The Biden administration has taken a proactive approach to cybersecurity policy
Congress has passed several notable pieces of legislation, such as CIRCIA
Middle market companies should continue to monitor increased regulation
By Vincent M. Voci
Vice President, Cyber Policy and Operations
Cyber, Space, and National Security Policy
U.S. Chamber of Commerce
The Biden administration has adopted a strong, proactive approach to cybersecurity policy, recognizing the urgency of protecting the United States from cyberthreats. And for good reason: In 2016, Russian-backed actors conducted intrusions into U.S. political institutions; in January 2021, the United States faced significant cyber risk when a Russian government-backed operation breached the SolarWinds Orion network management software. In response, the Biden administration launched a 100-day sprint to strengthen the cybersecurity of the nation’s industrial control systems for the electricity sector. President Biden also signed Executive Order 14028 on Improving the Nation’s Cybersecurity in May 2021 to safeguard the software supply chain.
EO 14028 requires the U.S. government to define public security measures for critical software, uses the government’s purchasing power to drive enhanced cybersecurity standards into IT systems purchased by the government, and articulates a vision for zero-trust architectures in federal government networks. Another key aspect of the administration's cybersecurity policy is the focus on addressing ransomware, with the administration publicly vowing to hold ransomware actors accountable.
Congress has passed several notable pieces of legislation, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, which established a mandatory cybersecurity incident reporting program. The U.S. Chamber of Commerce was influential in the congressional negotiations around CIRCIA, advocating for its members' priorities across timelines, covered entities, substantial incidents and legal liability issues.
The Biden administration's National Cyber Strategy articulates the whole-of-government, whole-of-society approach to rebalancing responsibilities for defending and securing cyberspace. The NCS communicates a new direction for cyber policy in the United States, starting with the premise that voluntary industry and market forces have failed to adequately invest in cybersecurity, risk management and resilience. Therefore, regulation is required to incentivize industry investment in stepped-up cybersecurity.
Cybersecurity best practices for organizations have remained uniform for years, including risk assessments, security measures, incident response and employee training. However, as the U.S. Chamber found in a recent report, regulation has dramatically increased over the last decade. Midsize businesses should monitor regulations across four categories of cyber public policy risk: sector-specific cybersecurity regulations (e.g., TSA rail and pipeline, EPA Public Water); incident reporting or public disclosure; common cybersecurity standards (e.g., NIST Cybersecurity Framework, CISA Performance Goals, CISA Security-by-Design and -Default); and state-by-state approaches to cybersecurity regulations (e.g., State of New York Legislation A.3904B/S.5579A). Given that cyber risk from threat actors has steadily increased over the same period, the U.S. Chamber's analysis finds a significant and growing risk to businesses from public policy itself, such as changes to laws, regulations or legal enforcement.
While there is a growing willingness by both political parties in Washington to pursue aggressive policy changes through regulation, the U.S. Chamber is committed to working alongside policymakers to ensure that good intentions do not lead to undesirable policy outcomes.
RSM US MMBI