The Biden Administration released its National Cybersecurity Strategy (Strategy) in an effort to reshape U.S. policy and priorities around cybersecurity for the public and private sectors, marking a significant shift in tone and focus from prior administrations' efforts in this space. The Strategy's release comes as U.S. national security, public safety, and economic prosperity are under relentless cyberattack from a variety of threat actors, including named nation-state actors (the Strategy singles out China, Russia, Iran, and North Korea) as well as criminal syndicates. The Strategy highlights that foreign actors present the "broadest, most active, and most persistent" threat to both U.S. public and private sector networks. Efforts to build "digital authoritarian" systems (such as digital political disinformation campaigns and political surveillance) have undermined societies and governments around the world and blocked or manipulated the free flow of ideas that was the supposed promise of the Internet age.
In light of the increase in foreign cyber threats, which have resulted in the theft of intellectual property held by U.S. entities and of the personal information of U.S. citizens, as well as disruptions to critical U.S. business operations, the Administration has outlined strategic objectives intended to achieve the ultimate goal of securing U.S. cyberspace against growing foreign threats.
Although the Strategy does not directly create new legal obligations for private sector entities, it does provide a clear signal regarding the direction the Administration intends to take in shaping legal obligations in the coming years. The Administration also emphasized its commitment to making this Strategy more than a thought leadership piece, including announcing coordinated efforts between the Office of the National Cyber Director (ONCD) and its interagency partners to develop and publish a related implementation plan for the Strategy. Private sector entities are well-advised to get ahead of potential new and enhanced cybersecurity efforts and regulations by considering implications for their own information security programs stemming from the Administration’s call for strategic shifts and each of the five “pillars” outlined in the Strategy.
The Strategy aims to better position U.S. public and private sectors to defend themselves in an evolving threat landscape through two “fundamental shifts” in the allocation of roles, responsibilities, and resources in the cyber environment. First, the Strategy calls for increasing incentives for the owners and operators of critical systems, as well as technology providers that support those systems, to take responsibility for minimizing cybersecurity risks. These organizations, according to the Administration, are most capable and best-positioned to reduce cyber risks. Second, the Strategy calls for a realignment of incentives in favor of long-term investment into the U.S. cybersecurity posture. The Administration is looking to strike a balance between short-term defenses against urgent threats and strategically planning for and investing in a resilient future.
The Strategy rests on five pillars intended to enhance collaboration between U.S. public and private sector entities, as well as international allies and partners, with the goal of thwarting cyber threats from foreign criminal syndicates and adversarial nation-states.
The most notable components of the pillars for private sector entities are as follows:
As part of Strategic Objective 1.1, "Establish Cybersecurity Requirements to Support National Security and Public Safety," this pillar calls for an increased focus on cybersecurity regulations aimed at mitigating threats to U.S. critical infrastructure, the large majority of which is owned by the private sector. While acknowledging past efforts to establish standards in some industries, such as oil and gas pipelines, the Administration states that "today's marketplace insufficiently rewards – and often disadvantages – the owners and operators of critical infrastructure" that implement robust cybersecurity measures and concludes that "the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes." The Strategy therefore emphasizes the need for additional regulations that are operationally and commercially viable and tailored to each sector's risk profile. In support of this objective, the Administration encourages state and federal regulators to establish requirements intended to harmonize and streamline new and existing cybersecurity regulations and standards that apply to critical infrastructure entities. State and federal regulators are further directed to collaborate in efforts to minimize harm where regulations conflict or are otherwise overly burdensome.
According to the Administration, new and enhanced cybersecurity regulations should be performance-based and agile enough to adapt as adversaries increase their capabilities and change tactics. While such regulations will define minimum expected cybersecurity practices or outcomes, the Administration will encourage organizations to undertake efforts to exceed these requirements.
Finally, Strategic Objective 1.1 states that new regulations may be necessary in some industries in order to “create a level playing field” so that organizations are not “trapped in a competition to underspend their peers on cybersecurity.” It therefore encourages regulators to “ensure that necessary investments in cybersecurity are incentivized through the rate-making process, tax structures, and other mechanisms.”
Pillar 1 of the Strategy also recognizes the need to “Update Federal Incident Response Plans and Processes” as part of Strategic Objective 1.4, which will leverage the rulemaking efforts by the Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As recognized by this objective, CIRCIA will enhance the government’s awareness and ability to respond effectively when entities in critical infrastructure sectors report cyber incidents.
Moreover, as part of Strategic Objective 2.2, “Enhance Public-Private Operational Collaboration to Disrupt Adversaries,” the Strategy calls for enhancing public-private collaboration, viewing it as an important measure for dismantling and disrupting cybersecurity threats from criminal syndicates and adversarial nation-states. For instance, the Strategy encourages private sector companies to join non-profits that can serve as hubs for operational collaboration, such as the National Cyber-Forensics and Training Alliance (NCFTA).
Strategic Objective 2.5, "Counter Cybercrime, Defeat Ransomware," also reaffirms the Administration's commitment to mounting disruption campaigns against ransomware threat actors, including the targeting of illicit cryptocurrency exchanges. This objective also strongly discourages the payment of ransoms and encourages organizations that nonetheless choose to pay a ransom to report the incident and the payment to the government (reporting that will become legally required for covered entities under CIRCIA once CISA completes its rulemaking process).
As a key item, Strategic Objective 3.3, “Shift Liability for Insecure Software Products and Services,” provides that regulators must reshape laws and regulations that govern liability for data loss and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies. The Administration intends to work with Congress to develop legislation to begin to shift liability to those entities that fail to take reasonable precautions to secure their software. Key objectives include preventing software manufacturers and publishers with market power from fully disclaiming liability by contract, and establishing higher standards of care for software in specific high-risk scenarios. Additionally, the Administration also plans to drive the development of an adaptable safe harbor framework to shield companies that securely develop and maintain their software products and services from liability. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework.
The Strategy will also aim to leverage federal procurement to improve accountability, as outlined in Strategic Objective 3.5, "Leverage Federal Procurement to Improve Accountability." Specifically, through its Civil Cyber Fraud Initiative, the U.S. Department of Justice will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents.
Strategic Objective 3.6, "Explore a Federal Cyber Insurance Backstop," briefly addresses the government's potential assessment of a federal cyber insurance structure aimed at stabilizing the U.S. economy in the event of a catastrophic incident. Here, however, the Administration appears only to suggest that additional input and consultation will be sought across stakeholders, without a clear path forward for cyber insurance.
Private sector organizations are well-advised to begin assessing the impact of the Strategy on their business, especially as implementation of the Strategy is expected to focus on accountability mechanisms and shifting liability. In the short term, companies providing software products and services into the U.S. market may wish to evaluate how the Administration's focus on liability-shifting may affect their development lifecycle, contracting strategy, and overall cyber risk management processes. In addition, organizations may want to consider reviewing anew how their information security policies and procedures align with cybersecurity standards such as those published by NIST (especially as the Administration works toward NIST Cybersecurity Framework 2.0); enhancing processes to confirm security-by-design in the development of new products and services; updating ransom payment procedures to clearly support compliance with OFAC guidance on payments to sanctioned persons; and implementing clear vendor-management policies to help ensure that vendors maintain robust cybersecurity measures that align with the Strategy and are not potentially influenced by adversarial nation-states.
Authored by: Pete Marta, Alaa Salaheldin, A.J. Santiago, Stacy Hadeka, Paul Otto, Tim Bergreen, Katy Milner, Nathan Salminen.