Cyber attacks no longer invoke images of hooded figures, frantic binary code and the overuse of the term “hack.” Rather, they now invoke thoughts of companies and municipalities bleeding millions of dollars as they combat ransomware attacks, panic as employees scramble to recover sensitive information that has been compromised and made public, as well as fears of utilities failing under cyberattacks. Lawmakers and the White House have taken notice.

The Biden administration recently released its National Cybersecurity Strategy, which is divided into five key pillars that entail some key areas, including critical infrastructure and ensuring resilience in data protection. In recent years we’ve also seen an avalanche of state and federal legislative policies emerge. There are three main reasons why.

For starters, cybersecurity’s wrath is indiscriminate. While geopolitical bellicosity hogs the headlines, cybersecurity can affect everyone. Whether you’re a mom-and-pop small business or a multibillion-dollar financial hegemon, malicious code can wreak havoc. Hospitals, schools, universities, Main Street shops, military bases, police departments, fire stations, oil refineries, solar farms and e-commerce websites are all in the crosshairs. 

Secondly, in large part due to this, assuring robust cyber defense is a bipartisan issue. Democrat and Republican-majority legislatures are passing bills at a fervent pace, perhaps to keep up with each other, but also because of a simple truth: The United States needs to be cyber-secure, holistically. The financial and economic interconnections within the country are so indelibly interwoven that, when it comes to cyber threats, Oregon hypothetically losing power due to a malicious attack on its grid has the potential to be calamitous for California and vice versa. It is positive and advantageous to encourage the same level of market competition for cybersecurity firms and technologies as the one for telecommunications and financial entities. This bears fruit in cutting-edge solutions. 

Thirdly, an imperative skills gap has been widening; codification and legislative urgency is the only remedy for it. InfoSecurity reports that the global cybersecurity workforce gap has increased to 26.2 percent through 2021 — signifying an insufficient number of vetted, qualified cyber-fluent young professionals to accomplish public and private benchmarks within the evergreen sector satisfactorily. Thus, states are rushing to pass bills for training and education measures.

Can we legislate our way to cyber resilience?

In the past six months, over 120 bills with “cybersecurity” in their title have been introduced nationwide. The sheer scope of what these bills concern speaks to the indiscriminate, pervasive nature of how universal of a threat cyberattacks are. At the federal level, these bills concern cybersecurity within mobile network providers, the establishment of an Office of Policy Development and Cybersecurity, the direction of the Secretary of Energy to introduce reporting regulations on cyber incidents, and even a bill to authorize cooperation between Taiwan and the U.S. on “preparedness against cyber threats” as China’s bellicosity looms. Thanks to the aforementioned bipartisan appeal, the bills being introduced are extensions of Biden’s Cybersecurity Strategy — instruments through which Biden’s cyber legacy is cemented.

Similarly, the rate at which legislation is being produced by state Senates is astonishing. In the past month alone, the Senates of New York, Maryland, Utah, Kentucky, Hawaii, Texas, Florida and Oregon, to name a few, have all introduced substantial laws relating to cybersecurity procedures, best practices and the creation of new intra-state agencies to respond to cyber crises. Now that Biden’s strategy is published, more are expected.

These, in tandem with the various cyber defense initiatives the Biden administration has promulgated, make for a nation that has its cyber resiliency at the forefront of this outlook. In announcing the strategy, the White House was quick also to define that it has already taken steps to promote its digital agenda through Executive Order 14028, “Improving the Nation’s Cybersecurity,” National Security Memorandum no.5, which pertains to critical infrastructure, and Memorandum no.10, which delves into the nebulous yet promising world of quantum computing. 

In light of the legislative avalanche at the state and federal level coupled with the administration’s strategy, the U.S. has articulated its cyber posture in an unprecedented, steadfast manner. Yet, possible hindrances in ensuring the strategy’s efficacy lies ahead. 

How Biden can avoid slippery slopes

The strategy’s success lies within a key pillar that outlines promoting public-private partnerships. The Cybersecurity and Infrastructure Security Agency (CISA) has an opportunity to foster and promote the expertise of private entities in bolstering the strategy’s agenda, notably because CISA has already conceived info-sharing committees that already champion the consultation of private sector experts. The strategy must further empower the Sector Coordinating Councils, the main organs for CISA, to resource-pool with private sector organizations.

Then on the private sector end, attention should be directed toward the National Council of ISACs. ISACS, which is short for Information Sharing and Analysis Centers, are member-driven consortiums of companies that aim to ensure the safety of critical infrastructure. ISACS exist on an industry-by-industry basis: there is a finance ISAC, a healthcare ISAC, a natural gas ISAC and so on. Biden’s strategy mentions defending critical infrastructure at the “speed and scale necessary” — embracing laissez-faire, ISAC-first championing is the most viable path to ensuring this. The Biden administration need to be wary of cluttering the strategy’s public-private onus with too much of the former, as the experts lie in the latter.

The other problem Biden’s strategy may encounter may be within another of its core tenets: “Shape Market Forces to drive Security & Resilience.” This is comprised of promoting privacy and safeguarding personal data, but it may add further friction to the fractious relationship between the government and tech companies. The strategy’s opaque objective of data security must be expanded concerning the challenges that it may face. Tech companies have refused to grant encryption backdoors to the National Security Administration (NSA) and agencies writ large. If Biden’s administration tries to seize the reins of power from the one contingent of companies that can best combat cybercrime, infighting can ensue and undermining the goal of common security standards. To make the most of the strategy, the Biden administration must be willing to allow tech companies to drive the conversation around data security — their resources and R&D are far more sophisticated and well-equipped to handle the challenges of tomorrow than those of the government. 

The Biden administration has a unique opportunity to confront the cybersecurity dilemma. The strategy is firmly a step in the right direction. Should it be successful, it will posit the U.S. as the world’s authority on effective cyber posture — and may well define Biden’s legacy.

Carolyn Kissane, Ph.D., is assistant dean of the graduate programs in Global Affairs and Global Security, Conflict and Cyber at the Center for Global Affairs and a clinical professor at NYU School of Professional Studies, Center for Global Affairs. She is the director of the SPS NYU Energy, Climate Justice and Sustainability Lab. 

Shahid Mahdi is a software product manager at energy policy data and analytics company EnerKnol and holds a master’s degree in global security, conflict and cybercrime from New York University.