The White House issued a strategy document this week signaling its intent to pursue an aggressive expansion of compulsory federal regulatory requirements regarding cybersecurity, applicable to a vast swath of the American economy, in particular critical infrastructure companies and technology providers. The plan couches this regulatory campaign within the context of a new policy approach, moving from one of voluntary incentives for private sector entities to meet certain cyber norms, to an assertive view that private companies’ security choices are a matter of essential public interest and, therefore, compulsion. Fundamentally, the Biden White House (the Administration) believes that:
- Roles and responsibilities must be “rebalanced” to ensure that key private sector entities (and there will be many within the rubric) meet federally mandated cybersecurity norms; and
- “Incentives” must be created to ensure companies invest in security capabilities that the Administration believes are essential.
While much work in Washington will be required to realize this expansive new vision of regulatory control over private cybersecurity decision-making, companies should anticipate the need to update governance controls and prepare to assess and adjust their cybersecurity posture in anticipation of the ensuing regulatory growth. The strategy is filled with a range of important topics, but we focus below on the key themes that will fundamentally alter relations between the government and private companies in the years to come if this vision is realized: the new focus on tech firms and the significant expansion of the current regulatory ambit.
A New Focus on Technology Providers. While the government has long been focused on owners and operators of critical infrastructure, the novelty of the strategy is its expansion of regulatory authority to include the technology service providers on which critical infrastructure relies. In particular, the strategy includes a call to “identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services,” and for the government to “deepen operational and strategic collaboration with software, hardware, and managed service providers with the capability to reshape the cyber landscape.” With a particular emphasis on software, the document calls for liability-shifting federal legislation that would “establish higher standards of care for software in specific high-risk scenarios,” paired with an “adaptable safe harbor framework” to protect companies that take steps to secure their software products and services. Such efforts are likely, in many respects, to require new authorities and some time, but the breadth of the vision portends a sea change in the regulatory expectations for the technology sector writ large.
Significant Expansion of the Current Regulatory Trajectory. In addition to the new focus on tech companies, the strategy also accelerates and expands on the already growing federal regulatory impulse. The new strategy comes in the wake of myriad regulatory initiatives concerning cybersecurity in the past few years, and can be contextualized by the recent remarks of Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, emphasizing the role of what she characterized as “unsafe technology products” developed by private companies in the expanding cyber threat landscape. The Administration has, therefore, accelerated its previously gradual march towards compelled security implementations and intends to put its full weight behind the measures necessary to achieve its ends. Within the context of recent trendlines, however, these developments are not altogether shocking.
- As discussed in a prior post, the Securities and Exchange Commission published a proposed rule in March 2022 (expected to be finalized soon) that would require public companies to report material cybersecurity incidents and describe a range of cyber risk management and governance practices;
- The federal government is also reviewing procurements for potential misrepresentations about cyber capabilities through the Justice Department’s Civil Cyber-Fraud Initiative, which pursues civil actions against government grantees and contractors who do not follow cybersecurity obligations;
- Other recent regulatory initiatives have already focused on critical infrastructure. In the wake of the 2021 shutdown of one of the nation’s largest oil pipelines by a Russian ransomware group, the Transportation Security Administration issued cybersecurity requirements for pipeline owners and operators and certain other sectors. The Environmental Protection Agency recently issued guidance on reporting cyberattacks for the water sector and is expected to issue additional requirements later this week. And in March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act that directs DHS to promulgate regulations requiring critical infrastructure companies to report breach incidents; and,
- The Administration has recently given the U.S. Department of Commerce the green light to revive the rulemaking process for a new host of know-your-customer requirements applicable to cloud providers.
Corporate Preparation is Key. While it will take some time for the Administration to gain the authorities necessary to realize the full potential of its vision, there is a growing consensus amongst Washington policymakers (justified or not) that more direct and aggressive federal action is desirable. Some variations of these themes could likely make their way into law, and companies would do well now to perform foundational reviews to prepare for those eventualities. Technology companies and owners and operators of critical infrastructure may wish to consider steps they can take now to prepare for the likelihood of additional regulatory scrutiny:
- Assess risks and potential vulnerabilities, including by performing cybersecurity assessments and developing roadmaps for upgrading capabilities;
- Enhance governance and oversight of major cybersecurity risks with clear policies, procedures, and assigned roles and responsibilities;
- Evaluate and audit relationships with critical third-party service providers and ensure the existence and implementation of clear frameworks for onboarding and ongoing analysis of such providers;
- Review procedures for information sharing and incident disclosure; and,
- Review the ability of compliance and enterprise risk management systems to integrate cybersecurity controls and to be responsive to government reporting and engagement.