The Biden administration released its National Cybersecurity Strategy (“Strategy”) on March 2, 2023.1 The Strategy builds on previous policy actions by the Biden administration that sought to strengthen cybersecurity in critical infrastructure and protect personal data, including through regulatory action, government procurement requirements, and an emphasis on software security. The Strategy calls for (1) a “[r]ebalanc[ing of] the responsibility to defend cyberspace,” under which the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” with the Strategy notably highlighting the role of cloud services and software providers and (2) a “realign[ment of] incentives to favor long-term investments,” in part to “ensure that market forces and public programs alike reward security and resilience.” While still emphasizing public-private sector collaboration, the Strategy reflects an increased focus on regulatory action and private sector liability. Although many of the Strategy’s proposed changes will hinge on congressional action, if implemented by Congress and the administration, the Strategy would have significant consequences for certain businesses, including owners and operators of critical infrastructure, software developers, cloud providers, government contractors, and businesses that handle personal information. Understanding the Strategy and its potential implications accordingly will be important for companies across sectors.
