White House pushes for mandatory regulations, more offensive cyber action under National Cyber Strategy
The White House unveiled its long-awaited National Cybersecurity Strategy on Thursday, laying out a holistic approach to improving digital security across the country.
The plan is built around five basic pillars:
- Minimum cybersecurity requirements for critical infrastructure
- Offensive cyber actions against hackers and nation states
- Shifting liability onto software manufacturers
- Diversifying and expanding the cyber workforce
- Continuing to build international partnerships.
“This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace. It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations,” President Joe Biden said in a statement attached to the document.
The president said the country must “rebalance the responsibility for cybersecurity to be more effective and more equitable.”
“We will realign incentives to favor long-term investments in security, resilience, and promising new technologies. We will collaborate with our allies and partners to strengthen norms of responsible state behavior, hold countries accountable for irresponsible behavior in cyberspace, and disrupt the networks of criminals behind dangerous cyberattacks around the globe," Biden said. "And we will work with the Congress to provide the resources and tools necessary to ensure effective cybersecurity practices are implemented across our most critical infrastructure.”
It is the country’s first cybersecurity blueprint since the administration of former President Donald Trump released a National Cyber Strategy in 2018. Since then, high-profile attacks on the U.S. government — like the one involving software company SolarWinds in 2020 — as well as a cascade of daily ransomware attacks, data breaches and escalating threats from state-backed criminal hacking groups have increased the need for a more coordinated cybersecurity plan.
The plan touts many of the cybersecurity regulations already handed down for oil and natural gas pipelines, aviation, rail and water systems. But it notes that more will be needed and the White House plans to work with Congress to fill “gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures.”
Senior administration officials were tightlipped about which industries would require congressional action to regulate or what sectors would be next to receive mandatory regulations. But they mentioned that the Environmental Protection Agency will begin enforcing new cybersecurity rules on water facilities in the coming months.
In addition to the Cybersecurity and Infrastructure Security Agency (CISA) leading the way on a new National Cyber Incident Response Plan and incident reporting rules, the strategy made clear that the federal government needs to do a better job of outlining how private sector partners can reach federal agencies for support during cyber incidents and what forms of support the federal government may provide.
The plan also focuses heavily on the need for U.S. agencies to go on the offensive against cyber threat actors, both through more forceful means and through methods currently in use like sanctions and court action.
Ransomware as a 'national security threat'
Ransomware featured heavily in the strategy. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said one of the biggest changes was a shift to declaring the issue a “national security threat.”
In a press briefing, she said ransomware was something they had “already begun to tackle through domestic work targeting the most virulent ransomware actors.” She touted the recent FBI action taken to dismantle infrastructure used by the Hive ransomware group and highlighted the International Counter Ransomware Initiative, which involves the U.S. and 36 countries.
“[The strategy] will disrupt and dismantle threat actors by using all instruments of national power, to make it harder for malicious cyber actors to threaten the national security or public safety of the United States,” she said.
A senior administration official said the decision to reclassify ransomware from a criminal justice problem to a national security threat was based on the reality that little can be done legally to solve the issue when many cybercriminals have safe havens in countries like Russia, North Korea and Iran.
The official said the administration wants to continue to “shrink the surface of the Earth” for ransomware hackers by making it impossible for them to leave safe havens without fear of arrest.
Liability for software manufacturers
One of the most important — and controversial — pillars of the plan involves shifting liability for software vulnerabilities onto manufacturers.
CISA Director Jen Easterly mentioned the idea during a speech earlier this week, causing concern among some security experts, who questioned how officials would determine who was responsible for vulnerabilities in products that had thousands of components.
White House officials made clear that they did not want to punish underfunded open source developers — instead shifting the onus onto final-goods assemblers who profit from the software.
“The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices. We can't have them devolving that responsibility down to a two-person open source project that hasn't received any funding in the last five years,” a senior administration official said.
“That's not going to get us the outcome that we want. We see shifting liability as a long-term process. When we think about this strategy, we're looking out a decade. And so our anticipation is that we will need to begin this process – working with industry to really establish what better software development practices look like."
The White House is hoping to work with industry stakeholders and Congress on creating laws around the concept, but officials acknowledged that it will take time for lawmakers to act.
Implementation and outcomes
According to recently departed National Cyber Director Chris Inglis, who spearheaded the plan, his office solicited feedback on the document from stakeholders, including more than 300 organizations within the U.S. government and private sector.
Responses came from the National Security Council, CISA, FBI and a “broad range of federal agencies and departments,” Inglis said. Inglis added in September that two-thirds of the organizations they consulted with about the strategy were with the private sector.
The 35-page plan includes dozens of other measures that will be coordinated by the National Security Council as well as the White House's Office of Management and Budget (OMB) and Office of the National Cyber Director (ONCD).
The implementation plan will be organized primarily by the cyber director, whose office will measure progress, outcomes and effectiveness. ONCD will report on the progress to the president and Congress annually.
ONCD and OMB will work together on issuing annual guidance on cybersecurity budgeting priorities to departments and agencies while the White House will work with Congress to fund cybersecurity efforts.
“Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense. From the very beginning of my Administration, we have moved decisively to strengthen cybersecurity,” Biden said.
“The steps we take and choices we make today will determine the direction of our world for decades to come. This is particularly true as we develop and enforce rules and norms for conduct in cyberspace.”
Additional reporting was provided by James Reddick.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.