White House Unveils Biden's National Cybersecurity StrategyFocus Includes Critical Infrastructure Security, Secure Software Development
The White House on Thursday unveiled the Biden administration's long-awaited national cybersecurity strategy.
The strategy details challenges and threats facing the U.S., as well as priorities for addressing them.
"Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden says in his written introduction to the strategy.
One major new change introduced by the strategy is that organizations in critical infrastructure sectors, as expected, will be required to meet certain basic cybersecurity requirements. In addition, the administration wants commercial sellers and producers of software and hardware to take much more responsibility for keeping their wares secure, not least via secure development practices.
"Too much of the responsibility for cybersecurity has fallen on individual users and small organizations," Biden says.
National Cybersecurity Strategy: 5 Pillars
The new strategy replaces the 2018 national cyber strategy released by the Trump administration.
"This strategy asks more of industry but also commits more from the federal government," Acting National Cyber Director Kemba Walden said in a briefing on the new strategy. "With respect to industry, we will identify gaps and reduce burdens in existing authorities where targeted and narrow regulations are necessary to improve public safety and cybersecurity."
The new strategy has five pillars:
- Defend critical infrastructure: The strategy will set minimum cybersecurity requirements for organizations across all critical infrastructure sectors, while also seeking to expand public-private collaboration and modernize federal networks.
- Target and disrupt threat actors: The administration has vowed to use "all instruments of national power" to target malicious actors, bring more private sector expertise to bear, and continue targeting ransomware "in lockstep with our international partners."
- Use market forces to improve security and resilience: The administration wants a greater focus on "promoting privacy and the security of personal data" to drive data holders to better secure it, and it wants commercial developers and sellers of software and hardware to be liable if they fail to employ recognized security development practices.
- Invest in resilience: The strategy highlights the need to reduce vulnerabilities in foundational technology, prioritize research and development for emerging technologies such as "post-quantum encryption, digital identity solutions and clean energy infrastructure," and expand the size of the nation's cyber workforce.
- Enhance international partnerships: Promoting "responsible state behavior" as well as allies' own cybersecurity resilience and supply chain security remains a goal, as does attempting to impose costs on countries that engage in "irresponsible behavior," according to the strategy.
Challenges and Risks
As the strategy says, the COVID-19 pandemic in particular demonstrated how digital connectivity has a greater impact than ever before on the safe and secure functioning of society.
But challenges abound. Advances in technology such as the rise of artificial intelligence and quantum computing, plus the greater interconnectivity of systems and supply chains and widespread adoption of advanced operational technology, complicate attempts to build and keep systems and data secure.
On the geopolitical front, the strategy calls out in particular the risk that Chinese cyber operations and economic espionage pose to U.S. national interests. Meanwhile, cybercrime and especially ransomware - much of it emanating from safe havens such as Russia - are causing billions of dollars in damages annually.
To address these problems, the new national cybersecurity strategy builds on the administration's previous efforts, including executive orders focused on improving national cybersecurity, securing critical infrastructure control systems, and getting the U.S. government to adopt zero trust principles and cryptographic systems able to resist advances in quantum computing.
"Expanding on these efforts, the strategy recognizes that cyberspace does not exist for its own end but as a tool to pursue our highest aspirations," the White House says.
The new strategy is being coordinated by the White House's Office of the National Cyber Director, and officials say its implementation is already underway. For example, pipelines and railways have already been required to meet basic cybersecurity standards, and the Environmental Protection Agency will soon begin to require the same from the water sector.
"Water facility owners and operators will have to incorporate some cybersecurity elements in their regularized sanitary survey program, where they're looking at drinking water safety issues and equipment," said a senior administration official, speaking on condition of anonymity.
This isn't a new power being wielded by the EPA, but rather "it's an interpretation and adding additional elements into an existing authority" that will soon come into force, the official said. This will be the model for other sectors, and the administration will seek "ways to close gaps" in cybersecurity, including mandating minimum requirements for what today might be voluntary.
"The bar we're setting is not a high bar; we really are just hoping that owners and operators do the basics," the official said (see: Basics Will Block Most Ransomware Hits, Says UK Cyber Chief).
Not all goals articulated in the strategy can be achieved in the near term, officials acknowledge. In particular, "we see shifting liability as a long-term process," the senior administration official said. "When we think about this strategy, we're looking out a decade." As envisioned, the new approach would include Congress creating a "liability shield" for organizations that hew to industry-defined secure software development best practices (see: US Official Reproaches Industry for Bad Cybersecurity).
Already underway as well are advanced efforts by the administration to disrupt cybercrime. "As we continue our focus on disrupting and dismantling threat actors, we're elevating our work on ransomware, declaring ransomware a threat to national security rather than just a criminal challenge," said Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, speaking at a briefing on the new strategy.
The White House says "national power" options available to the president for disrupting cybercrime include diplomacy, law enforcement, intelligence, economic and financial tools, as well as military capabilities. Since so many criminals continue to operate from "safe havens" such as Russia, however, the White House says it has been using additional strategies, such as the State Department's Rewards for Justice program, to complicate criminals' lives as much as possible.
"We want to shrink the surface of the Earth that people can conduct malicious cyber activity with impunity and put pressure on them and make their lives a little less pleasurable," a senior administration official said. "If a criminal is restricted to living in Russia and can't leave the borders, then perhaps that might create a bit of a deterrent effect."
With reporting by ISMG's David Perera in Washington, D.C.