The Biden administration is promising to hold software developers and critical infrastructure to tougher security standards and apply more pressure on ransomware gangs as part of its first national cybersecurity strategy, released Thursday.
Why it matters: The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats.
The big picture: The strategy — which was crafted by the two-year-old Office of the National Cyber Director (ONCD) — has five “pillars”: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships.
Details: The strategy includes a wide range of tasks, from modernizing federal systems’ cybersecurity defenses to increasing offensive hacking capabilities in the intelligence community.
The strategy also declares ransomware a “threat to national security, public safety and economic prosperity,” opening a door to dedicating more intelligence community resources to fighting the problem.
- Cybersecurity requirements will continue to be baked into federal grant programs and the procurement process as an incentive for companies to improve their cybersecurity.
- The administration plans to review gaps in current cybersecurity regulations for critical infrastructure sectors to determine what new rules and regulatory powers are needed.
- The Defense Department will develop its own strategy that clarifies how U.S. Cyber Command and other offices “integrate cyberspace operations” into existing missions.
What they’re saying: “The president’s strategy fundamentally reimagines America’s cyber social contract,” Kemba Walden, acting national cyber director, told reporters during a press briefing.
- “It will rebalance the responsibility for managing cyber risk on those who are most able to bear it.”
Between the lines: Much of the national cybersecurity strategy builds on existing work already being done throughout the Biden administration, such as cracking down on ransomware gangs and reviewing what regulations are in place for critical infrastructure sectors.
- “A lot of the work we’ve done on critical infrastructure is already underway,” Anne Neuberger, deputy national security adviser for cyber and emerging tech, told reporters. “The strategy codifies the first two years of putting in minimum cybersecurity requirements for pipelines, for railways, and shortly for additional sectors we’ll be announcing.”
Yes, but: A senior administration official told reporters the administration sees the strategy as a long-term, 10-year plan, rather than something that can be implemented overnight.
- Legislation to make software makers liable for data security issues would need to pass Congress and require input from the private sector, for example.
What’s next: The Biden administration anticipates it will publicly release the implementation plan for the strategy in “the coming months,” per the senior administration official.
- The ONCD will lead implementation of the strategy and plans to submit an annual report to the president, Congress and the assistant to the president for national security affairs on the effectiveness of the strategy.
Sign up for Axios’ cybersecurity newsletter Codebook here.