Unpacking Biden’s National Cybersecurity Strategy
The cybersecurity stakes are higher than ever. Society is so deeply connected and dependent on digital technology that a severe enough attack could cripple critical functions. The US government is aware of the threat and is preparing what promises to be the most aggressive cybersecurity strategy document ever. Called the National Cybersecurity Strategy (NCS), it is still under wraps at the time of writing, but those who have seen it promise that it will level up US cybersecurity capabilities. Here’s what we know and what to expect.
A History of Soft Cybersecurity Policy
Until the current administration, the White House took a relatively light-touch approach to securing critical national infrastructure (CNI). This class of infrastructure, which is considered vital to societal operation, is comprehensive, including 16 sectors ranging from food to finance.
Past efforts to protect the CNI have been much like this segment of the economy itself: fragmented and incoherent. Previous administrations issued voluntary cybersecurity guidelines for CNI sectors, leaving regulators to develop and enforce more robust cybersecurity controls.
Some of these controls have been more successful than others and have often been imposed at a state level. For example, the New York Department of Financial Services (NYDFS) issued the Part 500 regulation, which became effective in 2017 and took an aggressive approach to cybersecurity enforcement. The SEC has also been stepping up cybersecurity controls.
Yet other sectors have been less aggressive. Municipal water departments often lack cybersecurity expertise. Companies across other industries considered part of the CNI often have competing priorities like maintaining quarterly financial performance.
Even before the May 2021 ransomware attack on Colonial Pipeline that sent gasoline prices soaring across the eastern US, the Biden administration had already moved towards a more cohesive, hands-on approach to CNI security. In April 2021, it kicked off a sector-by-sector review and hardening of the CNI with a 100-day plan to increase security among electrical utilities.
In July of that year, the president followed this up by signing the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, vowing to address cybersecurity protections across a range of CNI sectors. The government issued substantial cybersecurity requirements for oil and gas pipeline operators in May and July, announced the Water Sector Action Plan in January 2022, and targeted the chemical sector with a different plan last October.
These measures were more aggressive than previous administrations’ attempts. They imposed mandatory measures, such as requiring incident response plans. The executive branch also worked with Congress to create the Cyber Incident Reporting for Critical Infrastructure Act, which will eventually enforce a 72-hour cyber attack notification window for CNI operators.
Those who have seen the strategy document believe it will unify this approach, taking further measures to force companies in CNI sectors to harden their defences. The document will call for shifting liability to companies that fail to implement appropriate measures.
No More Mister Nice Guy
The strategy document doesn’t just hone defensive measures; it also turns its attention outward. It includes explicit measures to target malicious actors, say those in the know.
The US government has become increasingly hawkish in its targeting of threat actors in cyberspace. The Obama administration kept tight reins on offensive cyber activities, requiring explicit presidential permission to go after enemies of the US online. The Trump administration took its foot off the brake in 2018, issuing National Security Presidential Memorandum No. 13, which gave the Pentagon more autonomy in launching offensive cyber operations.
Initially, the Biden White House studied whether it should repeal some of Trump’s measures. However, reports suggest that the National Cybersecurity Strategy will take them a step further.
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document reportedly states in a five-page section titled “Disrupt and Dismantle Threat Activities”. It also says that the FBI’s National Cyber Investigative Joint Task Force will work with other agencies to interfere with and ultimately take down attackers’ networks.
Enforcing What’s Coming
The government will also reportedly enlist private companies as partners in the fight against attackers, sharing information with them about attack patterns. These partnerships, along with the enforcement measures that we’re likely to see in the NCS, raise a question: how much will the executive branch be able to enforce this?
The government’s most ground-breaking document before this, May 2021’s Executive Order on Improving the Nation’s Cybersecurity, was more limited in scope because executive orders only apply to federal agencies. Any pressure applied to the private sector was indirect, through the imposition of cybersecurity controls in federal procurement policies that would require supplier compliance.
The new strategy document will apply to a vast slew of private firms which have traditionally been cautious about government cybersecurity regulations. For example, information sharing has been a contentious point in the past. Companies have worried about legal liability if they divulge the extent and scope of attacks to the government.
Some of the sectors included in the CNI might be legally difficult for the White House to regulate. It will need the help of agencies and a deeply divided, dysfunctional Congress that will prove problematic in pushing sensible laws through. We’ll know more when the document drops, which should be very soon.