On March 2, the White House issued the National Cybersecurity Strategy (the Strategy), a broad vision to reinvigorate the federal government’s approach to cybersecurity and address a wide spectrum of long-term challenges. The Strategy reflects the latest significant cybersecurity-focused activity from the Biden administration and contains an ambitious set of goals and initiatives.
The sprawling policy declaration is structured around the following five “pillars,” each of which contains multiple strategic objectives: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Strategy also calls for fundamental shifts in how the nation allocates roles and responsibilities. Notably, the Strategy calls for “rebalancing” cybersecurity burdens to alleviate strains on end users and infrastructure operators and place more responsibility on “the most capable and best-positioned actors.”
Likely driven in part by recent cybersecurity incidents—such as the 2021 ransomware attack on a major fuel pipeline—the Strategy places a particular emphasis on marshaling a whole-of-government approach to ensuring effective cybersecurity practices in critical infrastructure sectors. Some of the key components of that approach are detailed below.
What Owners and Operators of Critical Infrastructure Need to Know
The Strategy makes clear upfront that voluntary cybersecurity guidelines for critical infrastructure sectors (historically, the federal government’s prevailing approach) have produced inadequate results. Thus, the primary strategic objective under pillar one is for the federal government to establish mandatory, performance-based cybersecurity regulations in critical infrastructure sectors. The Strategy notes that the federal government will use available authorities to achieve this objective, citing recent examples of mandatory requirements in the pipeline, rail, and aviation sectors led by the Transportation Security Administration (TSA) and in the water/wastewater sector led by the Environmental Protection Agency. Where the federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity standards, the Biden administration will work with Congress to close them. The Strategy suggests that such new authorities could also be targeted in the cloud computing industry and other third-party services that are essential to critical infrastructure operations.
The Strategy also aims to improve the ways in which critical infrastructure companies have typically coordinated with the federal government. The Strategy seeks to enable “real-time, actionable, and multi-directional” information sharing between the public and private sectors through the use of technology solutions (e.g., machine-to-machine data sharing), improve private sector access to federal government resources in response to cybersecurity incidents, and potentially expand access to classified information to provide actionable intelligence to owners and operators of critical infrastructure.
Pillars two through five of the Strategy are not limited to critical infrastructure, but include other notable goals and initiatives that will be relevant to critical infrastructure owners and operators, such as the following:
- A congressionally directed engineering strategy for clean energy technology, such as distributed energy resources
- Adoption and enforcement of a risk-based approach to cybersecurity across infrastructure-as-a-service (IaaS) sectors to prevent malicious actors from exploiting US-based infrastructure (e.g., cloud infrastructure)
- An enhanced focus on the pernicious threat of ransomware attacks, which have targeted critical infrastructure and essential services
- Development of national data privacy legislation to drive greater accountability for organizations holding and using sensitive data, such as personal, health, and geolocation information
- Development of legislation establishing liability for software products and services
- Incentivizing the adoption of secure software development practices, including the development of software bills of materials (SBOMs) to support supply chain risk mitigation
- Assessing the need for a federal cyber insurance “backstop” mechanism in response to catastrophic cyber events
- Using international coalitions to reinforce global norms of “responsible state behavior,” such as refraining from cyber operations that would intentionally damage critical infrastructure
Challenges and Open Questions
The Strategy acknowledges that fully realizing its goals will require significant coordination and cooperation, particularly among stakeholders in the federal government. In particular, several significant strategic objectives, including the shift to mandatory regulations and greater legal accountability for software providers, will require legislative action. While cybersecurity initiatives can draw bipartisan consensus, corresponding legislation often lags. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was enacted after years of efforts to develop a federal cybersecurity incident reporting mandate. It also remains to be seen how the Strategy’s objectives will be received by a politically divided Congress, especially as the nation enters an election cycle.
Additionally, many of the implementation details are unknown. For example, the Strategy recognizes the negative impacts of duplicative or conflicting regulatory requirements and directs regulators to “work together to minimize these harms,” but it is unclear how such harmonization will occur in practice. Although open questions remain, the White House has indicated that progress is already underway, coordinated by the Office of the National Cyber Director. Owners and operators in critical infrastructure sectors should also pay close attention to the implementation of the Strategy’s directives in the months and years ahead.