. The Administration will also work with Congress on legislation establishing liability for software products and services onto developers or manufactures. The Administration, however, supports a liability safe harbor for software manufactures who meet certain requirements and will offer grants or incentives to help companies build security and resiliency by design. Similarly, the government will seek to leverage the federal procurement process to improve accountability. Finally, the Administration will study whether a federal cybersecurity insurance backstop for catastrophic cybersecurity incidents is required.
The Administration is seeking to shape market forces through national privacy legislation and enhanced software safety liability legislation. Their goal is to shift liability onto those who fail to take reasonable precautions to secure their software or “fail to live up to the duty of care they owe customers, businesses, or critical infrastructure providers.” This emphasis on liability issues was previewed in, among other things, a recent op-ed by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, which urged tech companies to “Stop Passing the Buck” and in remarks this week that “[t]echnology manufacturers must take ownership of the security outcomes for their customers.” and responsibilities was previewed in Cyberspace Solarium Commission’s report recommending legislation making manufacturers liable for damages from incidents that exploit known and unpatched vulnerabilities. All of this should be of note to software and hardware manufacturers and integrators and any “as a service” providers.
Pillar 4 Calls for Steps to Invest in a Resilient Future
Pillar 4 seeks to invest in a more resilient future and secure internet protocols by focusing on federal research and development for cybersecurity and advance resilience in the cloud. Acting through NIST, the U.S. government will lead public and private efforts to prepare for the transition to post-quantum cryptography while recognizing that strong encryption is foundational to cybersecurity and global commerce. The strategy recognizes that many of the technical foundations of the digital ecosystem are inherently vulnerable and need to be secured (e.g., Border Gateway Protocol, unencrypted Domain Name System, etc.). Additionally, the Administration will support digital identities in the cyberspace ecosystem.
Multiple workstreams are already underway across government and in the private sector on many aspects of internet security. Some of these efforts raise hard policy, practical and legal questions, and may need sustained collaboration domestically and globally. ONCD and the White House may find it challenging to coordinate across disparate efforts and avoid duplication of work.
In Pillar 5 the Strategy Says it Plans to Forge Partnerships to Pursue Shared Goals
Pillar 5 moves over to the international cyber scene and seeks to strengthen the deployment of 5G and future telecommunications networks globally and reinforce the applicability of existing international law as well as the global norms for responsible behavior in cyberspace. The Department of State will focus on capacity building priorities with key U.S. partners while Commerce will lead international efforts to secure global supply chains. DOJ, of course, will focus on global cybercrime and the Administration’s Counter Ransomware Initiative while the Department of Defense (DoD) will have the lead on strengthening military relationships. Interestingly, the U.S. will be leading a NATO effort to build a virtual cyber incident support capability to enable allies to respond collectively to cyber threats.
U.S., however, has already exercised considerable leadership in combatting international cybercrime as shown by FBI and DOJ disruption efforts in cooperation with law enforcement entities across the world including the successful recent takedown of the Hive network thwarting over $130 million in ransom demands or the dismantling of the network of Russian botnets together with partners in the U.K., the Netherlands, and Germany. The U.S. had already been successfully coordinating international efforts to investigate and prosecute cybercrime worldwide as indicated by the sequencing of disruption operations by FBI and DOJ for the last several years utilizing its “all tools” approach to targeting malicious cyber activities. Additionally, the U.S. signed the second addition to the Budapest Convention on strengthening international cooperation in May of 2022 signaling its continued commitment to working with foreign partners on this important global effort.
While the Biden Administration has indicated that it will seek to deconflict and harmonize competing cybersecurity regulations, many parts of the private sector should be prepared to face multiple new mandatory cyber requirements. Look for increased enforcement of EO 13984’s record-keeping obligations for foreign transactions involving U.S. IaaS as the government looks to crack down on infrastructure abuse by malicious foreign cyber actors. Finally, the Administration is also seeking to work with Congress on legislation to mandate privacy protections and security by design requirements in a further effort to close the perceived cybersecurity gap.
Coordination is vital given the many ongoing proceedings that are poised to increase regulatory burdens and create new obligations at the Securities and Exchange Commission (SEC), Federal Communications Commission (FCC), Federal Trade Commission (FTC), NIST, and others. Myriad Executive Orders have kicked off multiple efforts across government as well. And all of this is happening while NIST is considering major changes to the seminal Cybersecurity Framework, and other countries are moving aggressively to regulate critical infrastructure.
ONCD is charged with implementing these strategic objectives under the oversight of the National Security Council (NSC) staff and in coordination with the Office of Management and Budget (OMB). ONCD and OMB will jointly issue annual guidance on cybersecurity priorities to federal departments and agencies to further the Administration’s approach.
It remains to be seen if the relatively new ONCD, now without its first Director after Chris Inglis departed, can deliver on the Strategy’s goals and sustain the core public-private partnership model that has been at the heart of federal cyber policy for over a decade.
* * * *
Wiley provides comprehensive legal and policy advice to telecommunications providers and can assist providers with meeting new regulatory and legislative requirements.