On March 1, 2023, the Biden administration published its National Cybersecurity Strategy. This is not an executive order, but an outline of how the administration will guide the evolution of cybersecurity at the national level.
The federal government can only impose its wishes on federal agencies. It cannot impose those wishes at a national level without the agreement of Congress. This is difficult – not impossible, but difficult – in politically partisan times, especially in the run-up to a presidential election. For this reason, the National Cybersecurity Strategy must ultimately be considered a wish list of the administration’s desires, not a statement on what will happen nationally.
It may be somewhat aspirational, but the administration is not toothless. It ultimately has a lot of control over much of the nation’s business infrastructure.
Firstly, it indirectly has authority over the critical industries via the federal agencies that provide governance of those industries. Those agencies can be directed to set standards affecting their covered industries. Secondly, it has strong control over these and all federal agencies, and can require that any purchases by those agencies must conform to a particular set of standards.
These two abilities will affect the greater part of business in the US. But what the federal government will likely never achieve is a single cybersecurity regulation imposed across the entire nation. For example, whenever the strategy document uses the phrase “we will work with Congress…”, it is an admission that this part of the strategy cannot be guaranteed. That phrase is used nine times within the document.
Given both the power and limitations affecting the administration, it is worth looking closer at the possible outcomes of this National Cybersecurity Strategy. SecurityWeek talked to Chris Hart, partner and co-chair of Foley Hoag LLP’s privacy and data security group.
Hart agrees with both the power and limitations of the presidency but suggests we shouldn’t focus too much on the partisan nature of government. He admits the potential for a national personal privacy regulation got “really gummed up in Congress for all sorts of political reasons,” but he suggests that cybersecurity is a separate concern from personal privacy.
“I think cybersecurity is a little bit different,” he said. “In part because there appears to be bipartisan concern around the Chinese use of cyber weapons and surveillance. So, I think there’s a heightened sense that there is a national security need here. I think there’s more than the possibility of bipartisan consensus because of real national security threats that animate both sides of the aisle.”
Nevertheless, without the agreement of Congress, parts of the strategy are merely aspirations, and you cannot base an overarching strategy on aspirations. For this reason alone, it is worth examining Biden’s strategy in greater detail.
National cybersecurity based on a patchwork of joined-up regulations
We asked Hart if Biden’s intention is to develop a national approach to cybersecurity based on a joined-up patchwork of individual regulations set by the federal agencies. Pointers to this expectation can be found in two paragraphs within the document.
“Federal Agencies that support critical infrastructure providers must enhance their own capabilities and their ability to collaborate with other Federal entities. When incidents occur, Federal response efforts must be coordinated and tightly integrated with private sector and State, local, Tribal, and territorial (SLTT) partners.
“Finally, the Federal Government can better support the defense of critical infrastructure by making its own systems more defensible and resilient. This Administration is committed to improving Federal cybersecurity through long-term efforts to implement a zero trust architecture strategy and modernize IT and OT infrastructure. In doing so, Federal cybersecurity can be a model for critical infrastructure across the United States for how to successfully build and operate secure and resilient systems.”
Key concepts in the first paragraph are ‘enhance’, ‘collaborate’, and ‘integrate with private sector’. The second paragraph appears to be saying, ‘and we (the Federal Government) will be your guide’.
“I think there’s something to that,” said Hart. “It is consistent with a long-standing, sectoral approach that the US Federal Government has taken on security. Part of it is in the DNA of how the US tends to work; agencies are given their remit to determine what’s reasonable security for their sector of the US economy. Now, there’s a good question of whether that’s sensible. Wouldn’t it be better to have a single standard or set of standards that are then implemented across industries? I don’t know if that’s true – there will still be a need for specificity.”
The question is whether a single regulation (such as the EU’s GDPR and its supporting regulations, covering all industries in all member nations) can provide better security than individual regulations covering individual industry sectors. Sector-specific regulations make sense: the cybersecurity requirements for the finance sector are different from those for the health and energy sectors. The weakness is that some organizations end up required to conform to multiple different regulations.
This is the problem that the National Cybersecurity Strategy is attempting to address by demanding better cooperation and integration between the different federal agency security regulations. If it succeeds, a patchwork of joined-up regulations will, through synergy, provide a superior approach to a single regulation covering all sectors. As Hart comments, “The hope is that when the sausage is made, you have a better product than if you had had Congress come up with a single standard.”
The National Strategy goes further than just pointing to an integrated quilt of cybersecurity regulations. It seeks to promote a national background on which cybersecurity can thrive. Interesting areas include personal privacy, international trade, switching the burden of cybersecurity responsibility away from the user and more toward the security supplier, and cyberinsurance.
While a national personal privacy law may not be immediately realistic, Congress has been discussing the possibility for a decade or more. The National Strategy supports this objective.
“The Administration supports legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”
But absent that national law, there are still things the federal government can achieve. First is the hope that improved cybersecurity will filter down to better protection of PII. Second, the FTC (as part of the patchwork cybersecurity solution) has some influence at a national scale. It can, and does, enforce against the misuse of user PII under its remit of preventing deceptive practices by businesses.
“The Federal Government will encourage and enable investments in strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth. Building on the NIST-led digital identity research program authorized in the CHIPS and Science Act, these efforts will include strengthening the security of digital credentials; providing attribute and credential validation services; conducting foundational research; updating standards, guidelines, and governance processes to support consistent use and interoperability; and develop digital identity platforms that promote transparency and measurement.”
The first part of this indicates the aspiration, while the second part implies a readiness to make it part of the ‘interoperable’ patchwork cybersecurity solution. There is no easy solution to a national personal privacy regulation in the US, but the National Cybersecurity Strategy makes a good stab at creating one.
Pillar Five of the Strategy is titled ‘Forge International Partnerships to Pursue Shared Goals’. This is largely a statement of US foreign policy relating to cyber. One area discusses ‘cross-border data flows’. It is worth noting that GDPR is never mentioned in the document, but nevertheless GDPR currently makes any flow of data that includes PII of EU residents from the EU to the US illegal. In practice, this isn’t enforced by EU regulators because of ongoing discussions between the two blocs.
The Strategy describes working with the QUAD, the IPEF and the APEP (but not the EU) “to collaborate in setting rules of the road for the digital economy, including facilitating the development of technical standards, mechanisms to enable cross-border data flows that protect privacy while avoiding strict data localization requirements…”
The problem with data flows between the EU and the US is fundamental to existing laws governing privacy in the EU, and intelligence and law enforcement in the US. Governments on both sides of the Atlantic agree with the need for free flows of data, but are hampered by their respective laws that are almost impossible to change.
We’re in a cycle where the governments agree to some form of acceptable wording to make the process legal, but EU privacy activists immediately take the issue to the European Court. Each court case can take several years to resolve. So far, the European Court has declared all ‘wordings’ to be unconstitutional within Europe (because of GDPR); so new negotiations begin. It’s difficult to see an acceptable conclusion to this process – but if the two governments continue to strive to find a solution, the EU regulators will hold off enforcing EU law. It’s a precarious situation, but free data flows from Europe can continue so long as the US government keeps talking.
Nevertheless, and for whatever reason, EU/US data flows are given little mention within the Strategy’s ‘international partnerships’ section. Data flows remain an aspirational aspect of the National Strategy.
The burden of cybersecurity
A fascinating area within the document talks about the need to rebalance the responsibility to defend cyberspace. “Today, end users bear too great a burden for mitigating cyber risks… Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
This has been widely interpreted as an attempt to make security vendors responsible for the performance of their products — but it’s not an easy concept. Vendors traditionally claim that their product cannot be blamed for a breach, because the breach was allowed by a user’s misuse of the product.
This is an area where Hart has strong opinions. “I don’t think I agree with that. I have represented several clients who hold this view – but I think it’s a convenient view for them. It’s our users’ error. It’s not ours. The problem is that nobody is accountable.”
The route chosen in the National Cybersecurity Strategy is to force security vendors to provide security by design. The government can do this through its patchwork of agency regulations, together with the sheer purchasing power of the Federal Government.
“There has to be some pressure put on software providers to increase their security design,” continued Hart. “It can’t all be on the user, because if it is all on the user, it’s never going to be improved. The only other option is through ordinary tort law, which is probably not the best tool.”
On the back of the National Strategy, we can expect to see increasing pressure on software developers to use secure design principles, and be able to demonstrate security by design in their products. The concept isn’t new, but a consistent and concerted insistence on its application is new.
The cyberinsurance backstop
Two separate simple statements could herald a profound change to the cybersecurity market. The first is, “We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur.”
And later, “The Administration will assess the need for and possible structure of a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market.”
Nothing is promised, but the government is making it clear that it is not ruling out a government cyberinsurance backstop. This would be the government providing supporting funds in the event of what the insurance industry describes as a systemic risk — an event so huge or widespread that the insurance industry couldn’t cover it by its own resources.
It’s a complex issue. How much should a backstop provide? What risks would qualify as being supported? Where should the funds come from? If from the government, that means the taxpayer. If from a levy on insurance premiums, that could increase the cost of insurance and reduce the demand for cyberinsurance.
Hart is in little doubt that it is an issue that must be addressed. “It’s been notoriously difficult to price cyber risk,” he said, “and the insurance market went kind of haywire because of the increase in ransomware attacks.”
But the problem really gets critical with the critical industries. “There’s certain critical infrastructure that is effectively off the map for cyberinsurance,” he continued, “because the insurers don’t know if it’s a one-hundred-year risk, or a thousand-year-risk, or if the covered company will be destroyed by the risk. There are certain kinds of catastrophic cyber risks that underwriters alone, even very large underwriters, cannot reasonably underwrite.”
A government-supported cyberinsurance backstop is clearly being considered by the Federal Government.
The national cybersecurity strategy
The national strategy outlined by the Federal Government on March 1, 2023, is a monumental attempt to weave a consistent approach to cybersecurity for the whole nation. It attempts to rationalize and standardize where it can, and to encourage and incentivize where it cannot insist. It must be said, however, that some areas remain more aspirational than enforceable.