On March 3, 2023, the White House released the National Cybersecurity Strategy. The White House described this as the blueprint for a long-term effort by the Biden administration in cooperation with Congress and the private sector to address cybersecurity issues, built around 5 pillars:

1. Defend Critical Infrastructure
2. Disrupt and Dismantle Threat Actors
3. Shape Market Forces to Drive Security and Resilience
4. Invest in a Resilient Future
5. Forge International Partnerships to Pursue Shared Goals

The National Cybersecurity Strategy also requires making systemic shifts in how the, “United States allocates roles, responsibilities, and resources in cyberspace.” The first shift is to rebalance the responsibility to defend cyberspace and the second is to realign incentives to favor long-term investments. For a general summary of the entire strategy, we recommend the fact sheet provided by the White House. We want to focus on four key takeaways from Thursday’s announcement, though.

• First, a lot of headline attention has been grabbed by elements of Pillar 3 which could significantly impact private sector actors, particularly shifting liability for cybersecurity to software companies and device manufacturers, and limiting those companies’ ability to shift cybersecurity risk via contract. But for changes like this to take effect and really push the private sector, legislative action is going to be necessary. That means bipartisan agreement will be necessary for any significant increase in corporate liability, and negotiating a potentially technically complex “safe harbor” for secure software development practices is going to be difficult for a Congress heading into a Presidential election cycle. Thus, while there is certainly significance to these developments, it will take time for legislation (and subsequent regulation) to bring about any real change on these points.
• Privacy remains a top priority for the Biden administration. In a document focused on cybersecurity strategy, in a pillar focused on market forces related to cybersecurity, the first priority listed is the need to pass federal privacy legislation which includes cybersecurity standards. But the focus is on privacy, and that will remain with both Congress and the FTC, particularly as their rulemaking navigates Congressional oversight from both parties. Congress wasn’t able to get this done under single-party rule, though, and the prospects of success in this Congress do not appear brighter than in recent years. Plus, even if legislation is passed, it will take years to sort out lawsuits and finalize regulations to implement an eventual law.
• The most directly impacts will probably be felt in already-regulated industries, particularly critical infrastructure. This is the prime focus of the first pillar of the strategy, and where agencies already have some regulatory authority over industries, there’s more room for the administration to move without Congressional action. Utilities, pipelines, transportation industries, and telecom providers, among others, may be the first to see new agency rulemakings that attempt to rely on existing authority.
• A great deal of the strategy focuses on things the Executive Branch can do without Congress, but those things also tend to be less impactful to the private sector. Changing priorities in federal infrastructure defense and investment may create business opportunities for private sector actors, but are less likely to create major challenges. One notable exception, however, is the potential for increased procurement scrutiny being placed on the cybersecurity practices of contractors and suppliers to the government.

Strategy documents like this one are by their nature high-level, and an immense amount of detail remains to be fleshed out via Executive Order, regulation, and legislation. That makes it difficult to anticipate where these efforts may go, so businesses will need to monitor and potentially engage in the process to ensure their interests are represented. Legislative activity presents opportunities for advocacy, both directly and through trade groups. And regulations are almost always subject to public comment and input before finalization, giving interested parties the opportunity to share their concerns and feedback with regulators.

Paul Hastings’ Privacy and Data Security group will be closely monitoring developments in this space, and as always are available to answer questions and assist clients in navigating this ever-shifting privacy and cybersecurity landscape.