On March 2, 2023, the White House Office of the National Cyber Director (“ONCD”) released the Biden Administration’s (the “Administration”) long-awaited National Cybersecurity Strategy (the “Strategy”), the first since the Trump Administration’s strategy was issued in September 2018. The Strategy positions cybersecurity very clearly as a critical national security issue and builds on the Administration’s issuance of the May 2021 Executive Order on Improving the Nation’s Cybersecurity that created the ONCD as well as its creation of a new Deputy National Security Advisor for Cyber and Emerging Technology position on the National Security Council.
The Strategy demonstrates a strong commitment by the Administration to further enhance the country’s cybersecurity posture. Early reaction to the Strategy is largely favorable. However, the Strategy also contains provisions that would shift liability for software vulnerabilities onto the developers. Such a fundamental shift will create new litigation and potentially upend breach response.
The Strategy is composed of five “pillars,” each with its own strategic objectives. In Part 1 of this Debevoise Data Blog series, we discuss the key provisions from pillars 1, 3 and 4, which mostly affect the private sector by calling for expanded cybersecurity standards, changes to market incentives through both carrots and sticks and efforts to secure certain Internet infrastructure. Part 2 will cover pillars 2 and 5, which address the government’s efforts to disrupt and dismantle threat actors and forge international partnerships around cybersecurity.
What is in the Strategy?
With its five guiding pillars, the Strategy codifies disparate cybersecurity actions across states and private industry by (i) advocating for legislation to protect national critical infrastructure; (ii) emphasizing threat actor deterrence and detection by officially declaring ransomware as a national security threat; (iii) proposing to shape market activity through government purchasing and proposed legislation; (iv) seeking public-private investment in cybersecurity resilience; and (v) working internationally to protect cyberspace.
The most significant takeaways from pillars 1, 3 and 4 of the Strategy include:
- Liability Shift: Software manufacturers and distributors, as well as their customers, can expect a changing liability landscape if the Administration succeeds in pushing through legislative changes that override existing liability limitations in software license agreements. Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, has used the last two months leading up to the release of the Strategy to lay the groundwork for this fundamental shift. Efforts to shape this proposal will be critical, together with software developers ensuring that they are employing best practices in software development.
- Heightened Standards: The Strategy calls for heightened cybersecurity standards, such as those recently implemented in the transportation and pipeline sectors, by (i) further expanding similar federal cybersecurity standards and (ii) facilitating greater regulatory harmonization across other critical sectors, including for cloud infrastructure and other essential third-party services. Critical sector companies and their third-party infrastructure providers in particular should become familiar with the recent examples of federal cybersecurity standards as well as National Institute of Standards and Technology (“NIST”) guidelines that have informed these new regulatory requirements.
- Privacy Regulations: The Administration appears to be using the Strategy to promote federal legislation to impose clear limits on the collection, use, transfer and maintenance of personal data, i.e., federal privacy regulation. “Stewards” of personal data should expect demanding requirements but with the hope for a federal standard that could lead to greater harmonization of the existing state-by-state patchwork.
- Regulatory Harmonization: The onslaught of legislative and regulatory activity in the cyber space has led to a cry from industry to harmonize the legislation, reporting and examinations. The Strategy is a clear signal that the Administration is listening. Sprinkled in with the calls for new legislation is an understanding that too many regulators are operating in this area without sufficient coordination.
Key Strategic Objectives from Pillars 1, 3 and 4
Pillar 1: Defend Critical Infrastructure
This pillar is aimed at ensuring that the owners and operators of critical infrastructure as well as their vendors, service providers and applicable federal agency partners and regulators collaborate so that U.S. infrastructure is defensible and resilient against cybersecurity attacks. Although critical infrastructure is typically the province of the federal government, private entities are intrinsically involved in it and its cybersecurity, so this pillar seeks to harmonize public and private cyber standards.
Expanding Cybersecurity Requirements to Support National Security and Public Safety
The Strategy indicates plans for additional cybersecurity regulation in the critical infrastructure space and harmonization of existing regulation. The Strategy specifies that the government intends to establish mandatory minimum cybersecurity requirements for critical infrastructure providers based on existing cybersecurity frameworks issued by the Cybersecurity and Infrastructure Security Agency (“CISA”) and NIST. These requirements would add to the reporting obligations provided for in the March 15, 2022 Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). We discussed CIRCIA in a prior Debevoise Data Blog post, and the Strategy’s emphasis on improved standards follows the trend of regulators providing rules for certain sensitive regulated industries such as financial services, banking and securities issuers.
The Strategy also urges regulators to promote the adoption of secure-by-design principles through critical infrastructure-related cybersecurity regulations, consistent with recent goals and guidelines. Certain regulators are already beginning to contemplate cybersecurity-related regulations and best practices. For instance, the day after the Strategy was released, the Environmental Protection Agency released a memorandum addressing cybersecurity in U.S. public water systems. In addition to advocating for increased cybersecurity regulation on critical infrastructure providers, the Strategy indicates that such regulation should apply to critical infrastructure entities’ third-party service providers, including cloud-based storage providers “essential to operational resilience.”
Pillar 3: Shape Market Forces to Drive Security and Resilience
This pillar is aimed at incentivizing market participants to update their cybersecurity and privacy policies and procedures to better defend themselves and their customers from cybersecurity incidents. The Strategy recognizes that the federal government cannot prevent all cyberattacks on private entities but can use its authority to shift burdens and liability from consumers to companies.
New Federal Standards for Stewards of Personal Data
The Strategy advocates for legislation to address the protection of consumer privacy in the digital age, indicating that data stewards should have clear limits on the extent to which they can use, transfer and maintain personal data and that such limits should be based on NIST’s standards and guidelines. This advocacy signals a national emphasis on robust, clear limits on organizations’ ability to use, transfer and maintain personal data and appears to urge Congress to resume consideration of the American Data Privacy and Protection Act (“ADPPA”). While the ADPPA failed to pass last summer, the growing inconsistencies and inefficiencies arising from the patchwork of state privacy laws could lead to the passage of a national cybersecurity law requiring data protection consistent with NIST guidelines. However, it is unclear whether the Strategy will generate any impact beyond executive action with a divided government.
Shifting Liability for Insecure Software Products and Services
Perhaps the single most significant change proposed by the Strategy, tucked away in pillar 3, is a massive liability shift in the software industry. Historically, software license agreements have greatly limited the liability for software manufacturers and distributors for vulnerabilities in their code. This objective should be a key focus area for private entities, as it would represent a fundamental shift in liability for software providers. The Strategy, in an effort to address the downstream effects of unsecure software and services, aims to shift responsibility for data security from software purchasers, such as businesses and individual consumers to software providers by imposing a new standard of care and direct liability for introducing vulnerable products or services to the market. It also would “encourage coordinated vulnerability disclosure across all technology types and sectors,” with a particular emphasis on rooting out vulnerable software in critical infrastructure. To further encourage secure-by-default and secure-by-design software, the Strategy advocates for legislation that includes a safe harbor for companies that follow privacy and data security best practices consistent with the NIST Secure Software Development Framework, allowing them to continue innovating without fear of liability for subsequent breaches.
As CISA Director Jen Easterly noted in remarks at Carnegie Mellon, the Strategy advocates “[a] model in which responsibility for technology safety is shared based upon an organization’s ability to bear the burden and where problems are fixed at the earliest possible stage—that is, when the technology is designed rather than when it is being used.” As envisioned, software companies could not fully disclaim liability for breaches by contract, so those providers who supply insecure products would face increased litigation risk for failure to meet these standards. Without software developer liability, the Administration may not be able to address the downstream effects of insecure software and services. However, if implemented, it could lead to cross-sector liability risk for any company offering software to consumers. Whether requiring proactive cybersecurity in development delays or stifles software innovation remains to be seen.
Federal Cyber Insurance Backstop.
The Strategy also proposes assessing the feasibility of creating an aid package that stands ready to stabilize markets in the event of a catastrophic cyber incident that harms entities throughout the cyber ecosystem. Under this program, the U.S. Treasury would back financial exposure risks that insurers face from cyber incidents. The Strategy also advocates for creating a plan to support the existing cyber insurance market in the event of a catastrophe. Each aid package could provide stability and resilience in the event of a disaster, and the Strategy encourages cooperation between Congressional, state and industry actors.
Pillar 4: Invest in a Resilient Future
Pillar 4 focuses on securing the internet as a whole, investing in the cyber workforce and R&D, including in quantum computing and clean energy. The Strategy proposes to “encourage and enable investments in strong, verifiable digital identity solutions that promote security, accessibility and interoperability, financial and social inclusion, consumer privacy, and economic growth” so that the U.S. approach to cybersecurity going forward is not reactive.
Government Efforts to Secure Internet Infrastructure
The Strategy indicates that the Administration would like to update the foundation of the internet’s infrastructure to mitigate the impact of entrenched vulnerabilities. To do this, the Strategy suggests that technologists take steps to “clean up” known and pervasive concerns with respect to the internet’s architecture, such as unencrypted domain name requests and the adoption of new technologies to increase the security of the internet. The Strategy proposes that the federal government perform research and development into the cybersecurity risks of next generation technologies such as artificial intelligence and quantum computing to ensure the U.S. is ready for their adoption. The Strategy explicitly indicates quantum computing as an area of interest, especially due to the threat that it poses to existing, widely used encryption methods and standards.
Development of new Digital Technology and Infrastructure
The Strategy also focuses on investing in new technologies to support the digital ecosystem. One such technology is a verifiable digital identity solution that can be used to access government benefits and services, communication and social networks, and digital contracts and payment systems. The Strategy indicates that this technology is to combat credential and identify theft. It notes, however, that such credentials should be created with privacy, security, civil liberties, equity, accessibility and operability in mind.
Other technologies the Strategy envisions implementing are renewable energy technology solutions such as electric energy generation and storage devices to increase the resilience, safety and efficiency of the electrical grid.
- Potential Shift in Liability for Software Bugs to Hold Manufacturers and Distributors Accountable for Poor Development Processes. If the Administration succeeds in driving legislation that overrides liability waivers in existing license agreements, the software industry and its customers will experience a paradigm shift that greatly raises their risk potential and creates tremendous economic incentive for a robust software development lifecycle, one informed by NIST software development standards and designed to qualify them for the type of “safe harbor” mentioned in the Strategy. With potential restrictions placed on software developers’ ability to limit liability by contract, consumers (including companies and individuals) will want to reexamine their purchase agreements and ensure favorable terms.
- Greater Cybersecurity Regulation but with Hope for Increased Harmonization: Companies, especially in the critical infrastructure space, should expect additional rule-making and legislation as regulators take steps to respond to the Strategy’s call to establish sector-specific cybersecurity requirements, as they have in the transportation and pipeline sectors, consistent with NIST standards and guidelines. Those who hold personal data, regardless of sector, can expect a possible federal standard regarding the collection, use, transfer and maintenance of personal data. As to both areas of increased regulation, there are reasons to be hopeful about a potential harmonization of requirements that have to date been a fragmented compliance drain on company resources that could be better used to defend networks.
- NIST Guidelines Take Center Stage: Companies that are not already utilizing the NIST cybersecurity framework should gain familiarity with NIST’s standards and guidelines to prepare for future legislation, and should track potential Congressional action to revive the ADPPA. They could do so by ensuring that their software development and maintenance are consistent with NIST standards and guidelines to take advantage of the proposed safe harbor provision. Additionally, while vulnerability disclosure could burden compliance, it appears poised to improve the cybersecurity of the entire ecosystem. Companies could assess internal vulnerabilities and prepare to disclose in anticipation of congressional action.
- Digital Identities: A robust digital identity ecosystem raises questions about how companies will operate and whether their uses of digital identities will aggravate existing data privacy concerns. In particular, the Strategy recommends that any national digital identity system must use the most secure data privacy and cybersecurity controls, and, if made universal, these controls would require companies to consider civil liberties, equity, accessibility and operability when connecting to this ecosystem. While the precise path forward here is unclear, widespread digital identity utilization could transform how digital ecosystem actors interact with consumers and their data.
This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “National Cybersecurity Strategy (Part 1): The White House Urges Private and Public Action,” dated March 16, 2023, and available here. Mengyi Xu, Noah L. Schwartz, Stephanie D. Thomas, Jarrett Lewis and Jacob Hochberger contributed to the memorandum.