The Biden administration on Thursday released a new National Cybersecurity Strategy that builds on work of previous administrations but goes in new directions in several areas including calling for expanding regulations to more critical infrastructure sectors, making software companies liable for security shortcomings, and bringing to bear all tools of national power to thwart threat actors.
Much of the new strategy had been telegraphed if not discussed outright by White House and other administration officials in the past months. The strategy is undergirded by constant, increasing and evolving cyber threats and intrusions to the nation’s critical infrastructures as the economy is becoming more digitized and attack surfaces are growing.
Over the past two years, and in particular the last year following Russia’s invasion of Ukraine, “we’ve seen the cyber threat be at the forefront of geopolitical crises,” Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, said Wednesday evening during virtual media event that was embargoed until the strategy was released Thursday morning.
She also mentioned Iranian cyber-attacks against Albania’s government networks that led to an immediate response by the U.S. and Europe to help Albania, and cyber threats to the homeland.
“Which is important, because the Biden administration’s fundamental commitment is that Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines…water services, even if they are being targeted by our adversaries,” Neuberger said.
Some federal agencies already have authorities to impose cybersecurity regulations in areas of the economy. Following a ransomware attack in 2021 against gas pipeline operator Colonial Pipeline, the Transportation Security Administration leveraged existing authorities to require pipeline operators to report cyber incidents and assess their security posture and address vulnerabilities. Later, the agency expanded those requirements to portions of the rail sector.
In 2022, Congress approved and President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act that requires critical infrastructure entities to report “covered” cybersecurity incidents and ransomware payments to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). CISA is working on a proposed rulemaking to implement the law.
Some sectors such as the electricity grid, nuclear facilities and others already required cybersecurity practices as part of a larger security plan and in other sectors the authorities are less clear or haven’t been implemented, a senior administration official said during the media call. In these areas, the goal of the new strategy is to ensure best practices across industry are learned and used, the official said.
However, for other sectors there are no cyber regulations in place and any cybersecurity program is voluntary, the official said. The components of a cybersecurity regime are all basic things, the official said, such as multi-factor authentication and encryption.
“And so, the bar we’re setting is not a high bar,” the official said. “We really are just hoping owners and operators do the basics, and over time we’re going to be able to bring and raise all ships.”
The goal to expand cybersecurity regulations falls under the “defend critical infrastructure” pillar of the strategy and has already run into resistance from one key House Republican, Mark Green (Tenn.), the new chairman of the Homeland Security Committee. Green wants the federal government to continue working with critical infrastructure entities to adopt stronger cybersecurity postures on a voluntary basis instead of burdening industry with “duplicative and ineffective regulatory regimes.”
Another pillar of the strategy is to “shape market forces to drive security and resilience,” and here the administration wants to ensure security by design when software is assembled or before it becomes part of a product.
Liability needs to be put “where it will do the most good,” so that wouldn’t be on a small team of developers of open source software but instead it will likely go on the “company that is building and selling the software” so they “work to reduce vulnerabilities and use best practices,” the administration official said.
It will take time and work with industry to get it right, the official said.
Getting the liability component to the strategy right is a “long-term process” and will take a “decade,” the official said. With the strategy, “we will need to begin this process working with industry and Congress to establish what some kind of liability shield for the adoption of those practices would look like,” the official said.
To a degree, the U.S. has been using its national power to pursue cyber threat actors. During the Obama administration, the U.S. and Israel reportedly used a computer virus to destroy Iranian uranium centrifuges and, beginning in 2018, U.S. Cyber Command has conducted “hunt forward operations” at the request of allies and partners that entails deploying with them to hunt for vulnerabilities and adversaries on their networks.
Cyber Command also worked with CISA on hunt forward operations following the SolarWinds software supply chain vulnerability disclosure to attribute that attack to Russian intelligence.
Neuberger said that the administration is elevating ransomware as a “threat to national security rather than just a criminal challenge.” The senior administration official speaking on background pointed out that ransomware investigations are typically handled by the criminal justice system and by working with other “responsible countries” to help investigate and collect evidence.
On the other hand, there are countries that don’t cooperate.
The official highlighted that Russia is a “de facto safe haven” for cyber criminals, which is why other “elements of national power” such as sanctions levied by the Treasury Department need to be leveraged to deal with the ransomware threat. There are tools that can’t be talked about, including intelligence, that can be used to understand the threats and “tip victims” to prevent a successful attack, the official said.
Efforts under the “disrupt and dismantle threat actors” pillar of the strategy “may integrate diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities,” the strategy says. “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.”
The strategy also contains two other pillars, investing in a resilient future, which is ongoing, and strengthening international partnerships. In the coming months, the administration expects to issue an implementation plan for the strategy.