The Biden administration’s national cybersecurity strategy, a long-awaited policy vision released almost two years after an executive order called for more resilient infrastructure, lacks key details on how to effect change.
Turning the vision and stated objectives into reality requires more action and follow-through, cybersecurity experts said. Laws and regulations that impose greater responsibility on the technology sector aren’t likely to come quickly or easily.
“The pillars described in the strategy are well and properly defined, but of little use without such legislative support,” John Rostern, SVP and global lead of cloud and infrastructure services at security consultancy NCC Group North America, said via email.
“Drafting such legislation in a form that will be acceptable across the House and Senate will be challenging. Unfortunately, it is unlikely that this will move forward quickly,” Rostern said.
Julie Davila, VP and global field CTO at Sophos, said there are only so many industries that can be influenced or otherwise forced to meet standards through federal legislation.
Baseline security requirements for critical infrastructure could trickle down to other vendors and software providers in those ecosystems, according to Davila.
“You’re going to have a lot of companies that are kind of in that middle area where they’re not explicitly in scope for a lot of these laws and regulations, but will be kind of scooped in,” Davila said.
Strengthen baseline requirements
How the federal government might put teeth behind its plan to impose greater responsibility and liability on technology companies, including financial penalties or otherwise, remains unclear.
A liability regime akin to data protection and privacy laws in Europe, “tied to a real and pragmatic set of baseline control expectations will be a welcome change,” Jamf CISO Aaron Kiemele said via email.
Organizations that violate the European Union’s General Data Protection Regulation may be fined up to 4% of annual revenue.
Driving reform without harshly penalizing organizations for incidents that occur in a difficult-to-predict security environment will be tricky, Kiemele said.
The White House acknowledges a need to balance expectations in a reasonable manner, noting “even the most advanced software security programs cannot prevent all vulnerabilities.”
The strategy specifically calls for liabilities to be imposed on organizations that “fail to take reasonable precautions to secure their software” and “fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers.”
Reward exceptional security
Incentivizing more resilient and defensible systems, another policy goal, recognizes the need to reward organizations that prioritize security.
“It’s easy to make poor security an opportunity for admonishment, but for many organizations security is a cost center of which meeting bare minimum compliance is the aim of the game,” Dray Agha, senior ThreatOps analyst team lead at Huntress, said via email.
Whatever form these standards take, organizations shouldn’t be able to lean on compliance as cover for their next security breach, according to Rostern.
“Agencies must invest in supporting and incentivizing regulated entities to go beyond the minimum baseline,” Rostern said.
The strategy doesn’t indicate a radical change so much as it reaffirms the federal government’s commitment to use every tool available to recognize the critical role private companies play in strengthening cyber defense, according to Michael McPherson, SVP of security operations at ReliaQuest.
“The private sector collaboration will likely be the greatest challenge to implementing this strategy, due to the sheer depth and breadth of companies who possess the information and capabilities which could be of value in this effort,” McPherson said. “Building a framework to harness the power of the private sector is a herculean task.”