The new US cyber security strategy: a sea change for critical infrastructure

In the context of a growing national security priority related to the protection of critical infrastructure, on March 2, 2023, the Biden administration unveiled the National Cyber Security Strategy. This document represents a broad and forward-looking vision for both public and private cyber defenses. The objective of the initiative is to redistribute part of the burden associated with mitigating cyber security risks, shifting it from end users and critical infrastructure operators towards private sector enterprises. In fact, the latter are in a better position to make significant progress in terms of security and resilience. The focus of the strategy is also on incentivising long-term investment by the private sector.

A new regulatory model and the growth of the cyber insurance sector

The Strategy aspires to introduce a new regulatory paradigm in the field of cyber security for critical infrastructure sectors, moving from voluntary guidelines to mandatory regulations. In parallel, the growing role of the insurance sector in the field of cyber security is emerging. Insurance companies now offer specific coverage for cyber risks, which generate billions of dollars in premiums for the insurance industry. Part of the Strategy contemplates exploring a federal guarantee for cyber insurance, which would result in a partnership between the government and the insurance industry to support the issuance of cyber insurance for commercial entities.

Challenges and complexity of implementing the strategy

Despite its benefits and forward-looking initiatives, the Strategy presents some challenges. One of these is the harmonization of duplicate or overlapping requirements. Organizations facing a cyber incident often face multiple, sometimes conflicting, reporting requirements that can distract resources from dealing with the real threat. Furthermore, a complex aspect for companies is to understand how the various agencies can implement the recommendations of the Strategy with the tools they have available today, not only in terms of processes and people, but also in the context of their legal competences.

Additional federal initiatives and key steps for critical infrastructure owners and operators

In addition to the presentation of the Strategy, the federal government has taken further steps in other areas to improve the national cyber security posture and capabilities. These initiatives include the guidelines of the Infrastructure and Cyber Security Agency, the requirements proposed by the Securities and Exchange Commission, the memorandum of the Environmental Protection Agency for public water systems, and the expansion of the safety directives of the Transport Safety Agency. For critical infrastructure owners and operators, there are several key steps to take, including regulator education, interdisciplinary compliance, and a culture shift to take cybersecurity seriously at all levels of the organization.