The Biden administration released its long-awaited national cybersecurity strategy, calling on governments, businesses, critical infrastructure and the public to cast aside the status quo and embrace a far more aggressive and collaborative approach to solving collective insecurity in the digital world.
The strategy, released Thursday morning, seeks to create “fundamental shifts” across two areas: broadly moving responsibility for insecure technology from the users and small businesses who are often victims of cyberattacks to the manufacturer and compelling more long-term investments in the way such technology is designed, built and secured.
The ultimate goal: to change a status quo where “a single person’s momentary lapse in judgement, use of an outdated password or errant click on a suspicious link” can have consequences across multiple organizations or sectors and negatively impact national or economic security.
To do that, the strategy pushes a series of actions that SC Media and other outlets have largely reported, including beefing up regulatory standards around cyber for sectors of critical infrastructure, dismantling the IT infrastructure used by hacking groups to carry out their malicious campaigns, pushing “reshape” laws that govern liability for data loss, insecure software and other products, and forging greater partnerships with international allies to defend the vision of a free, open and safe internet around the world.
“As I have often said, our world is at an inflection point. That includes our digital world,” reads a letter signed by President Joe Biden in the introduction. “The steps we take and the choices we make today will determine the direction of our world for decades to come.”
The strategy flags China as the country’s “broadest, most active and most persistent threat” in cyberspace, along with other nations like Russia, Iran and North Korea also wielding top tier or growing cyber programs. But in an overdue recognition that the problem extends beyond nation-states, it also places “criminal syndicates” such as ransomware groups alongside those countries as American businesses and critical infrastructure have been under constant siege from financially-motivated hackers encrypting or stealing data for profit.
Perhaps the most anticipated section casts aside the federal government’s decades-long reluctance to raise the floor of commercial cybersecurity through regulatory mandates, something the administration has already begun to put in place in industries like the oil and gas, aviation, rail and water sectors.
The White House said it has engaged with different critical infrastructure sectors to build a “consistent, predictable” framework for cybersecurity regulation, and anticipates that at least some new authorities will need to be created to touch certain sectors, or else similar requirements can be imposed by independent or state regulators.
"All cyber is local. It happens in the backyards of mayors and municipalities," said Kemba Walden, acting National Cyber Director while speaking Thursday at an event in Washington D.C. hosted by the Center for Strategic and International Studies.
Sources told SC Media last month that the administration sees voluntary cybersecurity performance goals developed by CISA and industry for critical infrastructure last year — a set of voluntary standards that call for things like multifactor authentication, encryption, restricting access to high-privilege credentials, securing and segregating sensitive data — as a potential roadmap for some of the common cybersecurity practices that the government would like to be mandatory across different industries. They also said that the administration views third-party providers, particularly cloud services, as an essential third-party service that requires more regulatory scrutiny in order to protection businesses.
Both details made it into the final version, though the strategy notes that it will need to identify “gaps in authorities” around cloud regulation and work with Congress and industry to pass new laws.
The focus on critical infrastructure is no accident: it's where the federal government's regulatory authorities are typically strongest. It also reflects the sectors that officials have spent the most time studying and assisting over the past decade due to the essential services that would be disrupted in a cyber attack.
Danielle Jablanski, a cybersecurity strategist for Nozomi Networks who focuses on a number of critical infrastructure sectors, including energy and critical manufacturing, told SC Media that prior experience will help the government develop smarter regulatory principles and encourage industry buy in.
"The sector risk management agencies have been talking with industry within specific sectors for months and months and months about their own successes and failures, what success looks like and what failure looks like. The TSA had it's own snafu with industry when it came to pipeline regulations, the EPA knows what kind of landmines to avoid for water," said Jablanski.
Republican skeptical of new mandates, while Democrats praise Biden strategy
At the CSIS event, Anne Neuberger, Deputy National Security Advisor for Cybersecurity and Emerging Technology for the White House, said the administration has already identified the education and critical manufacturing industries as sectors where they intend to work with Congress to develop new authorities.
Meanwhile, Walden described efforts to pass data privacy and software liability bills as a "multi-year, multi-stakeholder" effort and expressed optimism that the national security aspects of the problem will help woo skeptical Republicans.
"It's going to take a while to get there. We need Congress' to help us get there, we need the software development community to help us get there because they will understand how to make sure that we do this effectively," said Walden.
As SC Media has reported, the administration is likely to run into skeptical Republicans on the Hill when it comes to passing new mandates on the private sector. Rep. Mark Green, R-Tenn., chair of the House Homeland Security Committee, preemptively criticized the administration's strategy last week and its emphasis on imposing new regulatory mandates on the private sector.
In a joint statement sent to press after the strategy was released, Green and Subcommittee on Cybersecurity and Infrastructure Protection Chair Andrew Garbarino, R-N.Y., said they were pleased that the strategy recognizes the role that adversarial nations like China and Russia play in the problem and the focus in some areas on public-private collaboration, but again questioned the administration’s focus on pushing through new cyber regulations.
"The key to building trust with our private sector partners is employing harmonization across government, rather than encouraging disparate and competing efforts. We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government,” Green and Garbarino said. “We are concerned that while the administration expresses their desire to harmonize, their actions have only encouraged or forced new regulations from multiple agencies … the Biden administration must prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this strategy.”
But the White House push could have the backing of key Democratic allies in the Senate and House. Homeland Security and Governmental Affairs Committee chair Gary Peters signaled openness to passing new cybersecurity mandates similar to the cyber incident reporting law he helped shepherd through Congress last year.
“I will closely examine this strategy, quickly consider the parts of it that will require congressional action, and continue leading efforts to strengthen our nation’s cybersecurity defenses,” Peters, a Democrat from Michigan, said in a statement.
Reps. Bennie Thompson, D-Miss., and Eric Swalwell, D-Calif., ranking Democrats on the House Homeland Security Committee and Subcommittee on Intelligence and Counterterrorism, respectively, endorsed the administration's "full-court press" strategy, highlighting efforts to coordinate the disruption of state and criminal hacking groups, partnering with the private sector and investing in research and development.
They also noted that “as authorizers for the Department of Homeland Security, we will also work to ensure that the Cybersecurity and Infrastructure Security Agency is well positioned and appropriately resourced to carry out its responsibilities."
“We must ask more of the private sector, building on the collaborative partnerships the Biden-Harris administration has worked hard to develop over the past two years," Thompson and Swalwell said in a statement. "As cyberattacks increase in frequency and sophistication, smart, well-harmonized, performance-based security requirements for critical infrastructure could help ensure the critical infrastructure we rely on every day is sufficiently resilient to keep operating in the wake of a compromise."
The determination by White House that some of these actions will have to go through a divided Congress to implement means that some parts of the strategy may wind up on the cutting room floor. But for some, after years of falling short and bowing to the political realities around regulation, the federal government swinging big and missing - or hitting a double in the process - still represents a step forward in cyber policy.
"I don't know if [going through Congress] is a great plan, just given the history of [our] government, but I do think that everything is in the implementation and some things might fall short, but having big, audacious goals is what governments are really known for," said Jablanski.
Cybersecurity executive orders for federal agencies already underway
On the government side, federal agencies will continue to execute a series of cybersecurity executive orders and mandates imposed by the White House following the SolarWinds and Colonial Pipeline incidents. They will also bolster effective use of “nerve centers” like the Joint Cyber Defense Collaborative that put government officials and industry in the same room to work on systemic cybersecurity problems.
Noteworthy, too, is the plan for CISA to lead an update to the nation’s National Cyber Incident Response plan. That includes better integration of how law enforcement, intelligence agencies and industry work together to identify and shut down malicious infrastructure used by criminal hacking groups, generate actionable intelligence on hacking groups and claw back ransom money sent via cryptocurrencies. The National Cyber Investigative Joint Task Force — another government nerve center led the by FBI — will “expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and efficiency.”
In particular, the federal government would like to eliminate the potential for cybercriminals to use U.S.-based servers and other IT infrastructure to carry out attacks on American businesses. That will involve working more closely with cloud providers and internet service providers to share information, identify such infrastructure and make it easier for individuals to report signs of suspicious or abusive use.
Beyond the regulatory push in critical infrastructure, the most controversial provisions could be the administration’s support of “legislative efforts to impose robust, clear limits on the ability to collect, use, transfer and maintain personal data” as well as legislation that would establish a legal liability framework for software providers.
“Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” the strategy notes.
This story is developing. Check back for updates.
