U.S. National Cybersecurity Strategy reignites conversation around liability for failure
The White House has published its long-awaited National Cybersecurity Strategy, which creates five key collaborative pillars for effective cybersecurity in the U.S.
Who should be held responsible when cybersecurity fails? It’s a hotly debated topic and one that the U.S. government looks keen to join, with the publication of the U.S. National Cybersecurity Strategy.
The long-awaited strategy has finally been presented to the masses, with mixed reviews thus far. What is unarguable, however, is that a strategy for cybersecurity is much needed following a year in which cyberattacks increased by 300%.
What does the National Cybersecurity Strategy say?
Ultimately, the new National Cybersecurity Strategy – which replaces the 2018 National Cyber Strategy – looks to “make fundamental shifts in how the United States allocates roles, responsibilities and resources in cyberspace”. It is a wide-reaching reconsideration of how the U.S. tackles cybersecurity across all levels, with an overarching goal:
“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
In particular, the strategy has two stalwart objectives. Firstly, it aims to “rebalance the responsibility to defend cyberspace”. This will be achieved by ensuring that the organizations who are “most capable and best-positioned to reduce risk” take on the burden in the place of “individuals, small businesses, and local governments”.
Secondly, the strategy hopes to “realign incentives to favor long-term investments” by focusing as much on strategic planning and future-proofing resilience as on imminent threats.
In pursuit of these goals, the National Cybersecurity Strategy has 5 key pillars.
The 5 pillars of the National Cybersecurity Strategy
1. To defend critical infrastructure
The strategy plans to bolster confidence by expanding the minimum cybersecurity requirements of certain critical sectors, as well as introducing new, modernized defenses for Federal networks, and enabling better collaboration between public and private entities to enable a faster pace of response.
2. To disrupt and dismantle threat actors
The White House plans to use “all tools of national power” to disrupt cyber-criminals, as well as engaging the private sector in disruption activities and reinvigorating the approach to ransomware at a Federal level.
3. To shape market forces to drive security and resilience
The strategy will shift the burden of cybersecurity liability to promote secure development practices, and ensure that the Federal grant program invests in new, secure, and resilient infrastructure.
4. To invest in a resilient future
The U.S. government will make strategic investments to “lead the world in the innovation of secure and resilient next-generation technologies”, with a goal to reduce vulnerabilities within the internet and across the digital ecosystem more broadly. This will include building out a national cyber workforce.
5. To forge international partnerships to pursue shared goals
Under the new strategy, the U.S. government will focus on international coalitions and partnerships and work with allies and partners to develop a secure, reliable, and trustworthy global supply chain for information and communications technology.
Languishing over liability
Of the 5 key pillars, the proposal to shift liability for cybersecurity failures away from individuals and small businesses to organizations that are “most capable” at reducing risks has received the most attention. Speaking at a press conference shortly after the publication of the National Cybersecurity Strategy, Acting National Cyber Director Kemba Walden said:
“Today, across the public and private sectors, we tend to devolve responsibility for cyber risks downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.
The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.”
Responsibility and liability for cybersecurity failures have long been a topic for debate, and the White House is making its position clear within the new Cybersecurity Strategy. Assigning responsibility is always challenging, especially when the ultimate goal is constantly shifting and success is far from guaranteed. Indeed, the new strategy addresses this challenge, noting that any changes in liability will be implemented “while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities”.
While some view the idea of “rebalancing” as a bold step from the Biden-Harris Administration, it must be acknowledged that most of the new strategy’s plans will have to pass through a currently divided Congress before being approved or implemented. This has not gone unnoticed in the industry: some have commented that the changes are not so much “bold” as they are an engagement in a wider discourse around liability and responsibility more generally, with little certainty that such changes will actually be implemented. Others have noted that similar liability-driven proposals have been debated in the past, to little avail.
As ever, the notion of increased responsibility also brings to the fore questions around innovation and growth. It has often been said that regulation is the killer of innovation. The same could potentially be true of the U.S. government’s move to shift liability. As the strategy notes:
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”
The White House will need to tread carefully to ensure that any increased burden is not so stifling as to deter organizations from becoming those that are “most capable” or “best positioned” to reduce risks. For now, these parameters lack clarity, and it remains to be seen which institutions the strategy will shift responsibility to, or what that might entail.