Biden’s cybersecurity strategy is bold, but it may get held up in Congress
The Biden Administration released its updated National Cybersecurity Strategy in early March — and although it’s Biden’s first, it’s the third cybersecurity strategy the U.S. has released this century. And it will likely have the most real impact.
Unlike cyber strategies of the past, this latest one holds several groups and sectors directly accountable for its success. It points to a single senior government official who will need to answer for its implementation and success. The National Cyber Director will be held responsible for ensuring that the implementation is monitored and measured, that interagency teams are in lockstep, and that the federal government has the resources and permissions needed to bring the strategy to fruition.
It’s a big task: Chris Inglis recently stepped down from the role after just under two years, and while Kemba Walden is stepping in as the acting official, President Biden will hopefully appoint a permanent director in the coming weeks, whether Walden or someone else.
Heightened tech sector liability
Another goal is placing heightened liability on the tech sector as a whole, including holding critical hardware and software providers responsible for creating safer products. Within the released strategy, the administration has committed to working with both Congress and the private sector to “develop legislation establishing liability for software products and services” — an effort that is sure to prove divisive in the current Congress.
Rightfully, the Biden Administration strategy focuses on critical infrastructure, and, taking a step further than previous cyber strategies, connects cyber requirements compliance to infrastructure investment funding. These funds “can drive investment in critical products and services that are secure and resilient by design and sustain and incentivize security and resilience throughout the lifecycle of critical infrastructure,” according to the strategy.
Implementing this will be a challenge, as it will require various government agencies to collaborate on the end goal of tying funding requirements to demonstrated cyber practices.
While the released strategy had many expected elements, the Biden Administration has made one thing clear: There will be a focus on community-wide implementation, not only for the yet-to-be-named National Cyber Director but for legislative bodies, policymakers and tech companies.
Even within individual companies, there is a trend of making cybersecurity everyone’s responsibility, but there hasn’t always been shared accountability. This strategy aims to encourage ownership for everyone involved: those developing the technology, those along the supply chain to the end user, those creating mandates and incentives, and finally, the financial marketplace. This multi-pronged approach is sure to produce more consistent and streamlined results, but achieving them will take real collaboration and communication.
Finally, the strategy is regulation-forward, arguing that without strategic governance across the board, changes have been unpredictable. While allowing voluntary approaches has produced improvements, “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the strategy states.
What’s to come?
Policy-wise, this is the strongest cyber regulation stance that the U.S. government has taken in more than a decade, and it will prove tricky to implement. The Republican House of Representatives is regulation-shy, and getting proper alignment from the House will prove challenging, particularly on topics such as holding tech companies liable and connecting compliance to federal funding.
So the question remains: Is Biden’s bold strategy too bold to work? Getting sign-off from policymakers (including the House) and coordinating constant transparency and communication between public and private sectors — all while leading with a new director — is far from simple.
But given the high stakes — cybercriminals are ever-evolving and shifting to weaponizing their attacks — governments must draw a heavy line in the sand and implement bold strategies. If all stakeholders can work to make this strategy successful, our country will be better off for it.
Bob Kolasky is SVP of critical infrastructure at Exiger.