No More “User Beware”: Rewriting the Cybersecurity Pact Between the US Government and Private Sector
Nearly fifteen years ago, President Barack Obama stood in the East Room of the White House to deliver his first major cybersecurity speech. He wasted no time making it clear that when it came to the United States’ cybersecurity, the onus was on the private sector to do the lion’s share of the work.
“The vast majority of our critical information infrastructure in the U.S. is owned and operated by the private sector,” Obama said in May 2009—a date which may seem like a century ago in the changing life of the internet. “So let me be very clear: My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.”
This vision for the relationship between the U.S. government and private sector predated Obama—and continued on for more than a decade. But with the release of yesterday’s new national cybersecurity strategy, the Biden administration has made it clear that it no longer believes that a private sector-led cybersecurity model makes sense for the United States.
“I think the fundamental recognition in the strategy is that the voluntary approach to securing [critical foundational technologies] is inadequate,” declared Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, during a Thursday event at CSIS.
Instead, the new strategy envisions a new bargain on both sides of the equation. Private industry will, for the first time, be expected to meet minimum cybersecurity standards—a step mandated not by the strategy itself, which is a statement of intent, but by the rules the Biden administration is already endeavoring to put in place. And there will be a price to pay for failing to meet the basics: technology companies, critical infrastructure owners and operators, and others may be held responsible for what happens during a cyberattack, just as a doctor could be held liable for a botched surgery, or a negligent party might face a tort claim.
In return, the government will step up as well, taking on a far more active role in disrupting criminal cyber operations around the world and in protecting Americans from the consequences of state-sponsored cyberattacks. Domestically, this may mean the FBI will more frequently use its existing authority to make public the decryption keys of ransomware actors, or to remove webshells from infected computers. Internationally, it may mean that U.S. Cyber Command will do more to disrupt foreign infrastructure relied upon by criminal actors, or collaborate more with allies and partners to “hunt forward” in their networks.
This stepped-up effort stems from the recognition that the individual—often the American consumer—has long borne the brunt of responsibility for their own cybersecurity and, frequently, paid the price of its failure. Or, as it’s phrased in the new strategy: “A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”
This shift in mindset—a “reimagined cyber social contract,” as acting National Cyber Director Kemba Walden put it in a March 1 interview—is a major change in understanding for the United States: a country that has long held the belief that, on most occasions, the best thing the government can do is get out of the way and let the private sector innovate. It is a move that is long overdue—but one that introduces a new set of challenges that the United States will face going forward.
Evolution of the Public-Private Relationship
Of course, back in 2009, it wasn’t an unreasonable expectation to suppose that the government and industry could collaborate on a mostly voluntary basis.
Certainly, there had already been warning signs that the United States wasn’t prepared for the increased vulnerability that would come with the digital age. From 1998 to 1999, a Russian espionage campaign had targeted government and university computers. In 2007, a suspected state actor was discovered inside the military’s secure network. And as early as 2009, Barack Obama was already receiving briefings on a highly classified project called Olympic Games, designed to set back Iran’s nuclear development program by hacking into its computers.
But there were few at the time who fully grasped the promise of what computers could do, how many processes of our daily life would soon be powered by them, or the policy and political implications of an attack against them.
Fast forward to 2023: the Biden administration’s new national cybersecurity strategy is being released into a completely different world. Today, Americans are acutely aware of the risks posed by ransomware—which has shut down school districts, pipelines, and local governments—as well as the pervasive threat of criminal hackers targeting personal and banking information. Disinformation is old news. And White House officials themselves are keenly watching the war in Ukraine, concerned that cyberattacks on critical infrastructure may spill beyond its borders.
Against this backdrop, today’s strategy recognizes that the Platonic ideal of a mostly voluntary security relationship between the U.S. government and private sector has not turned out as many had hoped. As such, the new cybersecurity strategy describes “two fundamental shifts:”
First, as discussed above, is the recognition that the burden of cybersecurity should not fall on the end user. Instead, the government needs to do more to disrupt threats, while the private sector must take greater pains to secure its products—possibly under the added threat of legal action if it fails to do so.
The second is that the government can use a variety of tools—including its ability to shape market incentives—to encourage better security, whether that means improving collaboration, investing in security from the beginning of a product’s development, or diversifying the supply chain.
Moving from Ideals to Implementation
The question is how the Biden administration, working alongside Congress, can make this vision statement a reality.
Part of the answer is that they’ve already begun. Over the past two years—and galvanized by the shock of the Colonial Pipeline ransomware attack in May 2021—the administration has identified a number of specific areas where it has the authority to set minimum security standards, improve communication, or impose new security controls. These include pipeline and aviation security directives, a new rule for the water sector, and a raft of presidential directives aimed at bolstering the security of executive branch networks. Notably, while the specific actions enumerated in these documents have at times sparked controversy, the necessity of imposing more rules has generally been less contested.
The second part of the answer is that several significant companies—particularly prominent tech firms—aren’t exactly opposing a stronger government role. Companies like Microsoft and Google, in particular, are already moving to standardize security rules, increase investments, and establish norms. In cases like these, the government is pushing on an open door. (Of course, there are those in industry who vehemently oppose more regulation as well.)
And the third part is that we don’t know yet. While the strategy is a strong statement, its implementation remains unclear. New rules will take time to work. Other rules have not yet been fully implemented. And key “sticks”—in the carrot-and-stick paradigm—remain theoretical. For example, there are relatively few ways to hold industry accountable for failing to secure products or processes, and laws permitting companies to be held legally liable for such failures will likely need to be passed by Congress. Given the current political environment, this may take some time to achieve.
Regardless of the timeline ahead, the new national cybersecurity strategy is an acknowledgement of our firm dependence on the digital world in every sector, and an important step in charting a path forward for a new relationship between government and industry, with new responsibilities and roles for both. Its most significant change—the commitment to rework the U.S. government’s relationship with industry—may prove to be the strategy’s longest-lasting element.
About the Author
Former Resident Fellow, Cybersecurity and Emerging Threats, the R Street Institute, Washington, DC