Congressional reaction to President Biden’s national cyber strategy broke along party lines, with strong support from Democratic Homeland Security committee leaders tempered by GOP skepticism that could bog down legislative efforts to implement parts of the plan.
The strategy was released today by the Office of the National Cyber Director along with information on an upcoming implementation plan. It includes multiple lines of effort where the Biden administration intends to seek added authority from Congress.
“Combating persistent and ever-evolving cybersecurity threats requires an all hands on deck approach from the public and private sectors,” Senate Homeland Security Chairman Gary Peters (D-MI) said today. “The Biden Administration’s National Cybersecurity Strategy is a significant step to ensuring our nation is ready to strengthen our defenses and fight back against foreign adversaries and cybercriminals that continue targeting our systems.”
Peters said, “I will closely examine this strategy, quickly consider the parts of it that will require Congressional action, and continue leading efforts to strengthen our nation’s cybersecurity defenses.”
But House Homeland Security Chairman Mark Green (R-TN) and cyber subcommittee Chairman Andrew Garbarino (R-NY) said that while the strategy “rightly highlights the need for public-private collaboration and federal government coordination,” it comes as “no surprise that this Administration’s desire for more regulation, bureaucracy, and red tape is a consistent theme” in the document.
“While the Trump Administration’s National Cyber Strategy promoted open, industry driven standards, and risk-based approaches, the Biden Administration’s Strategy encourages agencies to regulate where they can and identify regulatory gaps where they want new authorities,” Green and Garbarino said.
“We are concerned that while the Administration expresses their desire to harmonize [regulation], their actions have only encouraged or forced new regulations from multiple agencies – in contradiction of Congress’ clear direction through the Cyber Incident Reporting for Critical Infrastructure Act of 2022,” the Homeland Security Republicans said.
“The Biden Administration must prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this Strategy,” they said.
"As Chairmen of the Homeland Security Committee and the Cybersecurity and Infrastructure Protection Subcommittee, we plan to exercise strong oversight over the Administration’s operational implementation of the Strategy, particularly the requirements for the Cybersecurity and Infrastructure Security Agency,” Green and Garbarino said.
Across the aisle, House Homeland Security ranking member Bennie Thompson (D-MS) and cyber subcommittee ranking member Eric Swalwell (D-CA) said, “The National Cybersecurity Strategy … continues the Biden-Harris Administration’s ambitious approach to cybersecurity and we commend the Office of the National Cyber Director for leading this critical national security effort.”
Thompson and Swalwell said, “We support the Administration’s aspirations to better coordinate federal efforts to disrupt malicious cyber campaigns, become a more effective security partner to the private sector, and ensure we are prepared to defend against the threats of the future by investing in R&D and growing a more diverse cyber talent pipeline.”
But they added, “We must ask more of the private sector, building on the collaborative partnerships the Biden-Harris Administration has worked hard to develop over the past two years. As cyberattacks increase in frequency and sophistication, smart, well-harmonized, performance-based security requirements for critical infrastructure could help ensure the critical infrastructure we rely on every day is sufficiently resilient to keep operating in the wake of a compromise.”
Thompson and Swalwell said, “We also share the Administration’s commitment to shifting the responsibility for securing cyberspace on those best positioned to do so and we are eager to explore opportunities to incentivize security-by-design so that consumers no longer bear the brunt of the rush-to-market.”
Senate Intelligence Chairman Mark Warner (D-VA) said, “I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards.”
Pieces for Congress
The strategy flags multiple areas where the administration will ask Congress for additional statutory authority and resources to meet its goals, including “to implement minimum cybersecurity requirements or mitigate related market failures.”
It specifically says officials “will work with Congress and the private sector to develop legislation establishing liability for software products and services.”
The administration also “will identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress, and regulators to close them.”
The strategy calls for working with Congress and stakeholders to explore creating a federal cyber insurance backstop, and the administration will seek legislation to codify the Cyber Safety Review Board.
The strategy concludes by noting, “The Administration will work with Congress to fund cybersecurity activities to keep pace with the speed of change inherent within the cyber ecosystem.”
Stakeholder comments on strategy
Cybersecurity firm Tenable’s senior vice president for global government affairs James Hayes commented that “the success of the strategy will rely on Congress to properly fund and empower ONCD and CISA in order to help them tackle all of the areas to be addressed. CISA needs to have authority so they aren’t a paper tiger.”
“It will be a priority to drive alignment not only across federal departments and agencies but also with state and local governments and between public and private sectors,” Hayes said, while voicing strong support for “the strategy’s inclusion of baseline requirements for critical infrastructure cybersecurity,” which may also require congressional action to ensure agencies have authority in all sectors.
However, Wiley Rein partner Megan Brown said, “I honestly am disappointed how regulatory the strategy is, and at the apparent desire to force larger companies and actors to subsidize or take responsibility for others’ cybersecurity.”
She said, “There is not enough about how the government can and will do better to help protect the private sector and improve cyber defenses for the nation.” Further, she said, “I think they overstate the degree of collaboration on the prior regulatory moves/directives for certain sectors.”
Brown offered a detailed assessment of the strategy in a blog post today.
Brandon Pugh of the R Street Institute think tank said of the liability and regulatory aspects of the strategy, “I urge the administration and Congress to tread carefully as they contemplate action that could undermine free market principles.”
Pugh said, “The strategy currently recommends shifting liability onto manufacturers and software publishers that fail to take precautions to secure their software through legislation that the administration hopes to develop with Congress. This might sound positive in theory, but in practice there would be large challenges and many questions to answer first.”
– Charlie Mitchell