Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges
The strategy document does nothing to change things on the ground in the near term; legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda.
The Biden administration's plans to introduce minimum cybersecurity requirements for organizations in critical infrastructure sectors could face challenges in a divided Congress.
That said, many other proposals in the president's broad new National Cybersecurity Strategy, announced March 2, could be relatively easier to implement, even though some of them might have to be via executive fiat, several former government officials and security experts said.
"President Biden's National Cybersecurity Strategy will drive a much-needed updating of the United States' cyber-social contract," a senior administration official tells Dark Reading. "That includes both immediate initiatives that build on the administration's executive actions to drive critical infrastructure cybersecurity, as well as an ambitious, long-term vision that will require legislative, regulatory, and technological innovations over the next several years."
The strategy represents a commitment by federal agencies to pursue those innovations and to collaborate with industry to meet objectives, the official says, and "continues our longtime, critical partnership with Congress in developing bipartisan cybersecurity policy."
The key focus areas for Biden's strategy for building US resilience in cyberspace are: critical infrastructure defense, disrupting threat actors, and using the government's purchasing clout and other mechanisms to influence better cybersecurity practices in the public and private sectors. The plan also proposes new federal investment in cybersecurity research and development, building a digital identity ecosystem, and focusing on foundational Internet technologies such as the Domain Name System and IPv6.
Individual components of the strategy include mandatory minimum cybersecurity requirements for critical infrastructure, a proposal to make software vendors liable for the security of their products and services, and scaling existing public-private partnerships.
"For the moment, at least, the strategy document does nothing to change things on the ground. Legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda," says Jordan Burris, senior vice president and head of public sector strategy at Socure.
"Specifically, we will see this play out in regulation for critical infrastructure sectors to set minimum requirements for cybersecurity," says Burris, former chief of staff at the White House Office of Management and Budget. "Legislation will also play a role in ensuring that resources are available for some of the new requirements in the strategy for agencies and other stakeholders."
"Cybersecurity has always been viewed as a non-partisan issue in Washington, DC," Burris says. "However, it is critical that as the administration continues to roll out its plans, it works with both sides of the aisle to make progress."
"This is going to be especially key when calling on Congress to invest in cybersecurity capabilities across agencies," he says. "Unfortunately, there are many proposals that administrations have advocated for that have obtained little to no traction in the halls of Congress."
Ideally, Biden's plans should receive bipartisan applause and action, says Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House. "But I've been around long enough to understand the political atmosphere in Washington right now is just short of toxic," she says. "So, finding common ground on these critically important issues is going to be difficult," she adds.
Like Burris, Payton notes that for now, the new strategy provides a road map for the administration's cybersecurity priorities more than anything else. Essentially, the strategy acknowledges the federal government's significant role in cybersecurity while also demanding a whole lot more from the private sector.
Garnering support in Congress is going to be especially difficult when it comes to the regulatory component in Biden's strategy document, Payton says. "While it is notable the administration is willing to wade into an area that other administrations have stayed away from, the regulatory question will be a tough sell on the Hill, given the pro-business/anti-regulation climate amongst the House majority. Even so, I think in the aftermath of the SolarWinds breach and the Colonial Pipeline attack, it's an important and probably overdue dialogue that all public and private sector partners need to have," Payton says.
And the Biden administration's proposal to shift liability for software away from users to software vendors and publishers is almost certainly going to be another hard sell. There have been similar proposals in the past that have gone nowhere, and there's little to suggest the new plans will fare any differently.
One initial stumbling block is that software is still not a tangible product under the Uniform Commercial Code (UCC) in the US, explains John Pescatore, a former National Security Agency (NSA) analyst and current director of emerging security trends at the SANS Institute. Before discussions around legislative support for the liability-shifting proposal in Biden's new strategy can even begin, that issue needs resolution, Pescatore tells Dark Reading.
"The UCC says software is not a tangible good, and without that you cannot assign liability," he says. The lobbying power that tech giants have in Washington is only going to exacerbate the challenge, he notes.
Even so, the White House can also take unilateral action in many cases, according to Payton. "Nearly all areas of the strategy can be actionable whether implemented as an executive order or as a law passed by Congress," Payton adds. "Given the divided nature of Congress, I would expect to see a series of executive orders coming from the White House in the weeks and months ahead."
While the biggest pieces of the plan remain unactionable for now, not all of the proposals in Biden's strategy are dependent on legislation and regulatory action. Perhaps the most important among this group, according to security experts, is the plan to use the federal government's purchasing power to get software vendors and others doing business with the government to follow cybersecurity best practices.
A Biden May 2021 executive order already requires all federal contractors to provide a software bill of materials (SBOM) and other artifacts of secure software development practices to their federal agency customers. Last week's strategy seeks to scale up and build on those kinds of efforts, and doing so will require no legislative support. The strategy document's proposals to bolster public-private information sharing and to dismantle threat actor infrastructure are two other areas that are also not dependent on Congress to move on.
And indeed, Burris perceives that the administration can also move things forward on that front by getting Sector Risk Management Agencies (SRMAs) to better coordinate with entities such as information sharing and analysis centers (ISACs), the US Cybersecurity and Infrastructure Security Agency (CISA), and bodies such as the Joint Cyber Defense Collaborative.
Some of the strategy can be enacted by the executive branch under the direction of the White House, says Curtis Franklin, an analyst with Omdia. "These pieces are quite likely to be actionable and, once in place, binding and long-lasting." As examples, he points to proposals in the new strategy to integrate federal cybersecurity centers, to update the federal incident response plan and processes, and to integrate federal disruption activities.
"There's a lot in the document that is an extension of existing strategic items, and those will have the easiest time moving forward," Franklin says. Nonetheless, he agrees that it's important to be realistic: "The pieces that would require legal or regulatory action are much more challenging, and some will never happen."