2023 National Cybersecurity Strategy: Businesses Are Asked To Bear More of the Burden

By Aloke S. Chakravarty, James P. Melendres, and Gabrielle M. Morlock

Earlier in March, the White House released its 2023 National Cybersecurity Strategy, addressing its new outlook on cybersecurity threats and protective measures. Having the first national strategy in five years allows the executive branch to signal to its own agencies as well as the public and business sectors where its attention and resources will be spent and also telegraphs its expectations of greater enforcement and private sector investment. In this way, analyzing the priorities of the strategy should allow businesses to consider the impact of the federal government using their existing authorities for greater enforcement, along with their expectation of greater long-term investment by private companies to ensure their own networks are protected, their own technology is not vulnerable, and that they will cooperate when there is an issue. During this administration, businesses that do not update their cyber-posture are at greater risk of enforcement, and in addition to critical infrastructure components, those that purvey technical solutions or platforms as a service are likely to be prioritized.

The 2023 Strategy focuses on five main pillars with a message aimed at demanding more cooperation from the private sector, particularly among larger businesses or those with a focus on consumer data and the collection or maintenance of sensitive personal information. The 2023 Strategy expresses an emphasis on increased enforcement through existing authorities, including implementation of notification requirements, whether under the FTC, HIPAA, or other data enforcement regulatory agencies and related regulations. The overall goal is twofold: to rebalance the responsibility of a defensive cyberspace, where those who are best positioned to take action should, as the entire nation’s cyber resilience should not be dependent on the smallest most vulnerable organizations or individual citizens; and to realign incentives to favor long term investments in cybersecurity by rewarding market forces and public programs for building a more robust, secure, and diverse cyber practice. The 2023 Strategy provides that the Federal Government is committed to making “generational investments in our nation’s infrastructure, digitizing and decarbonizing energy systems, securing our semiconductor supply chains, modernizing our cryptographic technologies, and rejuvenating our foreign and domestic policy priorities” and to do so, proposes the following five pillars:

1. Pillar One: Defend Critical Infrastructure

Pillar One of the 2023 Strategy proposes greater focus on public-private collaboration among owners and operators of critical infrastructure. Applicable businesses will be expected to follow updated federal agency incident response plans and processes in order to improve efforts to identify the cause of security incidents and provide better response processes across all involved parties.

2. Pillar Two: Disrupt and Dismantle Threat Actors

Pillar Two of the 2023 Strategy proposes using diplomatic, information, military, financial, intelligence, and law enforcement capabilities to build upon successes to disrupt and dismantle threat actors in cyberspace. To implement this proposal, the 2023 Strategy proposes businesses to work together with the federal government to disrupt activities to render cyber activity unprofitable and to deter foreign governments and non-state actors from participating in such activities.

3. Pillar Three: Shape Market Forces to Drive Security and Resilience

Pillar Three of the 2023 Strategy proposes to focus responsibility on those best positioned to reduce risk. To do this, the 2023 Strategy provides that we must modernize our digital economy and promote practices that enhance digital security. Business will be expected to follow more robust restrictions pertaining to the collection of personal data to maintain data privacy.

4. Pillar Four: Invest in a Resilient Future

Pillar Four of the 2023 Strategy focuses on building next generation software, devices, and innovations that implement strong security practices and features. The goal is to out-innovate other countries and optimize critical and emerging technologies.

5. Pillar Five: Forge International Partnerships to Pursue Shared Goals

Pillar Five of the 2023 Strategy focuses on changing the way cyber processes function so that responsible behavior is expected and rewarded, and irresponsible behavior is costly. The 2023 Strategy focuses on engaging with other countries to build a broad coalition of nations working towards a common goal and providing and maintaining a secure Internet.

In implementing its 2023 Strategy, the Federal Government will use a data-driven approach to measure implementation, outcomes, and effectiveness. The executive branch is expected to coordinate with various state agencies and departments as well as the private and public sector, to set standards and implement new processes. Regardless of whether there is new legislation imposing greater incentives to improve cybersecurity, the 2023 Strategy signals that the government expects an increase in private sector investment and collaboration in security, and intends to take steps that will enhance the federal capacity to carry out its essential functions and protect the American public from cyberattacks.