A White House cybersecurity official expressed confidence that the U.S. can solve many of its systemic cybersecurity problems, but stressed that the public and private sectors will “only be able to do it together” while hinting the Biden administration could look to Congress to impose additional authorities.
The Office of the National Cyber Director is in the final stages of completing a new national cyber strategy that is expected to call for a more robust regulatory approach in pushing the private sector to build more secure products by design and impose basic cybersecurity protections for users.
Matt Cronin, director of national cybersecurity operations and planning at the Office of the National Cyber Director, said Friday that the administration’s message was ultimately “a message of hope” as well as "a call to action" about the ability of government, the private sector and individuals to tackle the great challenges of their time.
He compared the administration’s vision to other problems — like the space race, mobilization during World War II and rearchitecting city codes and regulations to prevent great fires — that required similar whole-of-society efforts to solve and pushed back against the idea that the U.S. government was incapable of meeting the administration’s lofty ambitions for changing the cyber landscape for the better.
“We are a nation that put a man on the moon. You don’t think we’re capable of stopping some rando Russian from hacking a school? No, we absolutely can and we absolutely will, [but] there’s a caveat to that: it will only work if we do it together,” said Cronin while appearing on the Resilient Cyber Podcast, hosted by Aquia co-founder and CISO Chris Hughes and Dr. Nikki Robinson.
Sources who have seen different drafts of the strategy told SC Media earlier this month that the administration will seek to leverage existing regulatory authorities where it can, while also considering new legislation to impose mandatory requirements in industries or sectors where those authorities are weaker.
Cronin likened creating a resilient cyber infrastructure and secure-by-design principles in a liberal democracy to “hard mode” in a video game, noting that authoritarian governments don’t have to balance their digital security priorities with the private property rights or civil liberties of their citizenry the same way the U.S. and other democracies do.
But he also suggested that if private sector entities weren’t willing to come to the table and work with the government on these problems voluntarily, Congress may step in to compel further action, saying “you cannot secure a liberal democracy if we’re all just out on our own [and] out for ourselves. It simply will not work.”
“If every company, every executive, every individual, every government agency decides ‘it’s not my problem, I’m not going to disclose a breach or I’m not going to be secure by design, it’s too expensive,’ then yeah, it’s going to take a lot longer. And honestly I’m going to guess — I’m not speaking for Congress — they’re going to create way more laws to increase the burden until people get it.”
Republicans on the Hill may not play ball
However, any push in the near term for new regulations or federal powers is likely to run headlong into a Republican-controlled House that has thus far shown little interest in facilitating the administration’s ambitious cyber agenda.
This week, House Homeland Committee Chair Mark Green, R-Tenn., sent reporters a statement blasting the Biden administration’s “scattershot cybersecurity regulations” while praising a recent report by the industry-led National Security Telecommunications Advisory Board urging the administration to spend more time harmonizing existing cyber mandates on the private sector.
“While we continue to wait in anticipation for the release of the National Cyber Strategy, which I am concerned will strike the exact opposite tone by encouraging more regulation, I’m glad to see that the NSTAC recommends that the national cyber director work to resolve and streamline duplicative and burdensome regulatory obligations, most of which stem from the White House push for cross-sector mandates,” Green said. “I look forward to pursuing strong oversight over this administration’s scattershot cybersecurity regulations this Congress and I look forward to working with CISA to ensure the red tape doesn’t strangle industry as they complete the congressionally mandated Cyber Incident Reporting for Critical Infrastructure Act rulemaking.”
Not every congressional Republican appears dead set against the prospects of additional cyber mandates. A bill introduced this week by Rep. Tim Walberg, R-Mich., would charge the Department of Energy with setting up new cyber incident reporting regulations for electrical critical infrastructure. A law passed last year empowered the Cybersecurity and Infrastructure Security Agency to set up similar reporting regulations for all critical infrastructure sectors, including the energy sector.
The text of the bill and its details have yet to be made public on Congress.gov. Walberg’s office did not respond to requests from SC Media for a copy of the bill or questions about possible overlap between potential Energy reporting requirements and CISA’s parallel incident reporting regime.
Even if Congress is reluctant to pass new legislation, many U.S. companies may find themselves compelled to impose similar mandates in order to do business in other countries and markets.
As an example, a representative from one U.S.-based industry lobbying group pointed to new legislation under consideration by the European Union that would require certain technology products to meet a minimum level of cybersecurity checks and impose fines of €15 million or more on violators, regardless of whether their products are produced in Europe or elsewhere.
Those rules and others could force larger companies with a global footprint and customer base into making many of the same changes the Biden administration is seeking.
“When regulatory trains get moving down the track in Europe, they don’t get derailed the way they’re often derailed in Congress here,” said the official, who spoke to SC Media on the condition of anonymity because they were not authorized to comment on the U.S. cyber strategy until it has been officially released. “That’s just a reality, so that’s going to happen and that’s why I think most people will have an open mind to [regulation] and say ‘OK, let’s have an honest conversation about what actually makes sense and what we need.’”