
Late last week, the White House released the long-awaited National Cybersecurity Strategy (NCS), outlining a road map for how the Biden administration plans to strengthen the cyber ecosystem. The strategy is comprehensive and seeks to address everything from the nation’s geopolitical approach to upholding democratic values in the global digital ecosystem to bolstering the U.S. cyber workforce.

In this advisory, we highlight and provide an initial analysis of provisions impacting the private sector.  

The Five Pillars

The National Cybersecurity Strategy (NCS) proposes a marked shift in the nation’s approach to governing cyber risk, one that seeks to wholly reshape market incentives and systems. The administration calls for a number of policy changes so that those “most capable and best positioned” in the digital ecosystem will shoulder a greater share of the burden. The NCS outlines five pillars, each of which includes a number of proposed changes:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The strategy seeks to build on existing laws, regulatory authorities and presidential directives. Implementation will depend in part on interagency cooperation, support from Congress, coordination among the states, and harmonization with certain international standards – a tall order indeed. Outlined below are key issues for market participants to consider.

Critical Infrastructure – New Cyber Requirements

As it relates to critical infrastructure, the administration will leverage existing authorities to implement minimum cyber requirements and promote cyber- and privacy-by-design as well as resiliency measures for systems, products and services among critical sectors.1 We anticipate regulatory efforts to expand upon the significant work already done in financial services, pipeline, rail, water and aviation sectors. In a public event promoting the NCS, national cyber officials noted that education, critical manufacturing and distributed generation would be next.

Given the political realities, this will likely be an area of friction. To address gaps in regulatory authority, the administration intends to work with Congress, states, territories, tribes and independent regulators.

The executive branch will continue to push for stronger regulation and oversight of government contractors. While changes to standardized contracts and common cyber attestation forms have taken longer than expected, officials confirm that they are still coming.

Harmonization as Regulation?

It is clear that the private sector and the administration do not see eye-to-eye on the definition of regulatory harmonization. To quote the acting National Cyber Director, “We have to raise the bar in some places. We have to harmonize in other places to create a level playing field...[so] those that are not regulated enough can come to the same … minimum requirements.”2 In other words, the administration is calling for a common baseline of cyber regulations across critical sectors as part of its regulatory harmonization efforts.

Officials acknowledged the high costs for heavily regulated sectors and articulated a desire to minimize the costs of audits, assessments and compliance burdens in a way that leverages international standards and promotes cross-border alignment.

Given competing and overlapping authorities and priorities among sector-specific regulators, the Department of Homeland Security (DHS), the Office of Management and Budget, the Office of the National Cyber Director (ONCD) and the national security community, we expect this to be another area of friction. While it is a complex and ambitious task, there is at least bipartisan support on Capitol Hill for harmonization. We are hopeful that some limited progress might be made, eventually.

Building on Existing Efforts to Strengthen Cloud Security

The Biden White House is prioritizing adoption and enforcement of a risk-based approach to cyber for “Infrastructure as a Service” (IaaS) providers and is pushing to bolster the methods used to identify and detect malicious activity on their platforms.

Building on Executive Order 13984, which was promulgated in the waning days of the previous administration, the NCS calls for implementation of that order’s customer-identification requirements: IaaS providers would be required to verify the identity of foreign customers through identifiers such as a national identification number (the United States has no such identifier, though many foreign jurisdictions do), an address, method of payment, virtual currency wallet, telephone number and IP address. EO 13984 empowers the Secretary of Commerce, in coordination with certain stakeholders, to grant exemptions so long as a provider follows security best practices meant to deter abuse of IaaS products.

Officials suggest that implementing rules will follow soon.

Software Liability

“Right now, we live in …[a] first-to-market, not secure-to-market” world according to ONCD Acting Director Kemba Walden. The NCS intends to build on efforts to develop a “Software Bill of Materials” (SBOM) initially begun pursuant to Executive Order 14028. The administration is calling on Congress to support efforts to change market incentives by establishing new liability standards for software products and services.

It's not clear that the Republican-controlled House would support such an effort. The White House has at least offered an olive branch in calling for a new safe harbor for entities employing the NIST Secure Software Development Framework and other evolving best practices.

The administration has also called on Congress to expand SBOM requirements and push for changes that will assist in identifying and mitigating risk from unsupported software. This seems like an uphill legislative battle that will take time if it ever moves forward. Congress would need to provide standards of care and definitions of harm.

Proposed Congressional Action

In addition to all the proposed changes noted above, the White House is calling on Congress to build on previous bipartisan efforts and adopt legislation that will:

  • Close gaps and limitations in regulatory authorities, as identified by the bipartisan Cyberspace Solarium Commission, so that the federal government can ensure critical sectors meet minimum cyber requirements or at least mitigate market failures.
  • Work with the administration to identify regulatory and legislative gaps in authorities to strengthen cybersecurity for cloud computing.
  • Ensure regulatory frameworks consider the full extent of resources needed to modernize cybersecurity; develop federal funding mechanisms where necessary.
  • Codify the Cyber Safety Review Board at DHS and expand authorities so it can carry out its mission.
  • Drive cyber best practices at scale by developing software liability standards.
  • Develop a federal cyber insurance backstop.
  • Continue to fund cyber modernization for state, local, tribal, territorial and federal government entities.

What’s Next

President Biden has identified the NCS as a national priority, and the White House and executive branch agencies are already pushing forward in the areas where they have existing authority.

Congress poses more of a challenge, as many of these proposals are heavy lifts given the current political climate. However, Congress has a way of pushing through significant changes in the wake of national catastrophic events.

How Buchanan Can Help

Given the significance of the proposed changes, Buchanan’s Federal Government Relations Team is well-positioned to provide further clarity on the NCS, other cyber-related policy issues, and how the changes impact you and your business.