National Cybersecurity Strategy

For the last twenty years, beginning with George W Bush, every president has released some kind of cybersecurity strategy. This month, the White House’s Office of the National Cyber Director released President Biden’s National Cybersecurity Strategy. It replaces - and in some instances, builds on - the 2018 National Cyber Strategy produced by the Trump administration. The significance of these policy documents is that they represent how the Executive Branch thinks about cyberspace and cybersecurity. As such, it provides insight into how an administration intends to use its executive powers - not to mention whatever influence it has with Congress - to shape and secure cyberspace.

Overview​

The Biden administration’s cybersecurity strategy is organized around five broad pillars. These are:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals

The language used here is fairly mundane and uncontroversial. To get a better sense of what exactly all this entails, we can take a look at the specific objectives under each pillar.

The strategic objectives for Pillar 1:

• Establish cybersecurity requirements to support national security and policy safety
• Scale public-private collaboration
• Integrate federal cybersecurity centers
• Update federal incident response plans and processes, and modernize federal defenses

The strategic objects for Pillar 2:

• Integrate federal disruption activities
• Enhance public-private operational collaboration to disrupt adversaries
• Increase the speed and scale of intelligence sharing and victim notification
• Prevent abuse of US-based infrastructure
• Counter cybercrime and defeat ransomware

The strategic objectives for Pillar 3:

• Hold the stewards of our data accountable
• Drive the development of secure IoT devices
• Shift liability for insecure software products and services
• Use federal grants and other incentives to build in security
• Leverage federal procurement to improve accountability
• Explore a federal cyber insurance backstop

The strategic objectives for Pillar 4:

• Secure the technical foundation of the internet
• Reinvigorate federal research and development for cybersecurity
• Prepare for our post-quantum future
• Secure our clean energy future
• Support the development of a digital identity ecosystem
• Develop a national strategy to strengthen our cyber workforce

The strategic objectives for Pillar 5:

• Build coalitions to counter threats to our digital ecosystem
• Strengthen international partner capacity
• Expand US ability to assist allies and partners
• Build coalitions to reinforce global norms of responsible state behavior
• Secure global supply chains for information, communications, and operational technology products and services

According to the Strategy, to realize all these goals, the Biden Administration is proposing two fundamental shifts in the nation’s cyberspace. First, the Biden Administration wants a rebalancing of the responsibilities to defend cyberspace. Second, the Biden Administration wants to realign incentives to favor long-term investments. It is here, with these two proposals, that we see the most significant departure from previous administrations’ thinking about cyberspace. For this reason, let’s say more about the two fundamental shifts cited by the Biden administration because they represent a novel way the Federal Government thinks about the relationship between the public and private sectors.

Fundamental Shift #1 - Rebalance the responsibility to defend cyberspace​

The first fundamental shift that Biden believes is necessary to better secure cyberspace is a rebalancing of the responsibility to do so. At present, according to the Strategy, end users - e.g., individuals and small businesses, with limited resources - bear too great a burden for mitigating cyber risks. “A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.” The Biden administration would like to shift most of the burden of cybersecurity away from relatively unsophisticated end users and towards the “most capable and best-positioned actors” in cyberspace, in other words, major technology companies and the owners of critical infrastructure.

Let’s take a look at how the Biden administration views the role and responsibility of major technology companies. This is encapsulated in strategic objective 3.3, which calls for shifting the liability for insecure software products and services. The Biden administration believes that software developers all too often shirk their cybersecurity responsibilities. According to the authors of the strategy document, “too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.” Moreover, software makers “fully disclaim liability by contract,” and so are not incentivized to follow secure-by design principles or perform pre-release testing.

We can see how the Biden administration thinks about the owners of critical infrastructure - that is, oil and natural gas pipelines, aviation, rail, etc - in strategic objective 1.1. Perhaps unsurprisingly, Biden thinks about the role and responsibility of the owners of critical infrastructure in a similar way to how he thinks about the major tech companies: “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

To better understand this shift in perspective, an analogy may be useful. “In the cyberworld, we’re finally saying that Ford is responsible for Pintos that burst into flames because they didn’t spend money on safety,” Glenn S. Gerstell, a former general counsel at NSA, told The New York Times.

Fundamental Shift #2 - Realign incentives to favor long-term investments​

But precisely how to shift the onus of cybersecurity away from individuals, small businesses, and other entities with limited resources and expertise, and onto big tech, and big business more generally? The answer, in short, is encapsulated in the second big shift cited by the Biden Administration: it is to realign incentives to favor long-term investments. This means reshaping market forces and public programs to motivate key actors to build more secure and resilient products and services.

To better understand what all of this might mean, let’s return to strategic objective 1.1, which is concerned with critical infrastructure. According to Biden, market forces alone do not sufficiently reward robust cybersecurity practices. On the contrary, the administration believes, “today’s marketplace insufficiently rewards - and often disadvantages - the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.” To motivate ‘animal spirits’ in the direction of cybersecurity and operational resilience, the Biden administration is proposing new and updated, sector-specific cybersecurity regulations that “will define minimum expected cybersecurity practices or outcomes.” At the same time, Biden is prepared to encourage and support efforts that exceed these requirements, through, among other routes, the use of “Federal purchasing power and grant-making.”

Disrupt, not deter​

All of our analysis so far on Biden’s National Cybersecurity Strategy has focused on domestic policy. We have looked at who the administration believes is most responsible for so much of the nation’s cybersecurity (in so far as it is privately owned and operated), and how the administration would like to use its power to incentivize key players’ behavior in cyberspace. What we have not spoken about is how Biden thinks about the Federal government’s role in defending cyberspace from threat actors.

Writing for Lawfare, Dr. Herb Lin, a scholar of cyber policy and security at Stanford University, characterizes the strategy as endorsing, “a highly assertive approach” to taking on threat actors. In particular, Lin notes that the Biden administration seems increasingly prepared to use military power to disrupt threat actors. Lin contrasts this more offensively-oriented ‘disruption’ posture with the more defensively-oriented ‘deterrence’ posture of previous administrations - policies that have failed to secure cyberspace. As Lin writes, “malicious actors choose to ignore US threats of retaliation and ply their trade with relative impunity.”

Conclusion​

An outstanding question remains. To what extent does the Biden administration have the power to reshape the private sector in the ways outlined above? The answer is that it depends. In some instances, Biden is leveraging existing authority to impose cybersecurity requirements. For example, in the wake of the cyberattack that shut down Colonial Pipeline in 2021, according to reporting by The New York Times, “the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the nation’s vast network of energy pipelines. Pipeline owners and operators are now required to submit to far-reaching standards set largely by the federal government, and later this week, the Environmental Protection Agency is expected to do the same for water pipelines.”

At the same time, there are limits to what the Executive Branch can do unilaterally. For example, establishing liability for software products and services will require legislation. It is always difficult to pass new and sweeping corporate regulations through Congress, especially a divided Congress. It is therefore not at all guaranteed that the kinds of fundamental shifts envisioned by the Biden Administration will entirely come to pass.

In the meanwhile, the pace and sophistication of cyber threats only increases. To better harden your online presence, schedule some time to talk with one of our experts.