The White House’s National Cybersecurity Strategy unveiled yesterday is an ambitious blueprint for improving U.S. cybersecurity and threat response, but some of its most far-reaching items will take years to implement and could face opposition in Congress.
President Biden came into office around the time of the SolarWinds and Colonial Pipeline cyber attacks, so cybersecurity has been a major focus of the Administration from the beginning. The new document spells out an ambitious plan for implementing national cybersecurity controls and laws.
Cybersecurity leaders generally responded positively to the plan while acknowledging that the road to implementation will be a long one. The initiatives that stand out the most — critical infrastructure security standards, a national data privacy and security law, and liability for security failures — will likely take time and the support of Congress to implement.
Security Strategy Priorities and Pillars
The National Cybersecurity Strategy [PDF] is aimed at generating what it describes, almost idyllically, as “a resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
To that end, the Biden-Harris administration suggested in a statement, “[W]e must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.”
Those fundamental shifts are focused on two core priorities. The first is to rebalance responsibility for cybersecurity away from individuals, small businesses and local governments, and towards “the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
The second priority is to focus on long-term investments, with the aim of “building toward a future digital ecosystem that is more inherently defensible and resilient.”
The strategy itself is structured around five key pillars:
- Defend Critical Infrastructure: “We must build new and innovative capabilities that allow owners and operators of critical infrastructure, Federal agencies, product vendors and service providers, and other stakeholders to effectively collaborate with each other at speed and scale.”
- Disrupt and Dismantle Threat Actors: “The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests. These efforts may integrate diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities.”
- Shape Market Forces to Drive Security and Resilience: “We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”
- Invest in a Resilient Future: “We will leverage the National Science Foundation’s (NSF) Regional Innovation Engines program, longstanding Secure and Trustworthy Cyberspace program; new grant programs and funding opportunities established in the Bipartisan Infrastructure Law, Inflation Reduction Act, and CHIPS and Science Act; Manufacturing Institutes; and other elements of the Federal research and development enterprise.”
- Forge International Partnerships to Pursue Shared Goals: “To counter common threats, preserve and reinforce global Internet freedom, protect against transnational digital repression, and build toward a shared digital ecosystem that is more inherently resilient and defensible, the United States will work to scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community.”
Big Goals: Critical Infrastructure, Liability, and GDPR-like Law
A few items stand out as particularly ambitious and time-consuming to implement.
Strategic Objective 1.1 calls for mandatory cybersecurity requirements for critical infrastructure. The need is obvious, but between proposed rules, published notices and comment periods, federal rulemaking can take two to three years to finalize, so this could consume much of the remainder of President Biden’s first term and may ultimately depend on the commitment of a successor.
The critical infrastructure objective may also require help from Congress, which is never a sure thing, so the document emphasizes working with regulatory agencies and state governments to use existing authority where possible.
“Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements,” the document says.
The objective also discusses the importance of cloud security services and says the government will “identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress and regulators to close them.”
The document is also mindful of cost and says the government will work to ease that burden through initiatives such as tax incentives.
Two of the plan’s most ambitious objectives will need Congressional approval.
In Strategic Objective 3.2, the Administration suggests it will pursue a national data privacy law similar to the EU’s GDPR.
The document says the Administration “supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information. This legislation should also set national requirements to secure personal data consistent with standards and guidelines developed by NIST. By providing privacy requirements that evolve with threats, the United States can pave the way for a more secure future.”
In Strategic Objective 3.3, the Administration calls for greater liability for failure to follow basic security practices.
“Markets impose inadequate costs on and often reward those entities that introduce vulnerable products or services into our digital ecosystem,” the objective states. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance…
“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities… Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open source developer of a component that is integrated into a commercial product.”
At the same time, the Administration said it will work to shield companies from liability when they meet an “adaptable safe harbor framework” of security best practices.
The Administration will also pursue coordinated vulnerability disclosure, promote further development of software bills of materials (SBOMs), and “develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”
The plan says the government will also continue to invest in the development of secure software, including “memory-safe languages and software development techniques, frameworks and testing tools.”
Another key element of the plan is for the government to act as a backstop for the cyber insurance market in the event of “catastrophic events.”
Responsibility is a Key Theme
ImmuniWeb founder Ilia Kolochenko said by email that while shifting the cybersecurity burden onto industry might seem harsh, it makes sense economically.
“Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers,” Kolochenko said. “This is, however, comparable to car makers complaining about ‘unnecessarily expensive’ airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.”
“Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards,” Kolochenko added.
Kaniah Konkoly-Thege, chief legal officer and senior vice president of government relations at Quantinuum, noted that a subsection of the strategy’s fourth pillar focuses specifically on preparing for a post-quantum future, prioritizing “the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments.”
“While the guidance does not go in-depth regarding steps to prepare for a post-quantum future, it is best practice to assess current cryptographic systems, inventory data, experiment with NIST’s post-quantum algorithms and develop plans to protect data, especially sensitive data (i.e., medical, financial, or personal data), by transitioning to these post-quantum (PQC) algorithms,” Konkoly-Thege noted. “NIST is currently in the process of standardizing these algorithms with final standards due to be released in 2024.”
A Broad Security Approach
Shift5 CEO and co-founder Josh Lospinoso said by email that the strategy takes the right approach to a significant and growing threat. “When you address cybersecurity issues in a wholesale way like this strategy spells out, you start to really encourage the integration of cyber capabilities that will ensure the U.S. maintains its tactical edge over near-peer competitors,” he said.
“The policy is very clear-eyed about needing to take the burden off the user, the small business, the local government – and very correct that the government and private industry need to keep breaking down barriers to move and innovate at the speed of war,” Lospinoso added.
Still, Swimlane co-founder and chief strategy officer Cody Cornell said it’s going to take a lot of collaborative effort to turn these ideas into action. “The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and agility to execute inside the windows of an Executive administration and its inevitable changes in leadership that come at the longest in an eight-year cycle,” he said.
“Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work,” Cornell added.
eSecurity Planet Editor Paul Shread contributed to this report