The Biden administration is pushing for more comprehensive federal regulations to keep the online realm safer against hackers, including by shifting cybersecurity responsibilities away from consumers to industry and treating ransomware attacks as national security threats.
The plan is part of the National Cyber Strategy that the administration released Thursday, outlining long-range goals for how individuals, government and businesses can safely operate in the digital world. This includes placing the burden on the computer and software industry to develop “secure by design” products that are purposefully designed, built and tested to significantly reduce the number of exploitable flaws before they’re introduced into the market.
The strategy “fundamentally reimagines America’s cyber social contract” and will “rebalance the responsibility for managing cyber risk onto those who are most able to bear it,” Acting National Cyber Director Kemba Walden said Wednesday in a press briefing to preview the strategy.
Walden stressed that asking individuals, small businesses and local governments to shoulder the bulk of the cybersecurity burden “isn’t just unfair, it’s ineffective.”
“The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risks and keeping us all safe,” she added.
The administration’s strategy is organized around five pillars: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
The strategy was crafted in the aftermath of a series of major cyberattacks including the 2021 Colonial Pipeline ransomware attack and the SolarWinds cyberbreach of federal government agencies in 2019-20. Attackers in those incidents exploited vulnerabilities of companies central to a computer security ecosystem, allowing access to a large number of clients. By mandating greater security requirements on companies that are central to a cybersecurity system, the administration is hoping there will be less risk of security breaches affecting users and clients.
Previous administrations’ approaches to cybersecurity focused more on voluntary public-private partnerships and information-sharing practices. While the Biden White House strategy also seeks to enhance cooperation with the private sector, it’s the first one to push for more aggressive and comprehensive federal cybersecurity regulation.
With Republicans now controlling the House of Representatives, however, the administration has an uphill battle to make these legislative changes. A senior administration official acknowledged that creating laws to shift liability to industry is a long-term process, possibly a decade.
Pushback is expected not just from the big tech industry but also from the U.S. Chamber of Commerce, which has lobbied against mandating security standards in the past. A representative from the chamber told VOA they will work with the administration “to ensure that good intentions do not lead to undesirable policy outcomes.”
“The U.S. Chamber of Commerce shares a mutual interest in advancing regulatory harmonization, strong liability protections, and federal preemption,” said Senior Vice President for Cyber, Space, and National Security Policy Christopher Roberti in an email statement. “Achieving these key objectives will help further our goal of transitioning from traditional public-private partnerships to public-private operational collaboration.”
Ransomware as national security threats
Pointing to the Iranian cyberattacks on Albania’s government networks in 2022, Anne Neuberger, deputy national security adviser for cyber and emerging technology, warned that criminals and state actors have conducted destructive cyber and ransomware attacks across the globe.
Under the strategy, ransomware threats will be dealt with as national security problems rather than criminal activities.
“Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air, water services, even if they are being targeted by our adversaries,” she said, underscoring the administration’s commitment to building a more resilient cyber infrastructure and strengthening international partnerships to deter cyberattacks.
The strategy lays the groundwork for a much more aggressive response from the federal government, including law enforcement and military authorities, to disrupt malicious cyber activity and pursue its perpetrators.
“We are certainly in a more forward-leaning position to make sure that we’re protecting the American people from these threats,” a senior administration official said, adding that the administration will take diplomatic and intelligence actions and financial sanctions as necessary.
“And military tools as necessary. These are options that the president has, and we’re certainly open to using all of them,” the official said.
The White House would not say whether the options would include hack-back operations against criminals or foreign governments.
“I don’t think we’re going into the tactics here,” John Kirby, Coordinator for Strategic Communications at the National Security Council, said in a press briefing Thursday, noting only that the strategy gives the U.S. “more flexibilities with going after bad actors.”
The strategy calls out China, Russia, Iran, North Korea and “other autocratic states with revisionist intent,” accusing them of “aggressively using advanced cyber capabilities” to pursue objectives that run counter to U.S. interests and international norms. It singles out China as the country presenting the “broadest, most active and most persistent threat to both government and private sector networks.”
Investments in cyber infrastructure
The strategy also calls for long-term investments in the U.S. cyber workforce, infrastructure and digital ecosystems, and underlying technologies to improve national resilience and economic competitiveness.
However, the White House will be implementing the strategy without a national cyber director. Christopher Inglis, who led the Office of the National Cyber Director established by Congress in 2021, stepped down in mid-February. His deputy, Kemba Walden, is acting national cyber director until a new one is appointed by the president and approved by the Senate.
VOA National Security Correspondent Jeff Seldin contributed to this report.
…