On Thursday, the Biden administration proposed new mandatory regulations and liabilities for software and service providers, aiming to shift the cost of cyber defense away from small businesses and individuals.
Government officials wrote in the long-anticipated update to the National Cybersecurity Strategy:
“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.”
“End users shoulder too much cyber risk mitigation. Individuals, small enterprises, state and local governments, and infrastructure operators have limited resources and competing agendas, yet their actions can affect national cybersecurity.”
Increased regulations and liabilities
The 39-page document cites recent ransomware attacks that hit hospitals, schools, government agencies, pipeline operators, and other critical infrastructure and essential services. In 2021, a ransomware attack on Colonial Pipeline, which supplies gasoline and jet fuel to the southeastern US, made headlines. The attack shut down the massive pipeline for days, causing fuel shortages in some areas.
After that incident, the administration regulated energy pipelines. Thursday’s strategy release hinted at more industry-wide guidelines:
“Our strategic environment requires modern and nimble cybersecurity regulatory frameworks customized for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private partnership, and aware of the cost of implementation,” the document stated. “New and revised cybersecurity regulations must fulfill the needs of national security and public safety, as well as the security and safety of persons, regulated businesses, and their employees, customers, operations, and data.”
“Striking a careful balance between protecting ourselves against pressing challenges today and concurrently strategically planning for and investing in a resilient future is another strategic goal.”
The push to make firms accountable for flaws in their software or services is sure to be divisive in the IT industry. Today, even when their products or services are exploited because of unsafe default configurations or known deficiencies, these corporations rarely face legal consequences.
The document read: “We must begin to shift accountability onto those businesses who fail to take reasonable efforts to safeguard their software while acknowledging that even the most modern software security tools cannot avoid all vulnerabilities. Software companies must be free to innovate, but they must also be held accountable when they fail to meet their duty of care to consumers, enterprises, or vital infrastructure providers.”
Five “pillars” support these goals:
- Protecting key infrastructure. The initiative also encourages public-private collaboration to protect key infrastructure, public safety, and federal networks and incident responses.
- Disrupting and destroying threat actors to protect national security and public safety. This can be done by using “all levers of the national authority” to stop threat actors, enlisting the private sector, and taking a coordinated federal response against ransomware.
- Influencing market forces for security and resilience. This includes assigning risk-reduction responsibility to those in the digital ecosystem best positioned to bear it. This pillar promotes data privacy and security, shifts liability onto software and service providers, and ensures federal grant programs support modern, secure infrastructure.
- “Strategic investments and coordinated, collaborative action” for resilience. This includes minimizing digital ecosystem vulnerabilities, making it more resilient to international repression, prioritizing cybersecurity research and development, and strengthening the national cybersecurity workforce.
- Forming worldwide alliances to attain these aims. Using multinational coalitions and alliances to address threats, expanding partners’ cybersecurity defense capabilities, and engaging with allies can achieve this goal.
The last national cybersecurity strategy was Trump’s 2018 plan. In the five years since, cyberattacks have plagued the US, including the December 2020 SolarWinds supply chain attack and the Colonial Pipeline incident. The Kremlin’s cyber actors infiltrated SolarWinds’ software distribution system and spread malware to 18,000 network management customers. The hackers then delivered follow-up payloads to 10 US federal agencies and 100 private entities.
Five years ago, ransomware was rare. Officials wrote:
“Given ransomware’s impact on key critical infrastructure services, the United States will employ all elements of national power to counter the threat along four lines of effort:
- “Leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals
- Investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors.
- Bolstering critical infrastructure resilience to withstand ransomware attacks
- Addressing the abuse of virtual currency to launder ransom payments.”
Ransomware is now treated as a national security threat, not merely a criminal one
The National Security Council, the White House Office of Management and Budget, and the National Cyber Director will coordinate the plan. Those bodies will report annually to the president and Congress on the plan’s implementation and effectiveness, and will advise federal departments each year. This White House brochure summarizes the plan.