The new normal: Biden-Harris administration unveils the National Cybersecurity Strategy

The increasing complexity of cyber attack methods and techniques used against not only private companies but also critical infrastructure and government institutions is calling for more sophisticated ways to address these challenges. On March 2, 2023, the Biden-Harris Administration released its new National Cybersecurity Strategy that illustrates the vision of the current government for strengthening national cybersecurity efforts. This strategy aims to ensure that Americans can reap the benefits of a secure digital ecosystem that upholds fundamental values, including economic security, respect for human rights and fundamental freedoms, and trust in democracy. 

To achieve this vision, the US will shift the roles, responsibilities, and resources in cyberspace to reduce risks for all. This means reallocating the responsibility for cybersecurity away from individuals, small businesses, and local governments and onto organizations that are better equipped to handle it. Additionally, the strategy emphasizes long-term investments that prioritize resilience while balancing the need to address immediate threats and protect national security, public safety, and economic prosperity. 

In this blog post, we’ll take a closer look at the key points of the new US cyber strategy and what it means for American and multinational companies and citizens.

In the context of the continually evolving threat landscape, with state and non-state actors developing and executing novel campaigns to threaten national interests, the US is calling for a more coordinated, intentional, and well-resourced approach to cyber defense. By leveraging next-gen technologies that are reaching maturity at an accelerating pace global governments can collaboratively create new pathways for innovation while increasing digital interdependencies.

The strategy outlines a path to address the emerging threats and secure the promise of America’s digital future. Its implementation will safeguard national investments in rebuilding the country’s infrastructure, developing the clean energy sector, and reshoring America’s tech and manufacturing base. Working with its allies and partners, the United States aims to make its digital ecosystem:

• Defensible, with simpler, cheaper, and more effective protection mechanisms;
• Resilient, by minimizing the reach and lasting impact of cyber incidents and mistakes;
• Aligned, shaping the digital ecosystem on the most cherished and fundamental values of the United States.

The motion towards securing the US cyberspace and digital ecosystem has already begun with the following actions by the Administration:

• Executive Order 14 028 (Improving the Nation’s Cybersecurity);
• National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems);
• M-22-09 (Federal Zero Trust Strategy that is rapidly progressing);
• National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems).

In order to fulfill the ambitious vision for a safer and more resilient cyberspace, the Strategy sets forth a holistic approach across five key pillars.

Defend critical infrastructure by:

• Extending the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety, and simplifying regulations to reduce compliance burdens;
• Fostering public-private collaboration at a rapid pace and scale to defend critical infrastructure and essential services;
• Modernizing and safeguarding Federal networks and enhancing Federal incident response policy.

Disrupt and dismantle threat actors by:

• Strategically employing all national power tools to disrupt adversaries;
• Involving the private sector in disruption activities via scalable mechanisms;
• Addressing the ransomware threat comprehensively through a Federal approach in coordination with international partners.

Facilitate security and resilience by:

• Promoting privacy and personal data security;
• Transferring liability for software products and services to encourage secure development practices;
• Ensuring that Federal grant programs support investments in new infrastructure that is secure and resilient.

Invest in a resilient future by:

• Minimizing systemic technical vulnerabilities in the foundation of the Internet and throughout the digital ecosystem while making it more resilient against transnational digital repression;
• Supporting cybersecurity research and development for promising technologies like post-quantum encryption, digital identity solutions, and clean energy infrastructure; 
• Building a strong and diverse cybersecurity workforce at the national level.

Forge international partnerships to pursue shared goals by:

• Leveraging international coalitions and partnerships among like-minded nations to counter threats to the US digital ecosystem through joint preparedness, response, and cost imposition;
• Enhancing partner capacity to defend themselves against cyber threats, both in peacetime and in crisis;
• Collaborating with allies and partners to create secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.

For what concerns ransomware, the White House’s strategy prioritizes disrupting the digital infrastructure of adversaries that pose a threat to US cyber interests, following the examples of the Emotet botnet takedown in 2021 and the Hive ransomware group takedown in 2023. In the future, the Administration seeks “to increase the volume and speed of these integrated disruption campaigns, and develop technological and organizational platforms that enable continuous coordinated operations”. For this purpose, the National Cyber Investigative Joint Task Force (NCIJTF) will expand its capacity to coordinate cyber threat investigations across the Department of Defense, and the intelligence community, to improve the speed, scale, and frequency of the disruption campaigns. 

The government also plans to work with cloud and other Internet infrastructure providers to quickly identify malicious activity, report the abuse of these systems, and establish bidirectional information sharing, which will help to disrupt adversaries in a more agile manner. To achieve this, the Administration will implement Executive Order (EO) 13 984, first introduced by the Trump administration in 2021, requiring cloud providers to verify the identity of foreign entities using their services.

The Strategy claims that the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks, ” and is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

To limit China’s technological capabilities, the US government has launched numerous initiatives, including the CHIPS Act which allocated over $50 billion to expand US-based semiconductor production and research, as well as the National Artificial Intelligence Initiative and the National Strategy to Secure 5G. As the largest producer of electronic devices with embedded computer chips, China also manufactures numerous low-cost IoT devices that do not follow the secure by design principle. In the Strategy, the Biden Administration emphasized its commitment to developing a labeling system for various IoT products to help consumers determine their security level. However, it remains unclear how this labeling will apply to foreign-made products.

The new cybersecurity course defined by the Biden-Harris Administration will inevitably have strong implications for US businesses, especially when it comes to public-private collaboration and promoting privacy and data security. Companies are already starting to show a strong commitment to the values and vision put forward by the US Government, supporting the move towards zero trust adoption and implementing tools to build resilience in the face of evolving regulatory challenges and emerging threats.