On March 1, 2023, the Biden administration published its National Cybersecurity Strategy, an outline of how the administration will guide the evolution of cybersecurity at the national level. The federal government has a lot of control over much of the nation’s business infrastructure, such as the critical industries, both through the federal agencies that govern those industries and through the power to require that any purchases by those agencies conform to a particular set of standards. However, without the agreement of Congress, parts of the strategy are merely aspirations, and a single cybersecurity regulation imposed across the entire nation is unlikely. Chris Hart, partner and co-chair of Foley Hoag LLP’s privacy and data security group, agrees about the power and limitations of the presidency and suggests that for cybersecurity there may be more than the possibility of bipartisan consensus, due to real national security threats that animate both sides of the aisle.
The National Cybersecurity Strategy seeks to promote a national background on which cybersecurity can thrive. It seeks to develop a national approach to cybersecurity based on a joined-up patchwork of individual regulations set by the federal agencies and to make its own systems more defensible and resilient. It supports the potential for a national personal privacy regulation and encourages and enables investments in digital identity solutions, as well as promoting transparency and measurement. It also seeks to forge international partnerships to pursue shared goals, such as facilitating the development of technical standards and mechanisms to enable cross-border data flows.
The problem with data flows between the EU and the US is inherent in the existing laws governing privacy in the EU, and intelligence and law enforcement in the US. Governments on both sides of the Atlantic agree on the need for free flows of data, but are hampered by their respective laws, which are almost impossible to change. Each court case can take several years to resolve, and so far the European Court has declared all ‘wordings’ to be unconstitutional within Europe (because of GDPR).
Without the agreement of Congress, the National Cybersecurity Strategy must ultimately be considered a wish list of the administration’s desires, not a statement of what will happen nationally. Nevertheless, it is worth examining Biden’s strategy in greater detail and considering its possible outcomes. It is difficult to see an acceptable conclusion to this process – but if the two governments continue to strive to create a better cybersecurity solution, then it is possible that the Strategy may provide a better approach than a single regulation covering all sectors.