The White House has certainly been true to its word on pushing forward on cyber. In July 2023, following the release of the Biden Administration’s (“the Administration”) National Cybersecurity Strategy (the “Strategy”), the Administration announced its Implementation Plan, detailing initiatives to execute the Strategy. Following that, the White House Office of the National Cyber Director (“ONCD”) announced a request for information (“RFI”) on cybersecurity regulatory harmonization by September 15, and the Administration also unveiled its National Cyber Workforce and Education Strategy. The Cybersecurity Infrastructure Security Agency (“CISA”) recently published its detailed Cybersecurity Strategic Plan for the fiscal years 2024 to 2026, which is intended to align with the National Cybersecurity Strategy. The CISA Plan outlines goals, including that technology products are secure by design and default.

As we wrote in Part 1 of this Debevoise Data Blog series, the Strategy is organized into five pillars, each with its own strategic objectives. In Part 2, we discuss pillars 2 and 5, which address the government’s efforts to disrupt and dismantle cyber threats and forge international partnerships around cybersecurity. In Part 3, we will cover the Implementation Plan.

With numerous cyber extortion developments and systemic supply chain vulnerabilities reported in recent months, there is hope that the Administration’s Strategy will succeed in integrating response efforts across government and private industry.

Subject to ongoing initiatives arising out of the Implementation Plan, the most significant takeaways from pillars 2 and 5 of the Strategy include the following:

  • New Ransomware Response Framework: The Administration is seeking to discourage ransomware payments. That’s not new. But as part of that effort, and in order to learn more about threat groups, the federal government encourages consultation and information sharing. In parallel, the Administration may sanction additional threat groups, narrowing the pool of threat groups to which a ransom could be paid lawfully.
  • Private Sector Actors’ National Security Responsibilities: The Strategy calls for private sector actors to take a more active role in preventing foreign-based ransomware and other cyberattacks on domestic government, infrastructure, businesses, and individuals. Recognizing that foreign-based actors often use U.S.-based infrastructure to launch cyberattacks, but that much of this infrastructure is privately owned and operated, the Strategy calls for coordination and information sharing between public and private actors.
  • Global Supply Chain Regulation: The Administration reaffirms its view that the manufacturing of critical and sensitive technology should be performed in the United States through a domestically-produced, secure supply chain while encouraging international partners to enact robust supply chain regulation to ensure security and resilience abroad. The Administration believes that such an approach may help level the playing field among supply chain participants.

Key Strategic Objectives from Pillars 2 and 5

We turn now to a discussion of the critical aspects of pillars 2 and 5.

Pillar 2: Disrupt and Dismantle Threat Actors

Pillar 2 builds upon the U.S. Government’s dismantling of the Hive ransomware group and advocates for a “more sustained and effective disruption of adversaries.” In it, the Administration outlines its vision for continuing the work to eliminate ransomware attacks by leveraging multiple government agencies’ capabilities to render such attacks unprofitable and unviable, especially by urging ransom victims not to pay demands.

Integrate Federal Disruption Activities

As part of the Department of Defense’s “defending forward” operations, the Strategy advocates for uniting operations through the National Cyber Investigative Joint Task Force (“NCIJTF”), which could entail OFAC’s designation of additional threat groups as sanctioned entities. While this approach is consistent with targeting malicious and state actors to render their operations ineffective, it also serves as a reminder that organizations should pay careful attention to current sanctions lists in advance of making any payment given the risk of a strict liability violation.

Prevent Abuse of U.S.-Based Infrastructure

Recognizing that attackers sometimes exploit U.S.-based cloud and other Internet infrastructure providers as part of their attacks, the Strategy seeks to work with these providers to identify malicious use, share reports with the government, make reporting easier, and deny attackers’ access to infrastructure. This approach is consistent with the Administration’s passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). To do so, the Strategy urges all service providers to secure their infrastructure against abuse or other criminal behavior.

Specifically, the Strategy targets Infrastructure-as-a-Service (“IaaS”) providers as imperative to achieving these goals. IaaS providers should focus on the Executive Order on Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (“EO 13984”), which requires: (1) identity verification for certain foreign persons who obtain accounts with these service providers; (2) conditions on accounts within certain foreign jurisdictions; and (3) increased public-private information sharing and collaboration among private entities. While not final, a forthcoming Department of Commerce rule seeks to provide IaaS providers with the tools necessary to implement EO 13984. That rule will presumptively allow these actors to act consistently with respect to both the Strategy and any accompanying regulations.

Pillar 5: Forge International Partnerships to Pursue Shared Goals

In pillar 5, the Administration is focused on building international coalitions to work towards a future Internet that is “open, free, global, interoperable, reliable, and secure.” The Strategy advocates for the expansion of existing cooperation agreements, the establishment of more robust cybercrime prosecution networks, and capacity building to fight cybercrime among U.S. partners. Additionally, it advocates for the manufacturing and development of sensitive infrastructure and technology within the United States.

Build Coalitions to Counter Threats to Our Digital Ecosystem

Most malicious cyber activity targeting the United States is carried out by actors based abroad or using foreign computing infrastructure. The Strategy outlines current and prospective worldwide partnerships to advance common cybersecurity interests through promoting information sharing, comparing expertise, driving secure-by-design principles, and coordinating incident response activities. The Administration also pledges to develop international legal frameworks to hold malicious actors accountable. We have come a long way in the past decade with robust cooperation between law enforcement agencies around the globe. Some of the global takedowns are evidence of this. The Strategy seeks to pave the way for the next steps forward.

Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services

The Strategy articulates the Administration’s goal of securing the global supply chain by reducing dependence on foreign suppliers. While recognizing the need to act with foreign partners, the Administration identifies issues of trustworthiness, security, and reliability in certain parts of the global supply chain. The Strategy advocates for onshore development of information, communications, and operational technology products and services, building on the Trump Administration’s National Strategy to Secure 5G. As part of this effort, the Strategy emphasizes implementation of Executive Orders that reinforce defenses against information-based national security risks. Gaining familiarity with the Executive Orders on Securing the Information and Communication Technology and Services Supply Chain and Protecting Americans’ Sensitive Data from Foreign Adversaries will be essential for private sector actors partnering with the Administration to achieve increased security.

Key Takeaways

  1. Expansion of Sanctions to More Threat Groups Could Change Ransom Negotiations and Expose Victims to Heightened Risk of Strict Liability. The Administration seeks to expand the number of threat groups to whom making a payment would be rendered unlawful based on applicable sanctions laws. In light of this, companies should consider technical solutions, including more robust backups and data controls to help mitigate the need to pay a ransom in the case of a cyber event. And should companies find themselves the victims of ransomware or data extortion, they should enter into negotiations aware of these risks and modify their approach accordingly. However, companies and trade groups should also consider their position on this aspect of the Strategy and engagement with the Administration. While centralizing reporting requirements for ransomware payments may benefit the broader cybersecurity ecosystem, foreclosing an avenue for companies to navigate cyberattacks could make their impact more acute and may place companies in even more difficult positions. As the Strategy moves from policy proposals to implementation, the Administration should reassess its stance on this key objective, considering the reality of ransomware negotiations.
  2. IaaS Providers Must Defend American Cyberspace. As discussed in Part 1 of this Debevoise Data Blog series, companies in the critical infrastructure space can expect to face increased regulation and compliance requirements for policing access to their technology. While considerations around privacy arise from tracking the identity and location of users accessing the technology of critical infrastructure companies, national security priorities may prevail. Companies in the critical infrastructure space should prepare their diligence and compliance program accordingly, to ensure that they are ready to protect their systems sufficiently.
  3. Supply Chain Participants May See a Geographic Shift. The Administration’s efforts may successfully incentivize companies towards domestic production of certain sensitive technology or other critical products. Companies with operations within or outside of the United States should consider how the implementation of the Administration’s plan may impact their business and familiarize themselves with the above-mentioned Executive Orders.
  4. Future Revisions May Clarify Private and Public Responsibilities. As is typical for sweeping governmental strategies implicating numerous agencies, clarifications and increased requirements could arise as the Administration implements the Strategy. Now that the Administration has issued its implementation plan, companies should closely monitor new requirements on their cybersecurity and data protection operations.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.

Noah L. Schwartz is an associate in the Litigation Department and a member of the Data Strategy & Security practice group. His practice focuses on incident response, crisis management and regulatory counselling. He can be reached at nlschwartz@debevoise.com.

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Jarrett Lewis is an associate and a member of the Data Strategy and Security Group. He can be reached at jxlewis@debevoise.com.

Jacob Hochberger is a law clerk in the Debevoise New York office.