Plan sets cybersecurity rules for industry
WASHINGTON — The Biden administration issued a cybersecurity strategy Thursday that calls on software-makers and U.S. industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the FBI and the Defense Department to disrupt hackers and ransomware groups around the world.
For years, the government has pressed companies to voluntarily report intrusions in their systems and regularly “patch” their programs to shut down newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks. But the new National Cybersecurity Strategy concludes that such voluntary efforts are insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks.
Every administration since that of George W. Bush 20 years ago has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Joe Biden’s differs from previous versions in several respects, chiefly by urging far greater mandates on private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of the government to take offensive action to preempt cyberattacks, especially from abroad.
The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to enact minimum cybersecurity measures for critical infrastructure — and, perhaps, impose liability on businesses that fail to secure their code, much like automakers and their suppliers are held liable for faulty air bags or defective brakes.
“It just reimagines the American cybersocial contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago to oversee cyber strategy and cyber defense. “We are expecting more from those owners and operators in our critical infrastructure,” added Walden, who took over last month after the country’s first national cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
The government also has a heightened responsibility, she added, to shore up defenses and disrupt the major hacking groups that have locked up hospital records or frozen the operations of meatpackers around the country.
“We have a duty to do that,” Walden said, “because the internet is now a global commons, essentially. So we expect more from our partners in the private sector and the nonprofits and industry, but we also expect more of ourselves.”
Read alongside past cyber strategies issued by the previous three presidents, the new document reflects how cyber offense and defense have become increasingly central to national security policy.
The administration of President George W. Bush never publicly acknowledged U.S. offensive cyber capabilities, even as it mounted the most sophisticated cyber attack one state has ever directed at another: a covert effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major hacks of the U.S. government.
The Trump administration bolstered U.S. offensive initiatives against hackers and state-backed actors abroad. It also raised the alarm about having Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, set up high-speed 5G networks in the United States and among allies, fearing that the company’s control of such networks would aid in Chinese surveillance or allow Beijing to shut down systems at a time of conflict.
But the Trump administration was less active in requiring U.S. companies to establish minimum protections on critical infrastructure or seeking to make those businesses liable for damage if vulnerabilities they left unaddressed were exploited.
Imposing new forms of liability would require major legislative changes, and some White House officials acknowledged that with Republicans now controlling the House, Biden may face insurmountable opposition if he seeks to pass what would amount to sweeping new corporate regulation.
Many elements of the new strategy are already in place. In some ways, it is catching up with steps the Biden administration took after struggling through its first year, which began with major hacks of systems used by private industry and the military.
After a Russian ransomware group shut down the operations of Colonial Pipeline, which handles much of the gasoline and jet fuel along the East Coast, the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the nation’s vast network of energy pipelines. Pipeline owners and operators are now required to submit to far-reaching standards set largely by the federal government, and, this week, the Environmental Protection Agency is expected to do the same for water pipelines.
There are no parallel federal authorities for requiring minimum standards of cybersecurity at hospitals, which are largely state regulated. They have been another target of attacks, from Vermont to Florida.
“We should have been doing many of these things years ago after cyber attacks were first used to disrupt power to thousands of people in Ukraine,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, said Wednesday.
She was referring to a series of attacks on the Ukrainian power grid that began seven years ago.
Now, she said, “we are literally cobbling together an approach sector by sector that covers critical infrastructure.”