Calls to shift liability and investment and promote secure and resilient software products/services
KPMG Regulatory Insight:
In March 2023, the White House announced a new National Cybersecurity Strategy (Strategy) that builds on the May 2021 Executive Order 14028, “Improving the Nation’s Cybersecurity.” The Strategy outlines the Administration’s approach to cybersecurity, which entails building and enhancing collaboration between the public and private sectors along five pillars:
To achieve the envisioned collaboration, the Administration suggests there is a need to make two fundamental shifts in cybersecurity roles, responsibilities, and resources:
To that end, the Strategy calls for:
Highlights of the Strategy follow.
The five pillars and underlying strategic objectives (outlined below) are intended to address what the Administration characterizes as software and systems that are becoming increasingly complex, providing value to companies and consumers, but also increasing collective insecurity by “layering new functionality and technology onto already intricate and brittle systems at the expense of security and resilience.”
The Administration notes that cybersecurity requirements have been proposed or finalized for several industries, including owners and operators of critical infrastructure, banking organizations, public companies, and others. (For more details, see KPMG Regulatory Insights’ Point of View: Enhancing the cybersecurity risk framework). The Strategy calls for collaboration between industry, owners and operators of critical infrastructure, federal agencies, product vendors and service providers, and other stakeholders to achieve the following strategic objectives:
The Strategy calls for the integration of diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities with the goal of making “malicious actors incapable of mounting sustained cyber-enabled campaigns that threaten the national security or public safety of the United States.” Strategic objectives include:
Citing continued disruptions of critical infrastructure and thefts of personal data, the Strategy calls for shaping market forces “to place responsibility on those within the digital ecosystem that are best positioned to reduce risk.” This includes using federal purchasing power and grant-making to incentivize broad adoption of cybersecurity and resilience best practices, in pursuit of the following strategic objectives:
The Strategy calls for leveraging strategic public investment in innovation, R&D, and education through multiple programs, including new grant programs and funding opportunities established in the 2021 Infrastructure Investment and Jobs Act and the 2022 Inflation Reduction Act (see KPMG’s Regulatory Alerts). Strategic objectives include:
To “counter common threats, preserve and reinforce global internet freedom, protect against transnational digital repression, and build toward a shared digital ecosystem that is more inherently resilient and defensible,” the Strategy calls for working to scale the model of collaboration by national cybersecurity stakeholders (described above) to cooperate with the international community. Strategic objectives include:
Under the oversight of National Security Council staff, the Office of the National Cyber Director (ONCD) will coordinate implementation of the Strategy, including working with interagency partners to develop and publish implementation plans.