Biden’s Cybersecurity Strategy Assigns Responsibility to Tech Firms
WASHINGTON — The Biden administration plans to issue a cybersecurity strategy on Thursday that calls on software makers and American industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the F.B.I. and the Defense Department to disrupt hackers and ransomware groups around the world.
For years, the government has pressed companies to voluntarily report intrusions in their systems and regularly “patch” their programs to shut down newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks. But the new National Cybersecurity Strategy concludes that such voluntary efforts are insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks.
Every administration since that of George W. Bush, 20 years ago, has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Biden’s differs from previous versions in several respects, chiefly by urging far greater mandates on private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of the government to take offensive action to pre-empt cyberattacks, especially from abroad.
The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to enact minimum cybersecurity measures for critical infrastructure — and, perhaps, impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty airbags or defective brakes.
“It just reimagines the American cybersocial contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago to oversee both cyberstrategy and cyberdefense. “We are expecting more from those owners and operators in our critical infrastructure,” added Ms. Walden, who took over last month after the country’s first national cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
The government also has a heightened responsibility, she added, to shore up defenses and disrupt the major hacking groups that have locked up hospital records or frozen the operations of meatpackers around the country.
“We have a duty to do that,” Ms. Walden said, “because the internet is now a global commons, essentially. So we expect more from our partners in the private sector and the nonprofits and industry, but we also expect more of ourselves.”
Read alongside past cyberstrategies issued by the previous three presidents, the new document reflects how cyberoffense and -defense have become increasingly central to national security policy.
The Bush administration never publicly acknowledged American offensive cybercapabilities, even as it mounted the most sophisticated cyberattack one state has ever directed at another: a covert effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major hacks of the U.S. government.
The Trump administration bolstered American offensive initiatives against hackers and state-backed actors abroad. It also raised the alarm about having Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, set up high-speed 5G networks in the United States and among allies, fearing the company’s control of such networks would aid in Chinese surveillance or allow Beijing to shut down systems at a time of conflict.
But the Trump administration was less active in requiring American companies to establish minimum protections on critical infrastructure, or seeking to make those firms liable for damage if vulnerabilities they left unaddressed were exploited.
How Times reporters cover politics. We rely on our journalists to be independent observers. So while Times staff members may vote, they are not allowed to endorse or campaign for candidates or political causes. This includes participating in marches or rallies in support of a movement or giving money to, or raising money for, any political candidate or election cause.
Imposing new forms of liability would require major legislative changes, and some White House officials acknowledged that with Republicans now controlling the House, Mr. Biden may face insurmountable opposition if he seeks to pass what would amount to sweeping new corporate regulation.
Many elements of the new strategy are already in place. In some ways, it is catching up with steps the Biden administration took after struggling through its first year, which began with major hacks of systems used by both private industry and the military.
After a Russian ransomware group shut down the operations of Colonial Pipeline, which handles much of the gasoline and jet fuel along the East Coast, the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the nation’s vast network of energy pipelines. Pipeline owners and operators are now required to submit to far-reaching standards set largely by the federal government, and later this week, the Environmental Protection Agency is expected to do the same for water pipelines.
There are no parallel federal authorities for requiring minimum standards of cybersecurity at hospitals, which are largely state regulated. They have been another target of attacks, from Vermont to Florida.
“We should have been doing many of these things years ago after cyberattacks were first used to disrupt power to thousands of people in Ukraine,” Anne Neuberger, Mr. Biden’s deputy national security adviser for cyber and emerging technologies, said on Wednesday. She was referring to a series of attacks on the Ukrainian power grid that began seven years ago.
Now, she said, “we are literally cobbling together an approach sector by sector that covers critical infrastructure.”
Ms. Neuberger cited Ukraine as an example of proactively building up cyberdefenses and resiliency: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, backing up computer servers and data centers around Kyiv and other cities that were later targets for Russian artillery. Within weeks, many of those server farms were destroyed, but the government kept running, communicating to servers abroad using satellite systems like Starlink, also brought in after the war broke out.
The strategy is also catching up with an offensive program that has become increasingly aggressive. Two years ago, the F.B.I. began to use search warrants to find and dismantle fragments of malicious code found on corporate networks. More recently, it hacked into the networks of a ransomware group, removed the “decryption keys” that would unlock documents and systems belonging to the group’s victims and foiled efforts to collect large ransoms.
The F.B.I. can operate in domestic networks; it is up to the U.S. Cyber Command to go after Russian hacking groups like Killnet, a pro-Moscow group responsible for a series of denial-of-service attacks starting in the early days of the war for Ukraine. The Cyber Command also slowed the operations of Russian intelligence agencies around the 2018 and 2020 American elections.
But none of those are permanent solutions; some groups the United States has targeted have formulated themselves anew, often under different names.
Mr. Biden’s only face-to-face meeting as president with Russia’s leader, Vladimir V. Putin, in 2021 in Geneva, was driven largely by the fear that rising ransomware attacks were affecting the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be held responsible for attacks emanating from Russian territory.
There was a lull for a number of months, and a prominent hacking group was raided by Russian authorities in Moscow. But that cooperation ended with the opening of the war in Ukraine.
In a speech this week at Carnegie Mellon University, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the efforts of the administration as “shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”
“Consumers and businesses alike expect that products purchased from a reputable provider will work the way they are supposed to and not introduce inordinate risk,” Ms. Easterly added, arguing that the administration needed to “advance legislation to prevent technology manufacturers from disclaiming liability by contract,” a common practice that few notice in the fine print of software purchases.