The Biden administration on Thursday launched an ambitious new national cybersecurity strategy that calls on America’s tech industries and software makers to take more responsibility for protecting their systems from hackers. It also calls on US law enforcement and military agencies to be more proactive in neutralizing the growing underworld of ransomware bandits and other digital thieves, including some linked to foreign adversaries such as Russia and China.
President Joe Biden said the strategy recognizes that strong collaboration between the public and private sectors is essential to securing cyberspace and that the status quo of making most cybersecurity efforts voluntary does not work. It also takes on the systemic challenge, Biden wrote, that too much responsibility for cybersecurity has — for decades — rested with individual users and small organizations.
“As I have often said, our world is at a turning point. That includes our digital world,” Biden wrote. “The steps we take today and decisions we make today will determine the direction of our world for decades to come. This is especially true as we develop and enforce rules and norms for behavior in cyberspace.”
What does the new strategy bring?
The strategy aims to:
- Rebalance cybersecurity responsibility to be more effective, fair and impartial, in collaboration with industry; civil society; and state, local, tribal and territorial governments.
- Realign business incentives to encourage long-term investments in security, resiliency and new technologies.
- Work with nation-state allies and non-state partners to strengthen norms of good governance; hold countries like China, Russia, North Korea and Iran accountable for malicious behavior in cyberspace; and disrupt the networks of criminals behind dangerous cyber attacks around the world.
- Work with Congress to provide the resources and tools needed to ensure effective cybersecurity practices are implemented throughout critical U.S. infrastructure, relying more on mandatory requirements than on voluntary measures.
Biden’s plan shifts the burden from individuals to Big Tech
In a briefing with reporters, acting national cyber director Kemba Walden said a key element of the new strategy is shifting the burden of cybersecurity from those currently bearing the greatest brunt — individuals, small businesses and local governments — to those who have the expertise and money to deal with it, including software developers and “big tech” companies.
“It will shift the responsibility for managing cyber risk to those who are best placed to bear it,” Walden said.
“This strategy requires more from industry,” Walden added, “but also requires more from the federal government in terms of industry.”
What’s new about it?
Walden and other current U.S. cybersecurity officials, as well as former officials and private sector experts, note that some key elements of the new strategy are already in place or in the process of being implemented.
Some of these have come in response to a series of high-profile ransomware attacks targeting critical US infrastructure, or the 16 sectors – typically managed by private companies – whose assets, systems and networks are deemed so important to the US that their shutdown or destruction would undermine national security.
This includes dealing with the aftermath of Russia’s compromise of the SolarWinds Orion network and China’s compromise of servers running Microsoft Exchange, the new strategy report said. It also noted that Biden has increased the prominence of cybersecurity in the White House leadership and created new positions on the National Security Council and the Office of the National Cyber Director.
Months later, the administration was forced to deal with high-profile ransomware hacks that temporarily crippled the Colonial Pipeline and meat processing company JBS.
At the time, Assistant Attorney General Lisa Monaco said these were just a tiny sample of the daily attacks on America’s critical infrastructure.
A national security memorandum issued by the White House in May 2022 set out a list of requirements and deadlines for federal agencies to transition their encryption means to new standards hardened against cyberattacks from future generations of more powerful quantum computers.
Joshua Corman, former chief strategist for the Department of Homeland Security’s agency for cybersecurity and infrastructure security, said Biden’s decision to prioritize critical infrastructure was “an important and conscious decision.”
Corman, vice president of cybersecurity at Claroty, urged those adopting the new cyber strategy to put an especially intense focus on protecting vital critical infrastructure systems where downtime could result in fatalities or a “crisis of confidence” by the American public. These include water supply, hospitals, electricity and power plants, and the production and distribution of food and water, he said. Claroty is a cybersecurity company that protects these systems, known as Industrial Control Networks, from cyberattacks.
“Many of the owners and operators of these lifeline functions also happen to be what I’ve termed ‘target rich, cyber poor’ — meaning they are among the most attractive targets for threat actors with the fewest resources to protect themselves,” Corman said.
Will it work?
Since the dawn of the digital age, each President has taken his own initiative on cybersecurity, portraying it as a significant and growing national security concern.
Mike Hamilton, former vice chairman of the Coordinating Council of State, Local, Tribal and Territorial Governments at the Department of Homeland Security, said he thinks Biden stands out from the rest on a few key points.
“Every other federal government strategy has been essentially ignored. This is very perspicacious and mostly specific,” said Hamilton, the city of Seattle’s former chief cybersecurity officer who is now the chief information security officer at Critical Insight, which helps private businesses prevent and respond to breaches of their systems.
Hamilton said the new strategy addresses some commonly overlooked but important issues like how to deal with “tech debt in federal systems” or the use of legacy systems.
Too much or not enough?
Jamie Gerber, Chief Financial Officer at Simspace, a global leader in military-grade cyber products, said the new strategy will present companies with new challenges.
He said “such voluntary efforts are insufficient” in a world of constant attempts by sophisticated hackers, often aided by Russia, China, Iran or North Korea.
“Threats will remain numerous unless businesses, governments and organizations take aggressive action now.”