WASHINGTON — The Biden administration plans to issue a cybersecurity strategy Thursday that will call on software makers and American industry to take far greater responsibility for ensuring their systems can’t be hacked, while backing efforts by the FBI and the Department of Defense to speed up the disruption of hackers and ransomware groups around the world.
For years, the government has urged companies to voluntarily report breaches in their systems and to regularly “patch” their programs to close newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks. However, the new National Cybersecurity Strategy concludes that in a world of constant attempts by sophisticated hackers, often aided by Russia, China, Iran or North Korea, such voluntary efforts are not enough to keep intruders out of critical government and private networks.
Every administration since George W. Bush’s 20 years ago has issued some kind of cybersecurity strategy, usually once in a presidency. But President Biden’s differs from previous versions in a number of ways, most notably in pushing far broader mandates for private industry, which controls most of the country’s digital infrastructure, and in expanding the government’s role to take offensive measures to prevent cyberattacks, especially from abroad.
The Biden administration’s strategy involves what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If translated into new regulations and laws, it would force companies to take minimum cybersecurity measures for critical infrastructure — and potentially hold companies liable for failing to secure their code, much as automakers and their suppliers are liable for faulty airbags or defective brakes.
“It’s just reinventing America’s cyber-social contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago to oversee both cyber strategy and cyber defense. “We expect more from these owners and operators of our critical infrastructure,” added Ms. Walden, who took over last month after the country’s first national cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
The government also has an increased responsibility, she added, to bolster defenses and disrupt the major hacker groups that have locked up hospital records or frozen the operations of meatpacking companies across the country.
“We have a duty to do that,” Ms. Walden said, “because the Internet today is essentially a global commons. So we expect more from our private sector, non-profit and industry partners, but we also expect more from ourselves.”
The new document, read alongside the cyber strategies issued by the previous three presidents, reflects how cyberattacks and cyber defense have become central to national security policy.
The Bush administration never publicly acknowledged U.S. offensive cyber capabilities, even as it launched the most sophisticated cyberattack one state has ever used against another: a covert attempt to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major hacks of U.S. government systems.
The Trump administration supported American offensive operations against hackers and state-backed actors abroad. It also raised alarms about Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, rolling out high-speed 5G networks in the United States and among allies, out of fear that the company’s control over such networks would enable Chinese surveillance or allow Beijing to shut down systems in times of conflict.
But the Trump administration was less active in requiring American companies to put in place minimum protections for critical infrastructure, or in holding those companies liable for damages when unpatched vulnerabilities are exploited.
Introducing new forms of liability would require major legislative changes, and some White House officials acknowledged that with Republicans now controlling the House, Mr. Biden could face insurmountable opposition in trying to enact sweeping new corporate regulation.
Many elements of the new strategy are already in place. In a way, it’s catching up with the steps taken by the Biden administration after struggling through its first year, which began with major hacks of systems used by both private industry and the military.
After a Russian ransomware group shut down the operations of the Colonial Pipeline, which carries much of the gasoline and kerosene along the East Coast, the Biden administration used little-known legal authorities of the Transportation Security Administration to regulate the country’s vast network of energy pipelines. Pipeline owners and operators must now conform to far-reaching standards set largely by the federal government, and later this week the Environmental Protection Agency is expected to do the same for water pipelines.
There is no parallel federal authority to demand minimum cybersecurity standards in hospitals, which are largely regulated by the states. They have been another target of attacks, from Vermont to Florida.
“We should have done a lot of these things years ago, after cyberattacks were first used to cut power to thousands of people in Ukraine,” said Anne Neuberger, Mr. Biden’s deputy national security adviser for cyber and new technologies, on Wednesday. She was referring to a series of attacks on Ukraine’s power grid that began seven years ago.
Now, she said, “we’re literally cobbling together an approach, sector by sector, that covers critical infrastructure.”
Ms. Neuberger cited Ukraine as an example of proactively building cyber defenses and resilience: In the weeks following the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, getting them out of the computer servers and data centers around Kiev and other cities that later became targets of Russian artillery. Within weeks, many of these server farms were destroyed, but the government kept going, communicating with servers abroad via satellite systems like Starlink, which were also brought in after the war broke out.
The strategy is also catching up with an offensive program that has become more and more aggressive. Two years ago, the FBI began using search warrants to locate and dismantle fragments of malicious code found on corporate networks. More recently, it hacked into the networks of a ransomware group, obtaining the “decryption keys” that would unlock the documents and systems of the group’s victims and thwarting its efforts to collect large ransoms.
The FBI can operate on domestic networks; it is up to U.S. Cyber Command to go after Russian hacker groups like Killnet, a pro-Moscow group responsible for a series of denial-of-service attacks that began in the early days of the war in Ukraine. Cyber Command also slowed Russian intelligence operations around the 2018 and 2020 American elections.
But none of these are permanent solutions; some groups targeted by the United States have re-formed, often under different names.
Mr. Biden’s only face-to-face meeting as president with Russia’s leader, Vladimir V. Putin, in Geneva in 2021, was largely driven by fears that increasing ransomware attacks would affect the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be held responsible for attacks launched from Russian territory.
There was a lull for a few months, and a prominent hacking group was rounded up by Russian authorities in Moscow. But this cooperation ended with the start of the war in Ukraine.
In a speech this week at Carnegie Mellon University, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the administration’s efforts as “shifting liability onto those companies that fail to do their duty of care to their customers.”
“Consumers and businesses alike expect products bought from a reputable supplier to work as they are intended and not pose undue risk,” added Ms. Easterly, arguing that the administration “needs to push legislation forward to prevent technology manufacturers from waiving liability by contract,” a common practice few notice in the fine print of software purchases.