Biden plans to bolster cybersecurity
WASHINGTON – An ambitious and wide-ranging White House cybersecurity plan released Thursday calls for bolstering protections on critical sectors and making software companies legally liable when their products don’t meet basic standards. The strategy document promises to use “all instruments of national power” to preempt cyberattacks.
The Democratic administration also said it would work to “impose robust and clear limits” on private sector data collection, including of geolocation and health information.
The strategy largely codifies work already underway during the last two years following a spate of high-profile ransomware attacks on critical infrastructure. A 2021 attack on a major fuel pipeline caused panic at the pump, resulting in an East Coast fuel shortage, and other damaging attacks made cybersecurity a national priority. Russia’s invasion of Ukraine compounded those concerns.
The 35-page document lays the groundwork for better countering rising threats to government agencies, private industry, schools, hospitals and other vital infrastructure that are routinely breached. In the past few weeks, the FBI, U.S. Marshals Service and Dish Network were among intrusion victims.
“The defense is hardly winning. Every few weeks someone gets hacked terribly,” said Edward Amoroso, CEO of the cybersecurity firm TAG Cyber.
He called the White House strategy largely aspirational. Its boldest initiatives – including stricter rules on breach reporting and software liability – are apt to meet resistance from businesses and Republicans in Congress. The strategy’s data-collection component is also expected to meet stiff headwinds in Congress, though polls say most Americans favor federal data privacy legislation.
In a new report, the tech data firm Forrester Research said state-sponsored cyberattacks rose nearly 100% between 2019 and 2022 and their nature changed, with a greater percentage now carried out for data destruction and financial theft. The threats are mostly from abroad: Russia-based cybercrooks and state-backed hackers from Russia, China, North Korea and Iran.
President Joe Biden’s administration has already imposed cybersecurity regulations on certain critical industry sectors, such as electric utilities, gas pipelines and nuclear facilities. The strategy calls for expanding them to other vital sectors.
In a statement accompanying the document, Biden says his administration is taking on the “systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” That will mean shifting legal liability onto software makers, holding companies rather than end users accountable.
The White House wants to put greater responsibility on the software companies.
“Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the document says.