The Biden administration's plans to introduce minimum cybersecurity requirements for organizations in critical infrastructure sectors could face challenges in a divided Congress.
That said, many other proposals in the president's broad new National Cybersecurity Strategy, announced March 2, could be relatively easy to implement, even though some of them might have to be done via executive fiat, several former government officials and security experts said.
Much Needed Updating
"President Biden's National Cybersecurity Strategy will drive a much-needed updating of the United States' cyber-social contract," a senior administration official tells Dark Reading. "That includes both immediate initiatives that build on the administration's executive actions to drive critical infrastructure cybersecurity, as well as an ambitious, long-term vision that will require legislative, regulatory, and technological innovations over the next several years."
The strategy represents a commitment by federal agencies to pursue those innovations and to collaborate with industry to meet objectives, the official says, and continues "our longtime, critical partnership with Congress in developing bipartisan cybersecurity policy."
The key focus areas of Biden's strategy for building US resilience in cyberspace are: critical infrastructure defense, disrupting threat actors, and using the government's purchasing clout and other mechanisms to drive better cybersecurity practices in the public and private sectors. The plan also proposes new federal investment in cybersecurity research and development, building a digital identity ecosystem, and focusing on foundational Internet technologies such as the Domain Name System and IPv6.
Individual components of the strategy include mandatory minimum cybersecurity requirements for critical infrastructure, a proposal to make software vendors liable for the security of their products and services, and scaling up existing public-private partnerships.
What's Next for the National Cybersecurity Strategy?
For the moment, at least, the strategy document does nothing to change things on the ground. Legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda, says Jordan Burris, senior vice president and head of public sector strategy at Socure.
"Specifically, we will see this play out in regulation for critical infrastructure sectors to set minimum requirements for cybersecurity," says Burris, former chief of staff at the White House Office of Management and Budget. Legislation will also play a role in ensuring that resources are available for some of the new requirements in the strategy for agencies and other stakeholders.
"Cybersecurity has always been viewed as a non-partisan issue in Washington, DC," Burris says. "However, it is critical that as the administration continues to roll out its plans, it works with both sides of the aisle to make progress."
This is going to be especially key when calling on Congress to invest in cybersecurity capabilities across agencies, he says. "Unfortunately, there are many proposals that administrations have advocated for that have obtained little to no traction in the halls of Congress."
Ideally, Biden's proposals should receive bipartisan applause and action, says Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House. "But I've been around long enough to understand the political atmosphere in Washington right now is just short of toxic," she says. "So, finding common ground on these critically important issues is going to be difficult."
Like Burris, Payton notes that for now, the new strategy provides a road map for the administration's cybersecurity priorities more than anything else. Essentially, the strategy acknowledges the federal government's significant role in cybersecurity while also demanding a whole lot more from the private sector.
The Biggest Congressional Sign-Off Challenges
Garnering support in Congress is going to be especially difficult when it comes to the regulatory component of Biden's strategy document, Payton says. While it is notable that the administration is willing to wade into an area that previous administrations have stayed away from, the regulatory question will be a tough sell on the Hill, given the pro-business, anti-regulation climate amongst the House majority. Even so, "I think in the aftermath of the SolarWinds breach and the Colonial Pipeline attack, it's an important and probably overdue dialogue that all public and private sector partners need to have," Payton says.
And the Biden administration's proposal to shift liability for software away from users to software vendors and publishers is almost certainly going to be another hard sell. There have been similar proposals in the past that have gone nowhere, and there's little to suggest the new plans will fare any differently.
One initial stumbling block is that software is still not a tangible product under the Uniform Commercial Code (UCC) in the US, explains John Pescatore, a former National Security Agency (NSA) analyst and current director of emerging security trends at the SANS Institute. Before discussions around legislative support for the liability-shifting proposal in Biden's new strategy can even begin, that issue needs resolution, Pescatore tells Dark Reading.
"The UCC says software is not a tangible good and without that you cannot assign liability," he says. The lobbying power that tech giants have in Washington is only going to exacerbate the challenge, he notes.
Even so, the White House can take unilateral action in many cases, according to Payton. "Nearly all areas of the strategy can be actionable whether implemented as an executive order or as a law passed by Congress," Payton adds. "Given the divided nature of Congress, I would expect to see a series of executive orders coming from the White House in the weeks and months ahead."
There Are Some Actionable Strategy Components
While the biggest pieces of the plan remain unactionable for now, not all of the proposals in Biden's strategy are dependent on legislation and regulatory action. Perhaps the most important among this group, according to security experts, is the plan to use the federal government's purchasing power to get software vendors and others doing business with the government to follow cybersecurity best practices.
A May 2021 Biden executive order already requires federal contractors to provide a software bill of materials (SBOM) and other artifacts of secure software development practices to their federal agency customers. Last week's strategy seeks to scale up and build on those kinds of efforts, and doing so will require no legislative support. The strategy document's proposals to bolster public-private information sharing and to dismantle threat actor infrastructure are two other areas that do not depend on Congress.
Indeed, Burris believes the administration can also move things forward on that front by getting Sector Risk Management Agencies (SRMAs) to coordinate better with entities such as information sharing and analysis centers (ISACs), the US Cybersecurity and Infrastructure Security Agency (CISA), and bodies such as the Joint Cyber Defense Collaborative.
"Some of the strategy can be enacted by the executive branch under the direction of the White House," says Curtis Franklin, an analyst with Omdia. "These pieces are quite likely to be actionable and, once in place, binding and long-lasting." As examples, he points to proposals in the new strategy to integrate federal cybersecurity centers, to update the federal incident response plan and processes, and to integrate federal disruption activities.
"There's a lot in the document that is an extension of existing strategic items and those will have the easiest time moving forward," Franklin says. Nonetheless, he agrees that it's important to be realistic: "The pieces that would require legal or regulatory action are much more challenging, and some will never happen."