Photo of Evan D. WolffPhoto of Matthew B. WellingPhoto of Maida Oringher LernerPhoto of Jennie Wang VonCannonPhoto of Neda ShaheenPhoto of Jacob CanterPhoto of Garylene “Gage” JavierPhoto of Sarah RippyPhoto of Alexis WardPhoto of Maria Sokova

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses.  It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resisting systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework are some other suggested approaches that the private sector could take.

The Strategy makes evident the Administration’s desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers. To that end, we should expect legislation regarding baseline cybersecurity measures and establishing new liabilities for providers of software products and services. Further, the Administration emphasizes its support for legislative efforts for data minimization and increasing protection for sensitive data, which puts additional pressure on Congress to pass a federal privacy law.

The Strategy builds on sustained efforts by the Biden Administration to protect the nation’s critical infrastructure, including:

  • The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – expands the reporting obligations of covered entities;
  • The 2022 Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act – reduces reliance on China-based suppliers of emerging technologies by providing a financial incentive for investment in U.S. semiconductor manufacturing and the creation of collaborative networks for research and innovation;
  • President Biden’s 2021 Executive Order – strengthens the nation’s cybersecurity defenses by mandating all federal agencies use basic cybersecurity measures (such as multifactor authentication and requiring new security standards for software makers that contract with the federal government); and
  • President Biden’s 2021 national security memorandum – directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure.

The Five Pillars

Replacing the 2018 Trump Administration strategy, which focused on voluntary public-private partnerships and information-sharing practices, the new framework mapped out by the Strategy pushes for a more aggressive and comprehensive regulatory approach. Combining government actions with new requirements for the private sector, which owns the majority of the country’s critical infrastructure, the Strategy aims to tackle some of our nation’s most difficult and complex issues in cybersecurity, software liability, and regulatory programs by centering on the following five pillars:

  1. Defend Critical Infrastructure;
  2. Disrupt & Dismantle Threat Actors;
  3. Shape Market Forces to Drive Security and Resilience;
  4. Invest in a Resilient Future; and
  5. Forge International Partnerships to Pursue Shared Goals.

I. Defend Critical Infrastructure

The Administration makes clear that this pillar “is vital to our national security, public safety, and economic prosperity.” This pillar focuses on private-public collaboration to equitably distribute risk and responsibility, and includes five strategic objectives:

  1. Establish Cybersecurity Requirements to Support National Security and Public Safety. Protecting critical services is essential to the American people’s confidence in the nation’s infrastructure and the economy, and the Strategy breaks out three categories of activity to accomplish this objective:
  2. Scale Public-Private Collaboration. The Strategy stresses the importance of creating a distributed network of cyber defense, developed by collaboration between defenders and enabled by the automated exchange of information. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will employ Sector Risk Management Agencies (“SRMAs”) to coordinate with and support critical infrastructure owners to protect the assets they operate. The government plans to invest in developing SRMA capabilities to enable security and resilience improvements across critical infrastructure sectors and support maturation of third-party collaboration mechanisms. Additionally, information sharing and analysis organizations (“ISAOs”), sector-focused information sharing and analysis centers (“ISACs”), and similar organizations will be leveraged to facilitate cyber defense operations.

    The Strategy also acknowledges that machine-based solutions will be required to improve the sharing of information and coordination of defensive efforts. To accomplish this, CISA and SRMAs will explore technical and organizational mechanisms in partnership with the private sector to enhance and evolve data sharing, and the federal government will deepen its collaborative efforts with software, hardware, and managed service providers which have the capability to provide greater cybersecurity and resilience.
  3. Integrate Federal Cybersecurity Centers. Federal Cybersecurity Centers will serve as collaborative nodes that bring together capabilities across entities involved with homeland defense, law enforcement, intelligence, and diplomatic, economic, and military missions to drive intragovernmental coordination and support non-federal partners.
  4. Update Federal Incident Response Plans and Processes. The federal government will aim to present a unified, coordinated, whole-of-government response to cyber incidents when federal assistance is required, including, for example, that CISA will update the National Cyber Incident Response Plan (“NCIRP”). The Strategy discusses how these efforts will harmonize new requirements, such as CIRCIA’s to-be-finalized requirement that covered entities report cybersecurity incidents to CISA within hours in order to strengthen the collective defense, and current efforts by the Cyber Safety Review Board (CSRB), which is comprised of private and public sector cybersecurity leaders and will review incidents and guide industry remediation.
  5. Modernize Federal Defenses. The Administration will focus on long-term efforts to defend federal systems in accordance with zero-trust principles. In addition, it commits to develop plans to collectively defend federal civilian agencies, modernize federal technology systems, and defend national security systems.

II. Disrupt & Dismantle Threat Actors

Pillar 2 discussed the commitment to use “all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” focusing on heading off “sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.”  One of the ways to accomplish this is to make cyber-enabled campaigns unprofitable. There are five strategic objectives for disrupting and dismantling threat actors:

  1. Integrate Federal Disruption Activities. The Strategy outlines three commitments to integrate the federal government’s disruption efforts. First, the DOD will update its departmental cyber strategy so that it is aligned with “the National Security Strategy, National Defense Strategy, and [the] Strategy” to ensure that cyberspace operations are integrated into other strategic defense efforts. Second, the National Cyber Investigative Joint Task Force (“NCIJTF”) will “expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and frequency.”  Third, the DOD and the intelligence community “commit[s] to bringing to bear their full range of complementary authorities to disruption campaigns.”
  2. Enhance Public-Private Operational Collaboration to Disrupt Adversaries. To enhance the collaboration between the public and private sectors, the Strategy “encourage[s]” private companies to organize cyber-disruption efforts “through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government, such as the National Cyber-Forensics and Training Alliance (NCFTA).”  The Strategy also commits the government to lowering barriers in the interests of supporting and leveraging collaboration.
  3. Increase the Speed and Scale of Intelligence Sharing and Victim Notification. One aspect of disruption and dismantling threat actors is to increase the speed and scale of intelligence sharing, both to and from victims. The Strategy commits to “proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.” Part of implementing this is to “review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances.” The Strategy also calls on “SRMAs, in coordination with CISA, law enforcement agencies, and the [Cyber Threat Intelligence Integration Center (CTIIC)to] identify intelligence needs and priorities within their sector and develop processes to share warnings, technical indicators, threat context, and other relevant information with both government and non-government partners.”
  4. Prevent Abuse of U.S.-Based Infrastructure. The Strategy commits to working with cloud and infrastructure providers to address the full gamut of issues that they may face, from quickly identifying malicious use of such infrastructure, notifying the government in the event of such malicious use, making it easier for victims to report such abuse, and preventing the malicious use in the first place. This strategy also places an expectation on “[a]ll services providers” to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”
  5. Counter Cybercrime, Defeat Ransomware. The Strategy calls out ransomware in particular as a threat and identifies four processes to combat it: “(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.”  This effort includes contributions from the Counter-Ransomware Initiative (CRI) with 30 other countries and the Joint Ransomware Task Force. It also includes further consideration of international anti-money laundering and combating the financing of terrorism (AML/CFT) standards. To achieve these objectives, the Strategy focuses on mounting “disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.”  Accordingly, the Strategy repeats the position that the U.S. government has held for years: “strongly discourag[ing] the payment of ransoms” and encouraging victims to report the incidents to law enforcement and other appropriate agencies.

III. Shape Market Forces to Drive Security and Resilience

Pillar 3 of the Strategy focuses on shaping market forces to reduce risk and strengthen our digital ecosystem to keep our country resilient and secure. To drive broader adoption of best practices in cybersecurity, market forces are important, but the Administration will shape the long-term security and resilience of the digital ecosystem by: increasing accountability, driving development of more secure connected devices, reshaping existing laws, using federal purchasing power to incentivize security, and stabilizing insurance markets against catastrophic risk with the following six strategic objectives:

  1. Hold the Stewards of our Data Accountable. The Administration supports legislative efforts to protect consumers by imposing limitations on technologies that collect personal information. Failures to protect personal information pass the harm on to consumers, and often the greatest harm falls upon the most vulnerable populations. To protect consumers, legislation should provide strong protections for personal and sensitive data and set national requirements to secure data consistent with the standards and guidelines developed by NIST.
  2. Drive the Development of Secure IoT Devices. Many IoT devices today are vulnerable to cybersecurity threats and exploitation by bad actors. The Administration will continue to improve IoT cybersecurity through research and development and risk management efforts under the 2020 IoT Cybersecurity Improvement Act and security labeling programs under Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cybersecurity Executive Order”) The goal is to expand IoT security labels, allowing consumers to compare protections for different IoT products, and create market incentive for greater security for IoT devices.
  3. Shift Liability for Insecure Software Products and Services. The Administration will begin to shift liability onto entities that fail to take reasonable precautions to secure their software while at the same time recognizing that even advanced software security programs cannot prevent all vulnerabilities.  Legislation will be designed to prevent manufacturers and software publishers from fully disclaiming liability and establish higher security standards, while also providing a safe harbor for companies that do securely develop and maintain their software products and services. These so-called safe harbor provisions will draw from current best practices, such as the NIST Secure Software Development Framework, but will also need to be flexible enough to evolve over time to keep up with technological advancements. The Administration also encourages coordinated vulnerability disclosures and further development of Software Bill of Materials (SBOMs), as well as processes for identifying and mitigating the risk of unsupported software used by critical infrastructure.
  4. Use Federal Grants and Other Incentives to Build in Security. The Administration is committed to investing in programs to improve infrastructure and the digital ecosystem supporting it, and balancing cybersecurity requirements. The federal government will collaborate with State, Local, Tribal and Territorial (“SLTT”) entities, private sector stakeholders, and other partners to drive investment in secure and resilient products and to fund cybersecurity research, development, and demonstration programs.
  5. Leverage Federal Procurement to Improve Accountability. One successful method of improving cybersecurity has been to implement specific contracting requirements for federal government vendors. The Cybersecurity Executive Order expands cybersecurity requirements for contracts, ensuring that such standards are strengthened and standardized across federal agencies. The Department of Justice’s (“DOJ’s”) Civil Cyber-Fraud Initiative (CCFA) will hold accountable entities that knowingly: put data at risk through deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, or violate obligations to monitor and report cyber incidents and breaches.
  6. Explore a Federal Cyber Insurance Backdrop. The Administration will assess the need for and the potential structure of a federal response to a catastrophic cyber event, which will include analyzing current cyber insurance offerings.  Input will be sought from Congress, state regulators, and industry stakeholders to determine if a plan is necessary and how to structure a response to stabilize and aid recovery to prepare for a catastrophic cyber event before one occurs.

IV. Invest in a Resilient Future 

The Strategy’s fourth pillar relies on the following five strategic objectives to accomplish the Administration’s commitment to investing in the concept of resilience in the face of near-certain cyber-attacks:

  1. Cybersecurity Research & DevelopmentThe Strategy recognizes that cyber adversaries have been weaponizing American innovation and using it against our country to steal intellectual property, sow dissent, interfere with elections, and undermine our national defenses. Because of this, the Strategy recommends that investment and innovation must go hand-in-hand with cybersecurity efforts, and that it will be critical for our government to harness emerging technologies for cybersecurity purposes as those technological advancements are made. 
  2. Securing the Technical Foundation of the InternetAcknowledging that the very foundation of the Internet has inherent vulnerabilities that need to be addressed (specifically mentioning the Domain Name System and Border Gateway Protocol), the Strategy prioritizes protection of the multistakeholder model of Internet governance and standards development. Principles such as transparency, openness, and consensus are at the core of our nation’s values and will drive the evolution of more secure technical standards and technologies. 

    Because of the rapid pace at which technologies are advancing, the Strategy advocates for the Federal Research and Development enterprise to direct projects to advance cybersecurity and resilience in areas such as encryption, the protection of industrial control systems, and artificial intelligence.
  3. Preparing for a Post-Quantum FutureThe Strategy recommends preparation for a post-quantum future to protect the encryption systems that undergird the methods by which we protect data, authenticate users, and certify the accuracy of information. The means transitioning the nation’s cryptographic systems to interoperable quantum-resistant systems and advancing the notion of cryptographic agility to address unknown threats arising from quantum computing. This is one area of the Strategy that specifically recommends that the private sector follow the government’s Strategy to prepare for a post-quantum future.
  4. Development of a Digital Identity EcosystemData breaches, COVID-19 fraud, and identity theft have caused billions in losses for the federal government because we do not yet have a comprehensive, secure, and accessible digital identity system. The Strategy promotes investment in strong, verifiable, privacy-enhancing digital identity platforms that comport with the values of transparency and accountability. 
  5. Strengthen Our Cyber WorkforceGreat efforts will be made to address unfilled vacancies for cybersecurity positions in workforces across the nation. The need for cybersecurity professionals across industries means that the federal government will be coordinating a comprehensive strategy for cyber education and training pathways for all persons who wish to develop a career in cybersecurity, with a particular focus on the public’s need to develop and recruit cybersecurity talent to protect critical infrastructure. The Strategy is also committed to addressing the lack of diversity in the nation’s cybersecurity workforce as “both a moral necessity and strategic imperative.” 

V. Forge International Partnerships to Pursue Shared Goals

Pillar 5 consists of five strategic objectives that aim to “scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community” using the following five strategic objectives:

  1. Build coalitions to counter threats to our digital ecosystemThe U.S. will leverage existing partnerships, intergovernmental forums, and trade agreements to advance shared goals in cyberspace.  This includes using a variety of mechanisms, including the Declaration for the Future of the Internet (DFI), the Quadrilateral Security Dialogue (the Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), the U.S.-EU Trade and Technology Council (TTC), and the Americas Partnership for Economic Prosperity (APEP), among others. Coordination and collaboration with allies and partners are important, particularly in sharing cyber threat information, exchanging model cybersecurity practices, comparing security-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.
  2. Strengthen international partner capacityAs the U.S. builds a coalition to advance shared goals, it will also strengthen capacity of allies and partners that support shared interests in cyberspace. To achieve this goal, the U.S. will “marshal expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective” cyber capacity. The Strategy emphasizes the importance of working with law enforcement and explains distinct actions in which the DOJ, the DOD, and the Department of State (“DOS”) will engage. Specifically, the DOJ will work with law enforcement for more robust cybercrime cooperation, the DOD will strengthen military-to-military relationships to bolster collective cybersecurity posture, and the DOS will coordinate with the whole-of-government to ensure that federal capacity, as well as U.S., allied, and partner interests are strategically aligned.
  3. Expand U.S. ability to assist allies and partnersThe U.S.  will provide support to allies and partners to investigate, respond to, and recover from cyberattacks. The U.S. will also establish policies to determine when such support is in the national interest, develop mechanisms to identify and deploy this support, and, when needed, “rapidly seek to remove existing financial and procedural barriers to provide such operational support.”
  4. Build coalitions to reinforce global norms of responsible state behaviorThe U.S. will reinforce political commitments that every member of the United Nations has made to endorse peacetime norms and refrain from cyber operations that may “intentionally damage critical infrastructure” by holding irresponsible states accountable through meaningful and collaborative consequences, such as “diplomatic isolation, economic cost, counter-cyber and law enforcement operations, or legal sanctions, among others.”
  5. Secure global supply chains for information, communications, and operation technology products and servicesThe strategy recognizes that complex and globally interconnected supply chains are critical to the nation’s economy. Our dependency on foreign products and services introduces a degree of risk, which must be mitigated through long-term, strategic collaborations between public and private sectors in the U.S. and abroad. The federal government will work with allies and partners to “implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors,” making supply chains “more transparent, secure, resilient, and trustworthy.” 

We would like to thank Kate Growley, Crowell & Moring International LLC’s Director, for assisting us with this alert.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Photo of Matthew B. Welling Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling…

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Photo of Maida Oringher Lerner Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber…

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Photo of Jennie Wang VonCannon Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory…

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Photo of Neda Shaheen Neda Shaheen

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national…

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national security, technology, cybersecurity, trade and international law. Neda joined the firm after working as a consultant at Crowell & Moring International (CMI), where she supported a diverse range of clients on digital trade matters concerning international trade, national security, privacy, and data governance, as well as advancing impactful public-private partnerships.

Photo of Jacob Canter Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent…

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Photo of Garylene “Gage” Javier Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage practices focuses on privacy, data security, and consumer protection, assisting financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients concerns that…

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage practices focuses on privacy, data security, and consumer protection, assisting financial services clients overcome regulatory challenges and achieve their business goals. Gage assists clients concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).

Photo of Sarah Rippy Sarah Rippy

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She…

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She joins the firm after a year serving as a Westin Research Fellow at the International Association of Privacy Professionals, where she focused on state law developments, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

Photo of Alexis Ward Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.

Photo of Maria Sokova Maria Sokova

Maria Sokova is an attorney in the San Francisco office of Crowell & Moring, where she is a member of the Litigation Group.

Maria has experience representing clients in state and federal courts in technology-related litigation, copyright infringement and DMCA, trade secret and…

Maria Sokova is an attorney in the San Francisco office of Crowell & Moring, where she is a member of the Litigation Group.

Maria has experience representing clients in state and federal courts in technology-related litigation, copyright infringement and DMCA, trade secret and trademark misappropriation, and complex commercial matters. Using her litigation experience, Maria also counsels clients on matters related to technology transactions, IP protection, and terms and policies for companies ranging from start-ups to market leaders.