The White House on Thursday released an ambitious national cybersecurity strategy that calls for new federal regulation of vulnerable critical infrastructure firms and for software makers to be held liable when their products leave gaping holes for hackers to exploit.
The strategy – shaped by major hacking incidents that threatened key public services in the first year of the Biden administration – embraces the US government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.
It reflects a widely held belief in the US government that market forces have failed to keep the nation safe from cybercriminals and an array of foreign governments such as Russia and China.
“We ask individuals, small businesses and local government to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” Acting National Cyber Director Kemba Walden told reporters Wednesday. “This strategy asks more of industry, but also commits more from the government.”
The strategy is a policy document and not law, but it could shape corporate behavior for years to come as firms compete for billions of dollars in federal contracts that increasingly require a minimum set of cybersecurity defenses. And the White House says it wants to work with Congress to develop legislation that holds software makers liable when their products and services don’t provide adequate protections from sabotage.
The goal of US government and corporate work on cybersecurity should be to “correct market failures, minimize the harms from cyber incidents to society’s most vulnerable,” a copy of the strategy states.
The strategy does not specify which sectors of the economy the administration could regulate next, but US officials have previously signaled that one area of focus could be health care. Ransomware attacks – hacks that lock up computer systems and demand a fee – have put an even greater stress on hospitals across the country struggling with the coronavirus pandemic.
So far, the Biden administration has imposed cybersecurity requirements on sectors such as aviation and oil and gas pipelines. Those regulations were in many ways a response to a May 2021 ransomware attack by an alleged Russian-speaking hacker that shut down 5,500 miles of fuel pipelines in the US for days.
Corporations have sometimes balked at the regulations.
After oil and gas industry groups complained that cybersecurity regulations from the Transportation Security Administration were too onerous and unrealistic, the Biden administration last year revised the regulations to give pipeline operators more time to report cyber incidents to the government.
Multiple administrations, including the Trump and Obama administrations, have tried to shore up federal defenses against hacking threats and in some cases drive big changes that make agencies safer in the long term.
There has been some progress. Agencies now have more visibility into malicious cyber activity than ever before, officials say.
But in other cases, bureaucratic inertia has gotten in the way. The Government Accountability Office, a federal watchdog, says it has made over 700 public recommendations for federal agencies to improve their cyber defenses since 2010. About a fifth of the recommendations had not been implemented as of December, according to GAO.
Geopolitics is also a roadblock. The US has for years tried to blunt the impacts of hacking operations from Russia, China, Iran and North Korea, to limited effect. And US officials have accused all of those governments of harboring, or even enlisting, cybercriminals that attack US organizations – accusations those governments deny.
After the 2021 pipeline hack, President Joe Biden made a concerted push to get Russian President Vladimir Putin to crack down on cybercriminals operating from Russia. But any chances of bilateral cooperation on cybercrime have dimmed since Russia’s full-scale invasion of Ukraine a year ago.
A senior administration official acknowledged the obstacle when rolling out the new cybersecurity strategy.
“We do have a problem where Russia is serving as a de facto safe haven for cybercrime,” the official told reporters.