The Biden-Harris Administration Releases New National Cybersecurity Strategy
The long-awaited National Cybersecurity Strategy seeks to make fundamental changes to underl
Published by The Lawfare Institute
On March 2, the Biden administration released its long-awaited National Cybersecurity Strategy. The new strategy comes more than two years after President Biden took office and more than four years after the Trump administration issued its National Cyber Strategy in September 2018. The release also occurs in the wake of a range of significant cyber intrusions and ransomware attacks, including SolarWinds, Microsoft Exchange, Colonial Pipeline, and JBS Foods. And while the strategy’s publication may seem belated, it was preceded by executive orders, strategies for meeting cybersecurity standards, and other law enforcement and international efforts undertaken by the Biden administration to improve the nation’s cybersecurity and disrupt activities of threat actors.
As the National Cybersecurity Strategy incorporates and builds on both of these efforts and activities that began in the prior administration, it reveals two fundamental shifts in how the U.S. government seeks to “allocat[e] roles, responsibilities, and resources in cyberspace.” The strategy strives to rebalance responsibility to the “owners and operators” who are “most capable” and “best positioned to make our digital ecosystem secure and resilient.” The strategy also focuses on how to “realign incentives for long-term investments” to build “a future digital ecosystem that is more inherently defensible and resilient.”
The strategy reflects the administration’s belief that for the U.S. to advance toward a more cyber-secure future, those in the best position to secure systems and software—which is neither the end user nor small organizations—must be charged with doing so. The strategy also reflects the administration’s view that U.S. policy must foster incentives that promote investment in cybersecurity over the long term. While the government has a significant role to play in achieving these outcomes, the strategy also reveals that much is expected from the private sector in addressing the vulnerability of U.S. technology.
That these shifts drive this strategy should not be a surprise to anyone listening to Biden’s top cybersecurity officials over the past year. Last month, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), argued that the “incentives for developing and selling technology have eclipsed customer safety in importance ... [and] the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.” Almost a year ago, Chris Inglis, the first national cyber director, who retired shortly before the release of the National Cybersecurity Strategy, asserted that while the government must treat industry as a “virtual partner” and “provide more timely and comprehensive threat information,” the “private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense.”
In what follows, we present a non-exhaustive, summary overview of this strategy through the lens of its five distinct but complementary pillars—defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals—looking at how the strategy integrates and builds on existing initiatives and introduces new efforts for pushing the U.S. toward a more secure future, sometimes in ambitious but indeterminate ways.
Pillar I: Defend Critical Infrastructure
In the past few years, the U.S. has sustained a range of cybersecurity incidents, raising alarms about the vulnerability of much of its critical infrastructure. The U.S. recognizes that its 16 critical infrastructure sectors are so vital to economic prosperity and national security that significant efforts must be taken to keep them “secure, functioning, and resilient.” The new cyber strategy presents a two-pronged approach to defending critical infrastructure: improving collaborative practices with other relevant stakeholders and making its own systems more resilient. The cyber strategy outlines this vision in five strategic objectives.
The first strategic objective focuses on the need to establish cybersecurity requirements to support national security and public safety. The role of regulation has been a constant source of tension between the public and private sectors, namely how to strike the right balance between mandates and incentives. The Biden strategy leads with a strong position here, recognizing that “[w]hile voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” To address the current state of affairs, regulation is needed.
The cyber strategy recognizes that new authorities will be required to set minimum cybersecurity requirements for certain sectors—such as “food and agriculture, government facilities, and ‘critical manufacturing’—including vaccine-makers, pharmaceuticals, and mask manufacturers”—therefore delaying regulation by federal agencies until Congress passes the appropriate legislation. However, existing authorities will set these minimum requirements where possible. Although the strategy does not say which authorities and sectors fall in each category, an upcoming implementation plan will likely provide better perspectives on actions to come.
But this gap has not prevented the Biden administration from acting where it has the authority and strengthening the cybersecurity posture of various critical infrastructure sectors. In April 2021, the Biden administration launched an initiative focused on the electricity sector, followed promptly by initiatives focused on natural gas pipelines, water and wastewater, and chemicals.
Which brings us to the second strategic objective: scaling up public-private collaboration, a constant issue in the government’s approach to cybersecurity. The strategy anticipates that the work between CISA and sector risk management agencies will continue to develop as the government assesses sector-specific needs and gaps.
In a strategy that hinges so strongly on cooperation and collaboration, it is not surprising that many objectives deal with harmonizing and integrating efforts. Strategic objectives three and four set forth plans for improving coordination across federal government agencies and with the private sector, respectively.
The fifth objective focuses on modernizing federal defenses. Zero trust architecture (ZTA), a security model that removes implicit trust in any element, is central to this effort. ZTA relies on principles like “multi-factor authentication (MFA), data encryption, managing authentication and access, visibility on attack surface, leveraging cloud security tools, and replacing legacy systems.” Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity already began to move the federal government closer to ZTA. Six months after 14028, a memorandum from the Office of Management and Budget set the federal ZTA strategy and expectations for the standards and objectives that agencies had to meet by the end of fiscal year 2024.
Pillar II: Disrupt and Dismantle Threat Actors
As the new strategy begins by recognizing the range of significant threats posed by malicious actors, Pillar II opens with the statement: “The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.” This statement reflects some significant actions taken by the Biden administration. Over the past several years, ransomware attacks have grown in sophistication and scale, threatening a number of critical infrastructure sectors. During its first year, the Biden administration elevated ransomware to a national security issue, as it no longer could be categorized as simply “cyber crime.” Accordingly, the Biden administration has sought to apply a “whole-of-government” approach to disrupting the ransomware threat, leveraging economic, law enforcement, intelligence, and military capabilities. This whole-of-government approach was on public display with the disruption operations against the REvil and Hive ransomware groups.
While acknowledging some success in the disruption of malicious activities, the new strategy seeks to enable “more sustained and effective disruption of adversaries.” To achieve this outcome, the second pillar of the new strategy focuses on five different strategic objectives.
The first objective is to further integrate federal disruption activities. Such “disruption campaigns must become so sustained and targeted” that malicious cyber activity becomes “unprofitable” for cyber criminals and state actors no longer view it as an “effective means for achieving their goals.” To increase the “volume and speed” of such campaigns, the new strategy asserts that the federal government must develop more platforms that “enable continuous, coordinated operations.”
The new strategy also notes that the Department of Defense’s current strategic approach of “defending forward,” in which the U.S. military engages in cyber operations outside of the department’s networks, has generated insights on threat actors. Accordingly, the new strategy tasks the Defense Department with the development of an updated departmental cyber strategy, which will “clarify how U.S. Cyber Command and other [Defense Department] components will integrate cyberspace operations into their efforts to defend against state and non-state actors capable of posing strategic-level threats to U.S. interests.” The Defense Department must also continue to strengthen the “integration and coordination of [its] operations” with civilian and government partners “to disrupt malicious activity at scale.”
The second objective is to enhance public-private operational collaboration to disrupt adversaries. The new strategy acknowledges that the private sector has “growing visibility into adversary activity ... [that] is often broader and more detailed than that of the Federal Government.” Accordingly, the new strategy seeks to facilitate greater and “more routine” collaboration between the public and private sectors through a number of different venues, including virtual collaboration platforms that allow for the bidirectional sharing of information to disrupt adversaries. In addition, the federal government “will rapidly overcome barriers to supporting and leveraging this collaboration model.”
The third objective focuses on increasing the speed and scale of intelligence sharing and victim notification. The new strategy recognizes that while open-source and private-sector intelligence have “greatly increased collective awareness of cyber threats,” the “national intelligence that only the government can collect remains invaluable.” The new strategy notes that both National Security Agency and CISA-led engagements with the private sector have been effective in “disrupting adversary activity targeting the industrial base” and, in coordination with the FBI, “accelerat[ing] victim notification to reduce the impact of identified intrusions.” Building on these efforts, the new strategy asserts that the federal government “will increase the speed and scale of cyber threat intelligence sharing.” Various federal agencies are tasked with developing processes to facilitate better cyber threat intelligence sharing, including “mechanisms for the private sector to provide timely feedback and their own threat intelligence to the Federal Government.” Such activities expand on the goals of Executive Order 14028, which outlined a number of tasks for removing barriers to sharing cyber threat and incident information.
The fourth objective focuses on preventing the abuse of U.S.-based infrastructure. Malicious cyber actors exploit U.S. infrastructure, such as cloud-based infrastructure, to engage in “criminal activity, malign influence operations and espionage.” The new strategy recognizes the need for the federal government to work with cloud and other internet infrastructure providers to “identify malicious use of U.S.-based infrastructure,” along with making it easier for victims to report such abuse. Service providers are, however, expected to “make reasonable attempts” to secure their infrastructure against abuse or other malicious behavior. Accordingly, the strategy indicates that the administration will prioritize “a risk-based approach to cybersecurity across Infrastructure-as-a-Service” through the implementation of Executive Order 13984, issued during the Trump administration, which focuses on taking steps to address significant malicious cyber-enabled activities. A forthcoming rule from the Department of Commerce is expected to require providers of United States Infrastructure as a Service (IaaS) products to engage in various types of due diligence and record keeping on persons obtaining IaaS accounts and limiting foreign actors’ use of these products.
The fifth objective is countering cybercrime and defeating ransomware. As noted previously, the Biden administration is engaging in a number of ongoing efforts to disrupt the ransomware threat. The new strategy indicates that the U.S. will “employ all elements of national power” along four specific lines of effort:
(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing abuse of virtual currency to launder ransom payments.
The strategy recognizes the need for international cooperation and references its ongoing international outreach and Counter Ransomware Initiative. The strategy’s approach to defeating ransomware also includes a range of initiatives on the financial front, including targeting illicit cryptocurrency exchanges and “improving international implementation of standards for virtual asset illicit finance.” The implementation of Biden’s Executive Order on Ensuring Responsible Development of Digital Assets is part of this effort.
This pillar concludes by urging ransom victims not to pay ransoms because the “most effective way to undermine the motivation of these criminal groups is to reduce the potential for profit.” Nevertheless, the strategy notes that all victims of ransomware, whether or not they pay ransom, should report attacks to law enforcement and other relevant agencies. The 2018 cyber strategy also recognized the need for the government to “encourage reporting of intrusions and theft of data by all victims, especially critical infrastructure partners.” It was Biden, however, who signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. When the law takes effect following a CISA-led rulemaking process, covered entities will be required to report “covered cyber incidents,” which will be defined further in the rulemaking process, and ransomware payments in response to ransomware attacks.
Pillar III: Shape Market Forces to Drive Security and Resilience
The third pillar states that the U.S. “must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” As noted previously, senior cybersecurity officials have been evangelizing this message for well over a year now. This pillar focuses on six objectives for shaping market forces to drive security and resilience.
The first objective seeks to hold stewards of “our data” accountable. Essentially, the strategy is acknowledging a need for privacy-focused legislation incorporating standards and guidelines developed by the National Institute of Standards and Technology (NIST) that imposes “robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
The second objective seeks to drive the development of secure Internet of Things (IoT) devices. Specifically, the administration will continue to improve IoT security through “Federal research and development (R&D), procurement, and risk management efforts, as directed in the IoT Cybersecurity Improvement Act of 2020.” Prior to the release of the new strategy, the White House facilitated a dialogue about how to implement a trusted national cybersecurity labeling program with the goal of increasing security across consumer IoT devices by “equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices.” This dialogue follows Biden’s Executive Order on Improving the Nation’s Cybersecurity, which emphasized the need for improved IoT security.
The third objective seeks to shift liability for insecure software products and services. This is a strong move. As Paul Rosenzweig has remarked previously, “Proposing liability for badly written code or poorly implemented security measures has been the third rail of cybersecurity policy. Touch it and you die.” A third rail no more: The new strategy seeks to shift liability “onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.” This objective may be the most controversial aspect of the strategy, and it reflects the administration’s belief that without the ability to impose legal consequences for failing to take reasonable steps to secure software and products, the cascading, harmful effects of insecure software and services may not be adequately abated over the long term. But it will require congressional action, so its implementation is far from certain. And, depending on how the referenced safe harbor framework is structured, there will likely be some industry opposition along the way.
The third objective also references important but less controversial efforts such as coordinated vulnerability disclosure, which is “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public.”
The fourth objective focuses on the use of federal grants and other incentives to build in security. Essentially, this objective is about making investments in “critical infrastructure that are designed, developed, fielded and maintained with cybersecurity and all-hazards resilience in mind.” The new strategy also acknowledges the need for federal government collaboration with state and local entities and the private sector to “balance cybersecurity requirements for [grant] applicants with technical assistance and other forms of support.”
The fifth objective seeks to leverage federal procurement to achieve accountability. In many respects, the new strategy is continuing prior initiatives. Biden’s Executive Order on Improving the Nation’s Cybersecurity requires that the U.S. government only purchase software that is developed securely. To facilitate compliance with this requirement, this executive order also directs NIST to issue relevant guidance. The Office of Management and Budget is required to assist with federal agency compliance and, as part of this effort, has been working with the private sector to determine the best way to implement vendor attestation of secure software development. Relatedly, the Department of Justice stood up a civil cyber-fraud initiative to pursue government contractors receiving federal funds when they “fail to follow required cybersecurity standards.”
The sixth and final objective under this pillar indicates that the administration will explore a federal cyber insurance backstop. The strategy notes that “in the event of a catastrophic cyber incident, the Federal Government would be called upon to stabilize the economy and aid recovery” and that structuring that response ahead of time “could provide certainty to markets and make the nation more resilient.” Such a backstop would require the U.S. Treasury to accept responsibility for financial exposure risks that insurers and reinsurers face from future catastrophic cyber incidents affecting those that they insure. While this is not a new idea, it has “gained momentum” in part due to a June 2022 report issued by the Government Accountability Office recommending that CISA and the Federal Insurance Office conduct a joint assessment of “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.” If Congress were to enact some form of a cyber insurance backstop, critical issues to determine would include “which incidents the backstop should include” and “the specified cybersecurity processes that the backstop could require policyholders to follow.”
Pillar IV: Invest in a Resilient Future
When it comes to investing in a resilient future, the strategy adopts a comprehensive approach that recognizes the need to invest in past, present, and future infrastructure. The fourth pillar includes a range of issues: addressing the inherently vulnerable foundations of the internet, reinvigorating federal research and development (R&D), strengthening the cyber workforce, developing a digital identity ecosystem, and preparing for the postquantum future.
The first objective tackles the need to secure the technical foundation of the internet. Part of the approach will include identifying the most pressing systemic risks and working alongside the private sector in reducing risk exposure “without disrupting the platforms and services built atop this infrastructure.”
The second strategic objective in this pillar tackles the government’s role in supporting R&D in “defensible and resilient architectures.” The cyber strategy directly calls out three “families” of technologies it considers essential: computing-related technologies, biotechnologies and biomanufacturing, and clean energy technologies. To accomplish this, the government will continue to update the Federal Cybersecurity Research and Development Strategic Plan. By leveraging its investment mechanisms alongside its purchasing power and regulatory powers, the government hopes to make a significant impact in shaping market forces.
Concerns about advances in quantum computing and their implications for current cryptographic systems include the potential to break much of the public-key cryptography presently used and “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.” Accordingly, the 2018 National Cyber Strategy directed NIST to “continue to solicit, evaluate, and standardize quantum-resistant, public key cryptographic algorithms.” In 2018, Congress passed the National Quantum Initiative Act, directing the president to implement a program to “establish the goals and priorities for a 10-year plan to accelerate the development of quantum information science and technology applications” and instructing the “quantum activities” of NIST, the National Science Foundation, and the Department of Energy. The National Science and Technology Council issued a National Strategic Overview for Quantum Information Science, which laid out the U.S. plan to remain the leader in quantum information science and its applications.
The Biden administration has built on this work with two presidential directives focused on quantum information science, issued jointly in May 2022. The Executive Order on Enhancing the National Quantum Initiative Advisory Committee focuses on ensuring U.S. leadership in quantum applications. The National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM-10) is concerned with reducing the risks for government agencies as they embark on a multiyear migration to quantum-resistant cryptography.
When it comes to preparing networks and systems for the postquantum future, the new strategy hopes to set an example for the private sector. With the path charted by the prior work on this issue, the new strategy limits itself to reinforcing the objectives set by NSM-10 for a timely transition, prioritizing vulnerable public networks and systems.
The next strategic objective aims to secure new clean energy infrastructure, given its interconnected nature. To accomplish this, the administration will continue to implement the National Cyber-Informed Engineering Strategy, which was directed by Congress in the National Defense Authorization Act for Fiscal Year 2020. The administration also outlined a plan for coordinating with a range of stakeholders “to deploy a secure, interoperable network of electric vehicle chargers, zero-emission fueling infrastructure, and zero-emission transit and school buses.” The main actor here will be the Department of Energy, through initiatives like the Clean Energy Cybersecurity Accelerator, which “brings together federal infrastructure and expertise, asset owners in the energy sector, and technology innovators in a unified effort to catalyze the development of new cybersecurity solutions for the nation’s future clean energy grid” and the Energy Cyber Sense program, a voluntary program to “test the cybersecurity of energy products and technologies, including bulk-power systems.”
The fifth strategic objective is similarly forward-leaning. In this new strategy, the administration posits that “strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth” are needed. Insecure solutions have facilitated fraud and other online harms, causing individual distress and financial hardship. However, the cyber strategy does not offer new initiatives or efforts but, rather, relies on existing efforts at NIST—including the identity research program authorized in 2022—and outlines the principles the administration will encourage in identity management: “privacy, security, civil liberties, equity, accessibility, and interoperability.”
The last strategic objective of this pillar focuses on the development of a cyber workforce. Efforts to enhance the U.S. cybersecurity workforce are not new, spanning initiatives like the CyberCorps Scholarships, which supports up to three years of cybersecurity education in exchange for working for the U.S. government after graduation, or the National Initiative for Cybersecurity Education Framework, which offers resources so that organizations can better discuss their approaches to cybersecurity.
In addition, the Biden administration already announced an interagency effort to develop a national strategy “focused on the cyber workforce, cyber training and education, and digital awareness.” In December 2022, the administration put forward its vision and commitments to address systemic barriers to access science, technology, engineering, mathematics, and medicine (STEMM) fields, including scholarships, training, and work opportunities. The new strategy outlines the objectives of the future National Cyber Workforce and Education Strategy: “expanding the national cyber workforce, improving its diversity, and increasing access to cyber educational and training pathways.” Along these lines, during the recent roundtable titled “The State of Cybersecurity in the Black Community,” the National Science Foundation, the Department of Labor, the Department of Commerce, and the Small Business Administration, along with additional participants, announced multimillion-dollar initiatives aimed at accomplishing this goal.
Pillar V: Forge International Partnerships to Pursue Shared Goals
The new strategy wants to “thwart the dark vision for the future of the Internet” that adversaries like China and other autocratic governments seek. To do so, the document offers five strategic objectives, which could be parsed into two main goals: strengthening common approaches with partners and countering global threats.
In the first place, the cyber strategy articulates the need to build coalitions to counter threats to the digital ecosystem. Strengthening international partnerships has been a priority throughout the Biden administration. These coalitions can take many forms. Examples include the Declaration for the Future of the Internet—a political commitment in favor of an open internet—and the Freedom Online Coalition, whose 36 member countries seek to advance internet freedom and human rights online. However, this is also a regular issue in bilateral and multilateral meetings, and cooperation in cybersecurity is a staple issue in security dialogues—think the Quad, the U.S.-EU Trade and Technology Council, AUKUS, the Indo-Pacific Economic Framework for Prosperity, and the Americas Partnership for Economic Prosperity.
The second strategic objective focuses on strengthening international partner capacity, particularly:
to secure critical infrastructure networks, build effective incident detection and response capabilities, share cyber threat information, pursue diplomatic collaboration, build law enforcement capacity and effectiveness through operational collaboration, and support our shared interests in cyberspace by adhering to international law and reinforcing norms of responsible state behavior.
While this requires a whole-of-government effort, the cyber strategy points to the departments of Justice, Defense, and State as the leads.
According to the fourth strategic objective, the administration will adopt a “renewed, active” diplomacy, which will include coordinated activity to call out malicious actors and support the voluntary norms of responsible behavior. The U.S. and its allies have called out Russia and China in the past. The Biden administration has already been successful in nominating the head of the International Telecommunication Union, the U.N. body that develops the internet’s technical standards.
The final piece in the international cooperation puzzle concerns global supply chains. Dependence on foreign suppliers for information, communications, and operational technology products and services in a time of competition—particularly with China—raises interesting questions about the trustworthiness of these products and services. The new strategy follows in the steps of the National Strategy to Secure 5G, and the associated efforts to ensure a secure supply chain for 5G and next-generation wireless networks, and wants to extend the model to other critical technologies. The efforts would see a restructuring of global supply chains to allow these technologies to “be developed at home or in close coordination with allies and partners.”
Under this objective, the government continues to build on existing policy: the mandate of the Bipartisan Infrastructure Law requires federally funded projects to “buy American”; Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain, and Executive Order 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries, provide a framework for supply chain protection. Through this domestic approach, the U.S. government hopes to improve national cybersecurity, as well as to “attract countries to support the shared vision of an open, free, global, interoperable, reliable, and secure Internet” by showing “that digital technologies will function as expected.”
Conclusion
The Biden administration’s National Cybersecurity Strategy puts forth an ambitious vision for U.S. cybersecurity—one to be attained by the end of the decade. To achieve a more cyber-secure future, the administration seeks to realign roles and responsibilities to those entities in the best position to secure systems and software and to promote incentives for investment in cybersecurity over the long term.
The cyber strategy cannot be evaluated in a vacuum. It’s important to look at the efforts that preceded it and recognize the efforts yet to come. For some elements of the strategy, the implementation details are relegated to a plan yet to be written. And as the saying goes, “the devil is in the details.” Moreover, in those areas where Congress will need to provide the executive branch with new authorities, there will likely be additional delays or challenges with implementation.
Given these challenges, it would be easy, at this point, to express some skepticism about the necessary work that lies ahead. Nevertheless, the Biden administration has advanced a forward-leaning vision for cybersecurity, with original initiatives that have the potential to reshape how the U.S. approaches and manages cybersecurity for the foreseeable future. In presenting this aggressive strategy, the Biden administration has set a high bar for cybersecurity that will be hard for future administrations to ignore. It has also put Congress on notice for where it will need to act.