Background

Cyber attacks during the Biden-Harris administration pushed cybersecurity to the forefront of domestic policy. In 2021, Colonial Pipeline, a large oil pipeline that transports almost half of all fuel used on the East Coast, suffered a ransomware incident from the hacking group Darkside. After stealing 100 gigabytes of data and threatening to release it, Darkside extorted 75 bitcoins (valued around $5 billion) from Colonial Pipeline. Even up until 2023, the China-sponsored hacking group Volt Typhoon has secretly targeted U.S. critical infrastructure sectors. Strong cybersecurity has become vital, and Biden’s National Cybersecurity Strategy reflects the administration’s attempt to combat increased cyber threats. 

Summary of the Strategy

Biden’s National Cybersecurity Strategy consist of five pillars: 

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals. 

Pillar One is focused on defending U.S. critical infrastructure by increasing the number of cybersecurity regulations in critical sectors, enhancing the sharing of threat intelligence and other cybersecurity information between the public and private sector, and modernizing federal networks. Pillar Two reflects the administration’s goal to disrupt cyber adversaries capabilities and address the numerous ransomware threats the U.S. has faced. Pillar Three, one of the key goals behind the strategy, aims to shift liability for software vulnerabilities to companies by holding them responsible for security flaws and breaches of their consumers’ data. Pillar Three also calls for the possible implementation of a federal cyber insurance backstop, in order to stabilize the market in the case of a cyber incident. 

Pillar Four plans to grow and strengthen the U.S. cybersecurity workforce by expanding the number of opportunities and apprenticeships available to prospective workers. It also focuses on investing in research and development in cybersecurity and on protecting the cloud-based technologies that companies are becoming increasingly reliant on. Pillar Five intends to strengthen partnerships with U.S. allies to deter cyber threats as well as secure global supply chains. 

Arguments in Favor of and in Opposition to the Strategy

Biden’s National Cybersecurity Strategy has sparked a discussion between those in favor and in opposition to the strategy, and about what effective cybersecurity and cyber defense should look like. Proponents of the strategy claim that it increases company responsibility, which is necessary. The unregulated cyber market that has existed thus far has led to the development of numerous products that are not sufficiently prepared for cyber attacks. Because the strategy included that software companies can be held liable, this strategy will push them to put in more effort to protect their data. This will, in turn, reduce the risk of cybersecurity incidents. Opponents of the strategy, however, point to aspects of the policy like the possible cyber insurance backstop, which they deem complex to provide. A cyber insurance backstop would mean that if a cyber insurance company was not able to cover a major cyber issue, the government would provide funds. The problem they see with this is that it’s difficult to price cyber risk, and increased funding means higher taxes. 

Those who agree with the bill also support that it focuses on the main actors of cyber attacks and espionage. This strategy calls out authoritarian states that use cyberattacks against the U.S. like Russia, Iran, North Korea, and China.The general concern around China’s cyber espionage and use of cyber weapons has made this point especially popular. However, some desenters believe that the strategy’s general focus on cyber defense is insufficient and that offense is the best defense. They argue that the U.S. should also focus on increasing its use of offensive cyber operations to reduce adversaries’ abilities. They think that the U.S. should publicize its cyber capabilities and willingness to use them to discourage state actors from attacking. 

Moreover, proponents of the strategy support that it prioritizes collaboration of the government with the private sector and other countries. This strategy recognizes that the government cannot unilaterally solve this problem. Therefore, it needs support from the private sector and other countries. The strategy also encourages collaboration with U.S. allies that promotes cybersecurity cooperation in those regions. However, opponents of the strategy believe that many parts of it will be not feasible to implement. Though cybersecurity is a relatively nonpartisan issue, some policy sections will be tricky to push through, such as shifting liability to software vendors. Such a regulation could only be done through congressional legislation, and it’s difficult to say whether that will happen or not. It doesn’t help that “software is still not a tangible product under the Uniform Commercial Code (UCC) in the US,” which means it is difficult to assign liability.

Conclusion

After being released only a few months ago, Biden’s National Cybersecurity Strategy has already started to shape the administration’s response to cyber threats. Recently, the administration submitted a request to increase the budget of the Cybersecurity and Infrastructure Security Agency (CISA) to $3.1 billion (by 22%) to implement this strategy, among other initiatives. The Transportation Security Administration (TSA) has issued a new cybersecurity amendment to the security programs of certain airports/aircraft operators in an effort to improve their cybersecurity resilience. The strategy will undoubtedly influence the way the United States tackles cyber threats for years to come.