Biden's new cybersecurity strategy shifts the burden from people to Big Tech

The Biden administration on Thursday rolled out an ambitious new National Cybersecurity Strategy that asks America's tech industry and software makers to take more responsibility for protecting their systems from hackers. It also calls on U.S. law enforcement and military agencies to more proactively neutralize the growing underworld of ransomware bandits and other digital thieves, including some associated with foreign adversaries like Russia and China.

President Joe Biden said the strategy recognizes that a strong collaboration between the public and private sectors is essential to securing cyberspace, and that the status quo of making most cybersecurity efforts voluntary isn't working. It also takes on the systemic challenge, Biden wrote, that too much of the responsibility for cybersecurity has – for decades – fallen on individual users and small organizations.

"As I have often said, our world is at an inflection point. That includes our digital world," Biden wrote. "The steps we take and choices we make today will determine the direction of our world for decades to come. This is particularly true as we develop and enforce rules and norms for conduct in cyberspace."

President Joe Biden in March 2022.

What does the new strategy do?

The strategy aims to:

  • Rebalance the responsibility for cybersecurity to be more effective, fair and impartial, working in partnership with industry; civil society; and state, local, tribal and territorial governments.

  • Realign corporate incentives to favor long-term investments in security, resilience, and new technologies.

  • Work with nation-state allies and non-governmental partners to strengthen norms of responsible state behavior; hold countries like China, Russia, North Korea and Iran accountable for malicious behavior in cyberspace; and disrupt the networks of criminals behind dangerous cyberattacks around the world.

  • Work with Congress to provide the resources and tools necessary to ensure effective cybersecurity practices are implemented across U.S. critical infrastructure, with more of it mandatory rather than voluntary.

Biden's plan shifts burden from individuals to Big Tech

In a briefing with reporters, Acting National Cyber Director Kemba Walden said a key element of the new strategy involves shifting the burden of cybersecurity from those who bear the biggest brunt of it now – individuals, small businesses and local governments – to those with the expertise and money to handle it, including software developers and "Big Tech" companies.

"It will rebalance the responsibility for managing cyber risk on to those who are most able to bear it," Walden said.

"This strategy asks more of industry," Walden added, "but also commits more from the federal government with respect to industry."

What's new in it?

Walden and other current U.S. cybersecurity officials, along with former officials and private-sector experts, note that some key elements of the new strategy are already in place or in the process of being implemented.

Some of those came in response to a series of high-profile ransomware attacks on U.S. critical infrastructure, or the 16 sectors – usually managed by private companies – whose assets, systems and networks are considered so vital to the U.S. that their shutdown or destruction would undermine national security.

That includes managing the fallout from Russia’s compromise of the SolarWinds Orion network and China's compromise of servers running Microsoft Exchange, the new strategy report said. It also noted that Biden elevated the importance of cybersecurity within White House leadership and established new positions at the National Security Council and Office of National Cyber Director.

Months later, the administration was forced to deal with high-profile ransomware hacks that temporarily shut down the Colonial Pipeline and meat processing company JBS.

At the time, Deputy Attorney General Lisa Monaco said those were only a tiny sampling of the attacks against America’s critical infrastructure every day.

A national security memorandum issued by the White House in May of 2022 laid out a list of requirements and deadlines for federal agencies to change their means of encryption to new standards that will be hardened against cyberattacks from future generations of more powerful quantum computers.

Joshua Corman, former chief strategist at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, said Biden's decision to put critical infrastructure at the forefront "is an important and deliberate one."

Corman, vice president of Cyber Safety at Claroty, urged those rolling out the new cyber-strategy to focus especially intensively on protecting key critical infrastructure systems where downtime can lead to loss of life or "a crisis of confidence" by the American public. That includes water supplies, hospitals, electricity and power plants and food and water production and distribution, he said. Claroty is a cybersecurity company that protects these systems, known as industrial control networks, from cyber attacks.

"Many of the owners and operators of these lifeline functions happen to also be what I’ve called, 'target rich, cyber poor' – meaning they are among the most attractive targets for threat actors, with the least amount of resources to protect themselves," Corman said.

Will it work?

Every president since the advent of the digital age has had their own initiative for cybersecurity, portraying it as a significant and growing national security issue.

Mike Hamilton, the former vice-chair for the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council, said he thinks Biden's stands out from the others in some important ways.

"Every other strategy from the federal government has been essentially ignored. This one is very clear-eyed and mostly specific," said Hamilton, the former top cybersecurity official for the city of Seattle, who is now chief information security officer for the firm Critical Insight, which helps private firms prevent, and respond to, breaches of their systems.

Hamilton said the new strategy addresses some frequently overlooked but important issues such as addressing "tech debt in federal systems," or the use of outdated systems.

Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, center, speaks with reporters in the James Brady Press Briefing Room at the White House, on Feb. 18, 2022, in Washington. White House press secretary Jen Psaki, left, and Daleep Singh, Deputy National Security Advisor for International Economics, right, look on.

Too much or not enough?

Craig Burland, the chief information security officer for cybersecurity risk management firm Inversion6, said the new strategy "is a shot across the bow that signals tougher standards are coming."

"How those manifest themselves will be fascinating to watch," Burland said. "Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices?"

This article originally appeared on USA TODAY: Joe Biden wants Big Tech to be more responsible for cybersecurity