Sunday, March 3, 2024

National Cybersecurity Strategy Outlines A New Era Of Cybersecurity Regulation – Security – United States


On March 2, 2023, the White House Office of the National Cyber
Director (ONCD) released the National Cybersecurity Strategy
(“Strategy”). The Strategy outlines the
Administration’s priorities for cyber regulations and policy.
This Strategy replaces the last National Cyber Strategy, released
in 2018, but ONCD says it builds on several of its priorities. It
sets out an ambitious goal: “a defensible, resilient digital
ecosystem where it is costlier to attack systems than defend them,
where sensitive or private information is secure and protected, and
where neither incidents nor errors cascade into catastrophic,
systemic consequences.”

This Strategy promises an array of federal activity, some of
which is already underway, some of which will need to be
kickstarted by agencies, and some of which will need congressional
action. This Strategy is being released amidst an array of federal
agency activity, including implementation of new legislation, the
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
of 2022,¹ and possible major changes to the Framework
for Improving Critical Infrastructure Cybersecurity managed by the
National Institute for Standards and Technology (NIST).

Overview of the National Cybersecurity Strategy

In the Strategy, the Administration moves away from
long-standing policy promoting voluntary adoption of cybersecurity
risk management, to promoting cybersecurity regulatory standards.
Entities that hold “concentrated risk” are a priority for
enhancing requirements and capabilities. The Strategy encourages
federal and state regulators to step in where they perceive
gaps.

The Strategy is organized along five pillars: (1) Defend
Critical Infrastructure; (2) Disrupt and Dismantle Threat Actors;
(3) Shape Market Forces to Drive Security and Resilience; (4)
Invest in a Resilient Future; (5) Forge International Partnerships
to Pursue Shared Goals. Each of the pillars has subordinate
“strategic objectives” that describe goals or a desired
end state.

Pillar One: Defend Critical Infrastructure

The Administration says that it aims to develop a more effective
model of “collaborative defense” by “equitably
distributing” risk and responsibility, and establishing
“foundational” levels of security and resilience. This
pillar has several calls for direct regulation, some of which the
Administration recognizes need legislation.

  • Strategic objective 1.1: Establish cybersecurity requirements
    to support national security and public safety.

    • The Administration will seek mandatory requirements for
      cybersecurity for critical infrastructure owners and operators, and
      cites existing and developing regulations for pipelines, rail,
      aviation, and water as models.

    • Mandatory cybersecurity requirements will be imposed via a
      combination of federal and state regulation, but will vary by
      sector. These will be informed by the CISA Cross-Sector
      Cybersecurity Performance Goals and the NIST Cybersecurity Framework.

    • The Administration also hopes to harmonize regulations and
      de-conflict incident reporting requirements.

    • The Strategy notes that some critical infrastructure sectors
      have limited resources to adopt enhanced cybersecurity
      capabilities, and encourages regulators to keep those limitations
      in mind. It offers no specific guidance or proposals, however, for
      enhancing those resources.


  • Strategic objective 1.2: Scale public-private collaboration.

    • DHS CISA will have the coordinating role for critical
      infrastructure security and resilience.

    • Existing “sector risk management agencies” will
      continue to have the primary roles in coordinating with industry
      stakeholders.

    • CISA and the sector risk management agencies are encouraged to
      improve and better target collaboration with the private sector,
      and to move towards real-time, actionable, and multi-directional
      cyber threat information sharing.


  • Strategic objective 1.3: Integrate Federal cybersecurity
    centers.

    • The federal government will seek to better coordinate among its
      several cybersecurity centers, with the goal of supporting rapid
      intelligence sharing with critical infrastructure described in
      objective 1.2.


  • Strategic objective 1.4: Update Federal incident response plans
    and policies.

    • The federal government will provide clear guidance for how
      private sector partners can get help from the government during an
      incident.

    • The forthcoming incident reporting rules created by CIRCIA will
      support incident response activities.

    • The recently established Cyber Safety Review Board will ensure
      that lessons learned help improve national cybersecurity
      posture.


  • Strategic objective 1.5: Modernize Federal defenses.

    • The federal government will continue its efforts to modernize
      its own networks and move towards a zero trust architecture, as
      outlined in Executive Order 14028, Improving the Nation’s
      Cybersecurity (May 12, 2021).

    • It will also coordinate investments to enhance cybersecurity on
      federal civilian and national security networks.

Pillar Two: Disrupt and Dismantle Threat Actors

This portion of the Strategy highlights ongoing efforts,
including the FBI-led National Cyber Investigative Joint Task Force
and the multinational Counter Ransomware Initiative. Some proposals
contained in this pillar may need additional legal support and
authorities to facilitate and protect shared information and
activities.

  • Strategic objective 2.1: Integrate Federal disruption
    activities.

    • DOJ and other federal law enforcement agencies will continue to
      integrate domestic legal authorities with private industry and
      international allies to disrupt online criminal activity while DoD
      will “defend forward” by disrupting malicious activity
      before it impacts intended targets.


  • Strategic objective 2.2: Enhance public-private operational
    collaboration to disrupt adversaries.

    • The Strategy notes that the private sector has a more
      comprehensive view of cyber threats than the federal government,
      and highlights examples of successful collaboration such as the
      2021 Emotet botnet takedown.

    • To continue this success, the Administration encourages private
      sector companies to collaborate and take part in designated
      public-private collaboration hubs. “Nimble, temporary
      cells” would share information and work rapidly to disrupt
      adversaries. The federal government will look to support this
      collaboration model by removing barriers such as security
      requirements or records management policies.


  • Strategic objective 2.3: Increase the speed and scale of
    intelligence sharing and victim notification.

    • This objective seeks to address an issue many companies have
      raised with the federal government: the lack of timely and valuable
      intelligence sharing.

    • The Strategy notes some examples of successful collaboration
      such as NSA’s engagement with the defense industrial base, and
      the Joint Cyber Defense Collaborative. The Administration will look
      to expand these types of sharing initiatives to other sectors and
      will task the sector risk management agencies with developing
      intelligence priorities for their sectors.


  • Strategic objective 2.4: Prevent abuse of U.S.-based
    infrastructure.

    • The Strategy notes that malicious cyber actors frequently
      exploit U.S.-based cloud infrastructure, domain registrars, hosting
      and email providers and other digital services to carry out
      criminal activity or malign influence operations. The federal
      government will continue an effort under the authorities of
      Executive Order 13984, Taking Additional Steps to Address the
      National Emergency With Respect to Significant Malicious
      Cyber-Enabled Activities (January 25, 2021), which establishes
      record-keeping requirements for U.S. Infrastructure as a Service
      (IaaS) providers to limit malicious cyber actors’ use of those
      services.


  • Strategic objective 2.5: Counter cybercrime, defeat ransomware.

    • Noting the impact ransomware has had on U.S. critical
      infrastructure, the Strategy highlights the existing
      Counter-Ransomware Initiative and points to international
      cooperation, law enforcement investigations, and anti-money
      laundering activities targeting cryptocurrency. The Administration
      again “strongly discourages” victims from paying ransom
      but notes that some may choose to pay.

Pillar Three: Shape Market Forces to Drive Security and Resilience

This portion of the Strategy outlines a vision to
“incentivize industry to prioritize core economic and national
security interests and recast responsibility for cyber risk
management to stakeholders who manage concentrated risk and those
best positioned to reduce risk.” This pillar identifies
objectives that include new regulations and will require
legislation to make major suggested changes. Implementation of this
pillar will rely on several existing workstreams and will impact
private companies in several ways.

  • Strategic objective 3.1: Hold the stewards of our data
    accountable.

    • The Strategy calls for national privacy legislation that would
      set limits on the collection, use, transfer, and storage of personal data,
      with heightened protections for sensitive data such as geolocation
      and health information. The legislation would also include
      requirements for protecting personal information that align with
      NIST standards and guidelines.


  • Strategic objective 3.2: Drive the development of secure IoT
    devices.

    • The Administration will move forward with the cybersecurity
      labeling scheme for Internet of Things (IoT) devices, and will
      leverage federal procurement, among other tools, to promote IoT
      security.


  • Strategic objective 3.3: Shift liability for insecure products
    and services.

    • The Administration will seek legislation establishing liability
      for software products and services. Such legislation would prohibit
      full disclaimers of liability by contract, and establish
      “higher standards of care for software in specific high-risk
      scenarios.” The contemplated legislation will offer a safe
      harbor for developers that meet secure software development
      practices, such as the NIST Secure Software Development
      Framework.

    • The Administration will promote coordinated vulnerability
      disclosure practices.

    • Programs developing and promoting a software bill of materials
      (SBOM) will also continue, and an effort will be devoted to
      identifying and mitigating risks in widely used
      “unsupported” software (such as the Log4j
      vulnerability).


  • Strategic objective 3.4: Use Federal grants and other
    incentives to build in cybersecurity.

    • The Strategy notes that several programs created and funded
      under laws such as the Bipartisan Infrastructure Law and the CHIPS
      Act offer funding for investments that may include
      cybersecurity.


  • Strategic objective 3.5: Leverage Federal procurement to
    improve accountability.

    • Federal procurement policies will continue to implement the new
      clauses and policies created under EO 14028. The Strategy
      encourages agencies to test cybersecurity requirements through
      procurement that can lead to “novel and scalable
      approaches.”

    • The Strategy notes that DOJ’s Civil Cyber-Fraud Initiative
      uses the False Claims Act to pursue contractors who fail to meet
      their cybersecurity obligations.


  • Strategic objective 3.6: Explore a federal cyber insurance
    backstop.

    • The assessment would focus on “catastrophic
      incidents,” suggesting that structuring an economic recovery
      and aid package in advance through insurance could be more
      effective and faster than a response after such an event.

Pillar Four: Invest in a Resilient Future

The Administration says that it plans to maintain the leading
role of the U.S. as an innovator in next-generation technologies and
infrastructure. The Strategy here calls for several new regulatory
mandates, but also calls for substantial government spending in
R&D in new and future technology. This investment focuses on
computing, biotech, and clean energy, among other areas,
demonstrating a sense of the Administration’s priorities.

  • Strategic objective 4.1: Secure the technical foundation of the
    internet.

    • The Strategy calls for addressing “pervasive
      concerns” such as Border Gateway Protocol vulnerabilities,
      unencrypted Domain Name System requests and slow adoption of IPv6.
      These issues will be addressed through “close
      collaboration” between the government and private sector.

    • The federal government will ensure that its own networks
      implement these security measures.

    • The U.S. will support Standards Development Organizations to
      ensure that the internet remains open, free, global, interoperable,
      reliable, and secure.


  • Strategic objective 4.2: Reinvigorate federal research and
    development for cybersecurity. This effort will focus on three
    priority “families” of technologies:

    • Computing, including microelectronics, quantum systems, and
      artificial intelligence;

    • Biotechnologies and manufacturing; and

    • Clean energy.


  • Strategic objective 4.3: Prepare for our post-quantum future.

    • Highlighting federal efforts, the Strategy encourages the
      private sector to prepare to implement quantum-resistant
      cryptography.


  • Strategic objective 4.4: Secure our clean energy future.

    • The Administration will look to add cybersecurity requirements
      proactively into new technologies, such as electric vehicle
      chargers, zero-emissions fueling infrastructure, zero-emissions
      transit and school buses, and distributed energy resources.


  • Strategic objective 4.5: Support development of a digital
    identity ecosystem.

    • Noting that the lack of secure digital identities leads to
      fraud and can slow citizen access to government resources and
      funding, including in disaster response, the Administration plans
      to build on NIST’s ongoing work to develop secure digital
      credentials, attribute and credential validation services, and
      updating standards, among others.

    • The Strategy encourages states rolling out mobile drivers’
      licenses to incorporate privacy and security.


  • Strategic objective 4.6: Develop a national Strategy to
    strengthen our cyber workforce.

    • The Administration will seek to expand the number of
      cybersecurity workers, increase the diversity of the workforce, and
      expand access to training and career pathways.

Pillar Five: Forge International Partnerships to Pursue Shared Goals

The Strategy emphasizes that cybersecurity will be pursued on
the international front by working with allies and international
forums to develop cohesive cybersecurity efforts for cybercrime and
global supply chains. This pillar revisits important coalition work
around the world and restates the vital role that standards play.
It also draws on lessons learned from recent geopolitical
trends.

  • Strategic objective 5.1: Build coalitions to counter threats to
    our digital ecosystem.

    • Noting multiple ongoing international partnerships and
      engagements, the Strategy calls for advancing these efforts with
      like-minded countries on issues such as threat information sharing,
      secure-by-design principles, and incorporating private sector and
      civil society groups.


  • Strategic objective 5.2: Strengthen international partner
    capacity.

    • The Departments of Justice and Defense will continue to build
      and expand their respective law enforcement and military
      partnerships, while the State Department will
      prioritize aid to build cybersecurity capacity across the
      globe.


  • Strategic objective 5.3: Expand U.S. ability to assist allies
    and partners.

    • The Administration continues a commitment to support allies and
      partners when they are victims of a significant cyberattack, and highlights
      a NATO initiative on virtual cybersecurity incident response
      support.


  • Strategic objective 5.4: Build coalitions to reinforce global
    norms of responsible state behavior.

    • The Strategy calls for the U.S. to continue work to reshape and
      secure the global supply chain for ICT products and services.

    • The Administration will promote the global deployment of 5G,
      and support Open RAN through the NTIA Public Wireless Supply Chain
      Innovation Fund.

    • The U.S. will work with partners and allies to identify and
      implement best practices in cross-border supply chain
      management.

Footnote

1. P.L. No: 117-103 (March 15, 2022).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
