The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Biden administration unveils cyber strategy that takes more aggressive regulatory approach

A cyber hack of the Colonial Pipeline in 2021 led to gas shortages.   (Matt McClain/Washington Post)
By Tim Starks Washington Post

WASHINGTON — The Biden administration on Thursday unveiled a national cyber strategy that calls for imposing federally mandated security rules on critical infrastructure, holding software manufacturers accountable for insecure products and pressing the government’s fight against malicious hackers.

The plan’s focus on putting in place new regulations in some areas is likely to draw opposition from congressional Republicans and pushback from different industries.

But administration officials said the approach is warranted, while emphasizing that it is still seeking to foster a cooperative relationship between federal agencies and the private sector to protect key parts of the economy and national security infrastructure from cyberattacks.

“The president’s strategy fundamentally reimagines America’s cyber social contract,” Kemba Walden, the acting national cyber director, told reporters Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it. … This strategy asks more of industry, but also commits more from the federal government.”

In many ways, the strategy reflects work already underway in the Biden administration that came in response to cyberattacks, beginning with a sprawling alleged Russian cyberespionage campaign that President Biden inherited in the early days of his tenure and continuing into the attack on Colonial Pipeline in mid-2021 that sparked a gasoline panic.

But it also includes new initiatives and goals that could take a decade or more for the United States to complete, said senior administration officials who spoke on the condition of anonymity to brief reporters in advance of the strategy’s release. Some of the goals depend on congressional action, which could be challenging for a Democratic president standing opposite a Republican-controlled House.

The plan is more ambitious in its reach and more specific in its aims than past strategies, said Michael Daniel, who served as the top White House cyber official in the Obama administration.

“One of my concerns when I was in the White House was, could we actually get a strategy out the door that said more than, ‘Cybersecurity is good, and we should have more of it?’” said Daniel, now president and chief executive of the Cyber Threat Alliance. “That’s the first thing that jumps out at me is that it actually has some substance to it. The other thing is that it really does cover a broad swath of policy areas and starts to take on some long-standing issues that we know that we have to do, but will generate potentially some opposition from industry and the Republican Party.”

That includes the embrace of new regulations that stands in contrast to the past government approach of focusing on voluntary measures and collaboration between the federal agencies and industry.

Several agencies have already begun imposing mandatory security rules, the first of which were for pipelines after the Colonial Pipeline attack. Those rules, for instance, required the most critical pipeline operators to notify the Transportation Security Administration within 24 hours of a major hack and to produce plans for responding to incidents when they happen.

Other plans for regulations, though, such as cybersecurity rules for the communications sector, will require Congress to give new powers to the executive branch.

Walden emphasized the history of bipartisanship in Congress on cybersecurity issues. But in one indicator of potential clashes ahead, new House Homeland Security Committee Chairman Mark Green, R-Tenn. – whose committee would play a role in approving or denying some of the strategy’s legislative goals – had already voiced skepticism last month about the strategy’s expected focus on regulation that he feared might “strangle” industry.

The administration contends that the lack of mandatory requirements has penalized critical infrastructure owners who prioritize cybersecurity.

“Today’s marketplace insufficiently rewards – and often disadvantages – the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents,” the strategy released Thursday states. “Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.”

But the strategy also says “the federal government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.” And it says the administration will strive for rules that are flexible and catered to each sector, that don’t conflict with other cybersecurity requirements and take into account how expensive they might be.

Furthermore, it asserts, lackluster cybersecurity hurts smaller businesses more than large corporations.

“In too many cases, organizations that choose not to invest in cybersecurity negatively and unfairly impact those that do, often disproportionately impacting small businesses and our most vulnerable communities,” it states. “While market forces remain the first, best route to agile and effective innovation, they have not adequately mobilized industry to prioritize our core economic and national security interests.”

Joshua Steinman, who served as senior director of cyber policy for President Donald Trump’s National Security Council, said there are potential hazards to the new strategy’s approach.

“There is probably going to be a lot of goodness in that,” said Steinman, now chief executive of industrial security company Galvanick. “But in the last administration, we took a sanguine attitude, as we understood that no matter what regulatory architectures you put in place, powerful and well-resourced companies will find ways to do the minimum, while smaller companies – mom-and-pop shops, start-ups and critical infrastructure companies – may not have the resources, for a variety of reasons.”

Another way in which the strategy seeks to shift cyber responsibility is in its call for legislation that would establish liability for software makers. That’s an idea that has been around for decades but that has seen almost no action.

Administration officials argue that software manufacturers are financially incentivized to prioritize speeding their products to market and giving short shrift to security along the way. That, in turn, puts the onus on consumers to continually apply patches, effectively making them – rather than major technology companies – responsible for security.

The idea hasn’t gotten very far for many reasons, among them because it’s difficult to determine where to assign legal liability for failed security and how long a company should be liable for a product’s security, as well as concerns in industry about how secure a product must be to avoid facing legal fallout.

A senior administration official told reporters Wednesday that the proposal would be to place liability “where it would do the most good,” primarily “the company that is building and selling the software.”

Advancing the legislation is a long-term process that will involve working with industry and Congress to also apply a “safe harbor” liability shield for companies that meet secure software standards. “We don’t anticipate that this is something where we’re going to see a new law on the books within the next year,” the official said.

As much as the strategy is a break from tradition, in some ways it’s a continuation. It endorses more aggressive action to disrupt malicious hackers, an area of concentration for the Trump administration, which authorized Cyber Command to more freely undertake offensive missions in cyberspace.

The strategy calls for increasing the “volume and speed” of disruption campaigns; enhanced collaboration with the private sector to disrupt botnets that take over victim computers to launch malware; and countering ransomware gangs with law enforcement investigations and prevention of the abuse of cryptocurrency.

Steinman said he was “proud” of Trump administration policies to disrupt hackers “and excited to see they want to go out and disrupt and dismantle.”

Although some elements of the strategy could meet congressional resistance, Biden is likely to have allies in the Democratic-controlled Senate.

“The Biden administration’s National Cybersecurity Strategy is a significant step to ensuring our nation is ready to strengthen our defenses and fight back against foreign adversaries and cybercriminals that continue targeting our systems,” Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, told The Washington Post. “I will closely examine this strategy, quickly consider the parts of it that will require congressional action and continue leading efforts to strengthen our nation’s cybersecurity defenses.”