The White House on Thursday released an ambitious national cybersecurity strategy that calls for new federal regulation of vulnerable critical infrastructure firms and for software makers to be held liable when their products leave gaping holes for hackers to exploit.
The strategy – shaped by major hacking incidents that threatened key public services in the first year of the Biden administration – embraces the US government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.
“We have to drive the entire ecosystem to be more cyber vigilant,” Homeland Security Secretary Alejandro Mayorkas said in an interview with CNN on Thursday.
The Biden administration will look for new regulatory authorities if necessary “to make sure that we are shoring up our critical infrastructure” in the face of advanced hacking threats “because the adversaries are not decreasing in activity, only increasing.”
Acting National Cyber Director Kemba Walden said that too often small businesses and local governments bear the brunt of cyberattacks.
“This isn’t just unfair, it’s ineffective,” Walden, a White House official, told reporters on Wednesday.
The strategy is a policy document and not law, but it could shape corporate behavior for years to come as firms compete for billions of dollars in federal contracts that increasingly require a minimum set of cybersecurity defenses. And the White House says it wants to work with Congress to develop legislation that holds software makers liable when their products and services don’t provide adequate protections from sabotage.
The goal of US government and corporate work on cybersecurity should be to “correct market failures, minimize the harms from cyber incidents to society’s most vulnerable,” a copy of the strategy states.
The strategy does not specify which sectors of the economy the administration could regulate next, but US officials have previously signaled that one area of focus could be health care. Ransomware attacks – hacks that lock up computer systems and demand a fee – have put an even greater stress on hospitals across the country struggling with the coronavirus pandemic.
So far, the Biden administration has imposed cybersecurity requirements on sectors such as aviation and oil and gas pipelines. The genesis for those regulations in many ways was a May 2021 ransomware attack by an alleged Russian-speaking hacker that shut down 5,500 miles of fuel pipelines in the US for days.
Corporations have sometimes balked at the regulations.
After oil and gas industry groups complained that cybersecurity regulations from the Transportation Security Administration were too onerous and unrealistic, the Biden administration last year revised the regulations to give pipeline operators more time to report cyber incidents to the government.
Multiple administrations, including the Trump and Obama administrations, have tried to shore up federal defenses against hacking threats and in some cases drive big changes that make agencies safer in the long term.
There has been some progress. Agencies now have more visibility into malicious cyber activity than ever before, officials say.
But in other cases, bureaucratic inertia has gotten in the way. The Government Accountability Office, a federal watchdog, says it has made over 700 public recommendations for federal agencies to improve their cyber defenses since 2010. About a fifth of the recommendations had not been implemented as of December, according to GAO.
In the last month, the US Marshals Service was hit by a ransomware attack that affected sensitive law enforcement information, and the FBI has had to deal with a cyber incident involving a computer network used in investigations of child sexual exploitation.
In the interview Thursday, Mayorkas said it was incumbent on the federal government to share what it learns from hacking incidents so the private sector can protect itself.
“The lessons learned should spread throughout the entire cyber ecosystem and not be limited to the particular domain in which it occurs,” Mayorkas told CNN.
Geopolitics has also been a roadblock to improved cybersecurity. The US has for years tried to blunt the impacts of hacking operations from Russia, China, Iran and North Korea, to limited effect. And US officials have accused all of those governments of harboring, or even enlisting, cybercriminals that attack US organizations – accusations those governments deny.
After the big pipeline hack in 2021, President Joe Biden made a big push to get Russian President Vladimir Putin to crack down on cybercriminals operating from Russia. But any chances of bilateral cooperation on cybercrime have dimmed after Russia’s full-scale invasion of Ukraine a year ago.
A senior administration official acknowledged the obstacle when rolling out the new cybersecurity strategy.
“We do have a problem where Russia is serving as a de facto safe haven for cybercrime,” the official told reporters.
In the last few years, including during the Trump administration, US officials have rallied support from allies in Europe and elsewhere to condemn alleged hacking operations from Russia and China, and to arrest cybercriminals who travel to Europe.
“[T]he criminal justice isn’t going to be able to on its own address this problem,” the senior official added, “so we do need to look at other elements of national power to be going after the threat.”
The official cited US Treasury Department sanctions on hackers and the State Department’s multi-million-dollar offers for information on criminal gangs and intelligence operatives. US military and intelligence services also conduct their own hacking operations to collect intelligence or to try to deter foreign governments in cyberspace.
“We want to shrink the surface of the earth that people can conduct malicious cyber activity with impunity,” the senior official said, “and put pressure on them and make their lives a little bit less pleasurable.”