Biden’s cybersecurity strategy assigns responsibility to tech companies
WASHINGTON — The Biden administration plans to release a national cybersecurity strategy on Thursday that places greater responsibility on software makers and U.S. industry to ensure their systems cannot be hacked, while accelerating FBI and Defense Department efforts to disrupt hacking and ransomware groups around the world.
For years, the government has urged companies to voluntarily report intrusions on their systems and to regularly “patch” their programs to close newly discovered vulnerabilities, much as the iPhone automatically updates itself every few weeks. But the new national cybersecurity strategy concludes that such voluntary efforts are insufficient in a world where sophisticated hackers, often backed by Russia, China, Iran or North Korea, are constantly trying to break into key government and private networks.
Every administration since George W. Bush’s, 20 years ago, has issued some kind of cybersecurity strategy, usually once per presidency. But President Biden’s version differs from previous ones in several ways, chiefly in placing greater obligations on the private sector, which controls the vast majority of the country’s digital infrastructure, and in expanding the government’s role in taking offensive action to pre-empt cyberattacks, especially from abroad.
The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If it takes effect through new regulations and laws, it would force companies to adopt minimum cybersecurity measures for critical infrastructure, and could impose liability on companies that fail to secure their code, much as automakers and their suppliers are liable for faulty or defective airbags or brakes.
“It just reimagines America’s online social contract,” said Kemba Walden, the White House’s acting national cyber director, whose office was created by Congress two years ago to oversee cyber strategy and cyber defense. “We expect more from owners and operators of critical infrastructure,” Ms. Walden added. She took over last month after Chris Inglis, the country’s first national cyber director and a former deputy director of the NSA, resigned.
The government also has a greater responsibility to strengthen its defenses and disrupt major hacking groups that lock up hospital records or freeze the operations of meatpackers across the country, she added.
“We have a responsibility to do that,” Ms. Walden said, “because the Internet is now essentially the global commons. So we expect more from our partners in the private sector, nonprofits, and industry, but we also have expectations of ourselves.”
Read alongside the cyber strategies issued by the previous three presidents, the new document reflects how cyberattack and cyber defense have moved to the heart of national security policy.
The Bush administration never publicly acknowledged America’s offensive cyber capabilities, even as it launched the most sophisticated cyberattack ever undertaken by one country against another: a secret effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as being behind major hacks of U.S. government systems.
The Trump administration stepped up U.S. offensive efforts against hackers and state-sponsored actors abroad. It also raised alarms over the building of high-speed 5G networks in the United States and allied countries by the Chinese telecom giant Huawei, which it accused of being an arm of the Chinese government, out of concern that the company’s control over such networks would help China conduct surveillance or allow Beijing to shut down systems in a time of conflict.
But the Trump administration was less aggressive in requiring U.S. companies to build minimum protections into critical infrastructure, or in seeking to hold those companies liable for damages if their unaddressed vulnerabilities were exploited.
Imposing the new form of liability would require major changes in legislation, and some White House officials concede that with Republicans now controlling the House, Mr. Biden may face insurmountable opposition if he seeks to pass what amounts to sweeping new corporate regulation.
Many elements of the new strategy are already in place. In some ways, the document is catching up to steps the Biden administration has taken since a rough first year that began with major hacks of systems used by private businesses and the military.
After a Russian ransomware group shut down operations at Colonial Pipeline, which carries much of the East Coast’s gasoline and jet fuel, the Biden administration used little-known legal authority held by the Transportation Security Administration to regulate pipelines across the country’s sprawling energy network. Pipeline owners and operators must now comply with far-reaching standards set largely by the federal government, and later this week the Environmental Protection Agency is expected to do the same for water systems.
There is no parallel federal agency requiring minimum cybersecurity standards for hospitals, which are regulated largely by the states. Hospitals have been another frequent target of ransomware, from Vermont to Florida.
Anne Neuberger, Mr. Biden’s deputy national security adviser for cyber and emerging technologies, said on Wednesday: “We should have started doing a lot of this years ago, after a cyberattack was first used to disrupt power to thousands of people in Ukraine,” referring to a series of attacks on Ukraine’s power grid that began seven years ago.
Now, she said, “we’re actually piecing together a sector-by-sector approach to covering critical infrastructure.”
Ms. Neuberger cited Ukraine as an example of aggressively building cyber defenses and resilience: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, rather than relying on servers and data centers in Kiev and other cities that were later targeted by Russian artillery. Within weeks, many of those server farms were destroyed, but the government kept running, communicating with servers abroad through satellite systems like Starlink, which was also brought in after the war broke out.
The strategy also catches up with offensive operations that have become increasingly aggressive. Two years ago, the FBI began using search warrants to find and remove malicious code planted on corporate networks. More recently, it infiltrated a ransomware group’s network, extracted the decryption keys that could unlock the files and systems of the group’s victims, and thwarted its efforts to collect large ransoms.
The FBI operates within domestic networks; U.S. Cyber Command is tasked with hunting down Russian hacking groups like Killnet, a pro-Moscow group responsible for a string of denial-of-service attacks beginning in the early days of the war in Ukraine. Cyber Command also disrupted Russian intelligence operations around the 2018 and 2020 U.S. elections.
But these are not permanent solutions. Some of the groups targeted by the United States have reorganized, often under different names.
Mr. Biden’s only face-to-face meeting as president with the Russian leader Vladimir V. Putin, in Geneva in 2021, was dominated largely by concerns that rising ransomware attacks were affecting consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be held responsible for attacks launched from Russian soil.
There followed a few months of relative calm, and Russian authorities raided a prominent hacking group in Moscow. But that cooperation ended with the outbreak of the war in Ukraine.
In a speech at Carnegie Mellon University this week, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the administration’s effort as “shifting responsibility onto entities that fail to meet their duty of care to customers.”
Ms. Easterly added: “Consumers and businesses alike expect products purchased from reputable suppliers to work as intended and not carry undue risk,” arguing that the government needed to “move forward with legislation to prevent technology manufacturers from disclaiming liability by contract,” a common practice that is rarely noticed in the fine print of software purchases.