Capitol Core Group

FROM THE HILL: Cybersecurity #10

President Releases National Cybersecurity Strategy


~5 minute read

Written for:

  • Cybersecurity Providers

  • Critical Infrastructure Providers

  • Consumer Data Industry


Policy Brief:

  • The National Cybersecurity Strategy restates the importance of focusing cyber protection on critical infrastructure but seeks to expand those covered under federal minimum guidance regulations.

  • It proposes to shift liability from end users to software and services developers “to promote secure development practices” but does not provide direction on the regulatory bright line for such liability.

  • It calls for ransomware attacks to be treated as a “National threat” rather than just a criminal action.

  • It explores a national insurance backstop in the case of a catastrophic cyberattack to supplement the existing cyber insurance market.


On March 2, 2023, President Biden released the Administration’s “National Cybersecurity Strategy” outlining the approach to protecting critical infrastructure and supply chain operations. At the heart of the Strategy is a shift in the legal liability for attacks away from individuals, small businesses, and local governments to cybersecurity providers and consumer data holders, who are seen by the Administration as the organizations “most capable and best-positioned” to reduce risks.


The Strategy takes a stick-over-carrot approach by placing “responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy.” The Strategy calls for:


  • Promoting privacy and the security of personal data;

  • Shifting liability for software products and services to promote secure development practices; and,

  • Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.


That approach requires Congressional authority to enact both data privacy and national cybersecurity product legislation. While the issues of data privacy and cybersecurity have bipartisan support in the Congress, the approach to providing privacy and strengthening the Nation’s cybersecurity vastly differs among Members. The Strategy clearly accelerates the national discussion over the need to “place blame” for attacks made by criminals and criminal states on those that have either been attacked or are responsible for protecting against attacks. The Strategy recognizes that “the most advanced of cybersecurity programs cannot prevent all vulnerabilities,” but lacks a definition of what “reasonable precautions to secure [cybersecurity provider] software” will mean. Determining the bright line at which that liability shifts is certainly up for continuous debate. Despite stringent cybersecurity, data protection, audit, bonding, and reporting requirements enacted under both federal and state laws for the consumer data industry, the Strategy attempts to establish a national policy that directs liability for attacks against the consumer data industry toward the providers/keepers of this information. It is likely that the same policy will carry forward for cybersecurity providers, as the Strategy calls for the same agency, the National Institute of Standards and Technology (NIST), to develop this bright regulatory line. One impact of that policy is that it will dramatically shift the burden of cybersecurity insurance obligations from general liability policies that provide financial backstops against attacks to the cybersecurity industry’s product liability insurance requirements. Merely stating the Administration’s policy will have a financial impact on the operational costs of cybersecurity providers as the insurance industry reevaluates the underwriting risks.
The President’s plan does call for exploration of a “Federal Cyber Insurance Backstop,” which would create a federal fund for “catastrophic events.”


Critical Infrastructure


The President’s Strategy renews calls and current federal regulatory actions to shore up the Nation’s critical infrastructure, which includes the supply chain, through the establishment of federal minimum standards. While the plan calls for “streamlining” the rulemaking process for certain industries, the Congress has not yet given NIST and CISA the tools, funding, and clear regulatory mandate to begin a full rulemaking process for those industries. For federal agencies, the policy allows them to use the full weight of their regulatory authority to establish and enforce minimum federal cybersecurity requirements. However, developing and promulgating such regulations may take years, leaving states to implement a patchwork of requirements authorized under existing law. While the plan calls for annual reviews of areas of potential vulnerability, how that interacts with or translates into real protection, given the rapidly changing cyber threat areas for critical infrastructure, which are the most targeted industries for advanced persistent threats, is unclear.


In terms of individual sectors, electric utility and transmission operators currently meet federal minimum guidelines established by the Federal Energy Regulatory Commission (FERC) but expect to see revised requirements as additional threats are discovered. The oil/gas industry cyber regulations continue to be developed through both FERC and the Transportation Security Administration (TSA). Public water systems saw the U.S. Environmental Protection Agency (USEPA) promulgate final federal minimum standards for state enforcement literally the day after the President’s release of the Cyber Strategy document. Other industries, including rail, aviation, airports, and the supply chain’s surface fleets, have been put on notice of future regulations.


What is clear within the Strategy is the desire to rapidly expand what is covered under the “critical infrastructure” umbrella. In tying potential data privacy requirements to traditional cybersecurity, the plan eyes potential amendments to certain federal laws, including the Drivers’ Privacy Protection Act, Federal Motor Carrier Safety Act, Fair Credit Reporting Act, and the Equal Credit Opportunity Act, which govern the release/regulation of consumer data to industries ranging from banks and mortgage companies to insurance companies and fleet owners/operators. These laws have wide impacts on normal consumer transactions, ranging from obtaining insurance quotes and being notified of potentially fraudulent credit card activity to CarFax reports and employment background checks. The Strategy seeks to combine the discussion over privacy directly with cybersecurity, pulling the consumer data industry into the discussion. It also seeks to pull in entities “attaching” to critical infrastructure, ranging from agricultural/irrigation districts to renewable energy. Any industry with a potential attachment to “critical infrastructure” may be included in the minimum federal cyber requirements.


Implementation


In his March 2, 2023, announcement, the President directed the National Security Council, through the Office of the National Cyber Director, to coordinate with the Office of Management and Budget on the implementation of the National Cybersecurity Strategy. While the plan did not indicate a timeline, it clearly demonstrated the issue as a priority for the Administration. Within the last decade, Congress and successive Administrations have increased cybersecurity spending by 180%, with a targeted $7.6 billion to be spent in Fiscal Year 2023 alone.


For its part, Congress has reacted on a bipartisan basis to cyber threats with quick action in the House of Representatives on 1) legislation to improve FAA cybersecurity requirements; 2) legislation to shore up the health care industry against cyberattacks; and 3) a bill that requires regular oversight of companies that sell “Internet of Things” (IoT) devices, such as internet-connected refrigerators, smart thermostats, and home security cameras, to prevent compromised products from entering American homes.


Referenced Documents


The President’s National Cybersecurity Strategy can be found here.


From the Hill is an industry snapshot for Capitol Core Group clients in select industries of interest. It is compiled from Capitol Core research and discussions as well as outside resources including Bloomberg Government, Roll Call, and other relevant sources. All data provided is public data but is compiled for ease of understanding.


This is the tenth in the series on the topic of cybersecurity since 2020 and is a policy overview. Capitol Core initiated this snapshot due to the release of the President’s National Cybersecurity Strategy and Congressional actions on the subject.


Michael W. McKinney leads Capitol Core’s “technology” practice area which includes cybersecurity.

