Biden plan puts burden on firms for cybersecurity
Latest strategy would require protective measures for digital infrastructure
WASHINGTON — The Biden administration issued a cybersecurity strategy Thursday that calls on software makers and American industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the FBI and the Defense Department to disrupt hackers and ransomware groups around the world.
For years, the government has pressed companies to voluntarily report intrusions in their systems and regularly “patch” their programs to shut down newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks. But the new National Cybersecurity Strategy concludes that such voluntary efforts are insufficient in a world of constant attempts by hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks.
Every administration since that of President George W. Bush, 20 years ago, has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Joe Biden’s differs from previous versions in several respects, chiefly by urging far greater mandates on private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of the government to take offensive action to preempt cyberattacks, especially from abroad.
The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to enact minimum cybersecurity measures for critical infrastructure — and, perhaps, impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty air bags or defective brakes.
“It just reimagines the American cybersocial contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago to oversee both cyberstrategy and cyberdefense. “We are expecting more from those owners and operators in our critical infrastructure,” added Walden, who took over last month after the country’s first national cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
The government also has a heightened responsibility, she added, to shore up defenses and disrupt the major hacking groups that have locked up hospital records or frozen the operations of meatpackers around the country.
“We have a duty to do that,” Walden said, “because the internet is now a global commons, essentially. So we expect more from our partners in the private sector and the nonprofits and industry, but we also expect more of ourselves.”
Imposing new forms of liability would require major legislative changes, and some White House officials acknowledged that with Republicans controlling the House, Biden may face insurmountable opposition if he seeks to pass what would amount to sweeping new corporate regulation.