In March 2023, the Biden administration released a new National Cybersecurity Strategy, which makes it clear that the time for private companies voluntarily opting into cybersecurity has long passed. Instead, the new strategy promises to support new regulatory frameworks that will shift liability and create incentives for private firms to defend against critical vulnerabilities. This article discusses three concrete things business leaders should know about the new strategy. First, every company will need to identify its distinct vulnerabilities and risks. Second, companies will then need to adopt measures that address those vulnerabilities. Third, the strategy categorically states that it will push for legislation to hold these firms liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
On March 2, 2023, the Biden administration released its long-awaited National Cybersecurity Strategy. In light of cyberattacks targeting American infrastructure, business, and governmental agencies, the document elevates cybersecurity as a critical component of the United States’ economic prosperity and national security. It also intimates a fundamental dilemma, which is that the private sector — with key stakeholders consisting of software firms, small- and medium-sized businesses, broadband providers, and utility companies — holds the key to the public good of cybersecurity:
By Sarah Kreps and Amelia C. Arsenault via Harvard Business Review