In March 2023, the Biden administration released a new National Cybersecurity Strategy, which makes it clear that the time for private companies voluntarily opting into cybersecurity has long passed. Instead, the new strategy promises to support new regulatory frameworks that will shift liability and create incentives for private firms to defend against critical vulnerabilities. This article discusses three concrete things business leaders should know about the new strategy. First, every company will need to identify their distinct vulnerabilities and risks. Second, companies will then need to adopt measures that address those vulnerabilities. Third, the strategy categorically states that it will push for legislation to hold these firms liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
On March 2, 2023, the Biden administration released its long-awaited National Cybersecurity Strategy. In light of cyberattacks targeting American infrastructure, business, and governmental agencies, the document elevates cybersecurity as a critical component of the United States’ economic prosperity and national security. It also intimates a fundamental dilemma, which is that the private sector — with key stakeholders consisting of software firms, small- and medium-sized businesses, broadband providers, and utility companies — holds the key to the public good of cybersecurity:
Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience.
Voluntary progress toward better cyber hygiene on the part of the private sector is no longer enough. Instead, the new strategy promises to support new regulatory frameworks that will shift liability and create incentives for private firms to defend against critical vulnerabilities.
Why a Public Sector Document Is Fixated on the Private Sector
The private sector has attracted the attention of a cyber-wary public sector because of a slew of high-profile cyber incidents in the last few years. In 2017, customer credit bureau Equifax experienced a hack that compromised the personal information of more than 143 million Americans, leading to a $425 million settlement with the Federal Trade Commission. Malicious actors have increasingly employed ransomware against American businesses, demanding large sums of money for the safe exchange of sensitive data.
Ransomware continues to be a popular tactic amongst hackers precisely because these campaigns have often been successful in generating lucrative payouts. According to Comparitech’s analyses of ransomware incidents throughout the U.S., ransomware attacks on American businesses cost $20.9 billion from 2018–2023, with an average ransom demand of $4.15 million dollars for affected businesses in 2022. For example, Colonial Pipeline, which transports 100 million gallons of fuel per day, or 45% of all fuel used on the East Coast, suffered a devastating ransomware breach in 2021, the largest publicly disclosed attack on critical U.S. oil infrastructure in history. The perpetrator, DarkSide, stole 100 gigabytes of data within two hours, which it threatened to release unless the company paid 75 bitcoins to the group, worth approximately $5 million dollars at the time, which Colonial Pipeline paid within a few hours, blackmailed into action by the disruptiveness of the attack.
No part of the economy is immune. As a 2021 survey by the Center for Strategic & International Studies indicated, 42% of small- and medium-sized businesses experienced a cyberattack in the last year and estimates suggest that 40% of 2021 cyberattacks concentrated on small and medium-sized businesses, with attacks on these businesses growing 150% over the last two years. The potential data and revenue extractability might be lower when compared to that of large businesses like Microsoft, but small- and medium-sized firms also have fewer resources to devote to robust cybersecurity. In some cases, these companies simply don’t have any dedicated resources for cybersecurity.
Three Things Companies Need to Know About the National Cybersecurity Strategy
While the 39-page document features bureaucratic buzzwords like “harmonize”, “stakeholders,” and “multilateral,” we’ve identified three concrete things business leaders should know about the new strategy.
First, every company needs to identify their distinct vulnerabilities and risks. The Biden administration’s strategy makes it clear that the time for companies voluntarily opting into cybersecurity has long passed. Instead, they need to take proactive measures to test and understand their threat landscape. Companies should conduct formal vulnerability scans and penetration tests that identify potential access points. Where possible, companies should hire “ethical hackers,” otherwise known as “red teams,” that simulate sophisticated cyberattacks and reveal whether and how adversaries could access sensitive data or disrupt networks. Firms must also thoroughly vet third-party vendors and software suppliers to minimize the risk of attacks through the supply chain.
Second, companies then need to adopt measures that address those supply chain vulnerabilities. As part of this step, they should take advantage of the strategy’s promise for public-private collaboration in the form of information-sharing, as well as practical guidance and support on how to navigate the cyber threat environment. More generally, they need to then take preventative measures, including patching known exploits, providing regular security training for employees, and incorporating anomaly-detection tools, while ensuring that they have response plans that can minimize the scale and harm of successful hacks.
Third, companies need to recognize that one size will not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger business, critical infrastructure, and software providers.
The strategy categorically states that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes” and that it will push for legislation to hold these firms “liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.” These firms may in turn seek to shape legislation and liability, but the strategy makes it clear that more of the onus in terms of finding and fixing vulnerabilities will fall on the larger businesses where stakes are higher and resources are more abundant. Small businesses are not in the crosshairs (yet), but are also not off the hook. They should also seek out opportunities for collaboration, such as the National Institutes of Standards and Technology’s recently launched initiative to foster communication across small businesses.
When it comes to the concrete implications of the Biden administration’s new National Cybersecurity Strategy for American industry, the devil will be in the details. The document includes core pillars and noble goals that we would expect, given that cyberspace is arguably now the backbone of the U.S. national economy. The trick will be doing this in ways that are mindful of the realistic challenges of identifying and patching all vulnerabilities, and the risks that inadequate care will affect not just individuals, but the entire global economy.
