The Biden administration will pursue a policy of more aggressive regulation to secure critical systems like banks, electric utilities and hospitals against cyberattacks, according to a new national cyber strategy unveiled Thursday.
That approach signals a break from two decades of efforts to get companies in critical sectors to voluntarily strengthen their cybersecurity. It comes as officials are increasingly worried about cyberattacks on U.S. soil from Russia and China, and as cybercriminals ramp up “ransomware” attacks where they hold networks hostage for payments.
“Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters in a briefing about the strategy. It’s time, she said, “to implement minimum mandates.”
Neuberger pointed to work already done by the Transportation Security Administration to secure pipelines and railroads against attacks, and said that additional sectors where cybersecurity regulations will be put in place will be announced soon.
The plan — put together by the White House’s Office of the National Cyber Director — is the first new cyber strategy in five years, and serves as a roadmap for setting out the administration’s goals for securing the nation in cyberspace. A senior administration official said that the White House is working on an “implementation plan” to put into action the goals the strategy lays out. The plan will be released in the coming months. The White House provided the briefing to reporters on the condition that the official be granted anonymity.
It’s been a rough few years for those trying to protect U.S. networks from hackers. In May 2021, Russian-linked hackers launched a ransomware attack against Colonial Pipeline that forced the company to temporarily shut down the flow of gas to the East Coast for a week. Similar strikes hit food supply lines. And the Russian invasion of Ukraine last year led to major cyber threats against the U.S. electric grid and other critical infrastructure sectors from Russian hackers.
The strategy outlines a vision for the federal government to use existing authorities to protect critical sectors from cyberattacks. Where there are “gaps” in relevant authorities, the strategy reads, the administration will work with Congress to build new regulatory tools over key sectors. The strategy also says the government may need to provide resources to critical infrastructure groups that may not have the funds to afford to implement the new requirements.
The strategy seeks to “rebalance the responsibility for cyber risk to those who are most able to bear it,” Acting National Cyber Director Kemba Eneas Walden told reporters in the briefing. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
The industry has long pushed back against greater cyber regulations, and it’s something that Congress has hesitated to move on. The White House brought representatives in from across industries to review the strategy as it was being developed last year, and the senior administration official stressed that the new regulations would not be complex.
“The bar we’re setting is not a high bar, we’re really just hoping that owners and operators do the basics,” the official said.
A number of industry representatives declined to comment before the official release of the report.
Some affirmed their commitment to security without addressing the plan to more heavily regulate critical sectors at risk of hacks.
”Makers of enterprise software take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats,” said Victoria Espinel, president and CEO of software trade group BSA, the Software Alliance, said in a statement released at the same time that the strategy was unveiled.
The strategy also makes clear that the U.S. plans to be aggressive against foreign adversaries who try to hack into American networks.
The U.S. “will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” the strategy says. This will include the Defense Department updating its cyber strategy to better integrate operations in cyberspace into overall defensive measures against adversary nations, and stepping up efforts to disrupt hacking groups that use ransomware to shut down networks and demand payments to turn services back on. A major part of this is declaring ransomware a national security threat, not just a criminal concern.
The strategy also outlines a plan to increase coordination across the federal government so that agencies can nimbly respond to a major cyberattack. According to the document, the Cybersecurity and Infrastructure Security Agency will update the National Cyber Incident Response Plan to enhance coordination across all agencies involved in cybersecurity issues, such as TSA or the Department of Energy.
On the international front, the strategy calls for the Biden administration to “develop mechanisms” to help identify when and how to respond to cyberattacks on other countries, such as the widespread attacks on Albania last year that were linked to Iran that the U.S. and other countries condemned.
A number of Republicans and Democrats who have been involved in U.S. government cybersecurity efforts commended the overall approach.
Brian Harrell, the former assistant secretary for infrastructure protection at the Department of Homeland Security under the Trump administration, said new regulations will make it easier to make sure products are designed with more protections from the start.
“Building security into the product from the beginning, rather than a bolt-on after the fact is a more secure and cost-conscious approach,” Harrell said. “Of course, it’s not possible to eliminate all defects, but right now there’s little incentive — beyond just general market reputation — to invest in a dramatic reduction of cyber vulnerabilities.”
John Costello, who recently left the position as chief of staff to the Office of the National Cyber Director, said that new emphasis on regulation reflects a recognition within the government that there has been “a massive shift in the [technology] ecosystem” as the country has grown more reliant on digital service providers.
However, “regulation, legislation, and an understanding of that risk and opportunity has not kept pace with these changes,” he said. The strategy “finally aligns the U.S. government position with what analysts and public policy people have been calling on for years, which is all this stuff is great, but it isn’t working.”