An ambitious and comprehensive White House cybersecurity plan released Thursday calls for strengthening protections for critical industries and holding software companies legally accountable if their products fail to meet basic standards. The strategy paper promises to use “all instruments of national power” to prevent cyber-attacks.
The Democratic administration also said it will work to impose “robust and clear limits” on private sector data collection, including geolocation and health information.
“We have a long way to go before every American is confident that cyberspace is safe for them,” acting national cyber director Kemba Walden said at an online forum Thursday. “We expect that school districts will largely go it alone with transnational criminal organizations. It’s not just unfair. It’s not effective.”
The strategy largely codifies the work already undertaken over the past two years following a spate of high-profile ransomware attacks against critical infrastructure. A 2021 attack on a major fuel pipeline, which caused panic at the pump and led to a fuel shortage on the East Coast, and other damaging attacks made cybersecurity a national priority. The Russian invasion of Ukraine has exacerbated these concerns.
The 35-page document provides the foundation for better addressing escalating threats to government agencies, the private sector, schools, hospitals and other critical infrastructure that is routinely breached. In recent weeks, the FBI, the US Marshals Service and Dish Network, among others, have been victims of hacking attacks.
“The defense rarely wins. Every few weeks someone gets horribly hacked,” said Edward Amoroso, CEO of cybersecurity firm TAG Cyber.
He called the White House strategy largely ambitious. Its boldest initiatives, including tougher regulations and software liability rules, are likely to meet opposition from businesses and Republicans in Congress.
Brandon Valeriano, a former senior adviser to the federal government’s Cyberspace Solarium Commission, agreed.
“There is a lot to experience here. There’s just a lot of detail missing,” said Valeriano, a distinguished senior fellow at Marine Corps University. “They’re making a paper that’s very pro-regulation at a time when the United States is very anti-regulation.”
The data collection component of the strategy is also expected to meet opposition in Congress, though polls show that most Americans support federal privacy laws.
In a new report, technology data firm Forrester Research said state-sponsored cyberattacks increased by nearly 100% between 2019 and 2022 and have changed in nature, with a larger percentage now being carried out for data destruction and financial theft. The threats mostly come from abroad: Russian-based cybercriminals and state-sponsored hackers from Russia, China, North Korea and Iran.
President Biden’s administration has already imposed cybersecurity regulations on certain critical industrial sectors, such as electric utilities, gas pipelines and nuclear power plants. The strategy envisages expansion into other key sectors.
In a statement accompanying the document, Biden says his administration is addressing the “systemic challenge that too much responsibility for cybersecurity has fallen on individual users and small organizations.” This would mean shifting legal responsibility to software producers and holding companies accountable rather than end users.
“As a nation, we tend to shift the responsibility for cybersecurity down the line. We call on individuals, small businesses and local governments to take on a significant burden to defend us all,” Walden said.
The White House wants to impose more responsibility on software companies.
“Too many vendors ignore secure development best practices, ship products with insecure default configurations or known vulnerabilities, and integrate unmanaged or unknown third-party software,” the document states. That needs to change, it adds, saying the White House will work with Congress and the private sector on accountability legislation.
In a speech at Carnegie Mellon University on Monday, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, drew an analogy to the auto industry before consumer advocates led by Ralph Nader pushed for safety reforms such as seatbelts and airbags: “The burden of security should never rest solely on the customer. Technology manufacturers must take responsibility for their customers’ security outcomes.”
But Amoroso, the cybersecurity expert, called this comparison misleading because software is a different beast: it is inherently complex, and hackers are constantly finding new ways to crack it. The liability initiative will likely end up in court because of industry resistance, he said. “If you’re a cybersecurity advocate, that’s manna from heaven.”
When asked if it is fair to hold software companies liable in court for damages caused by cyberattacks, industry association BSA – The Software Alliance said in a statement: “Cybersecurity is constantly evolving and provides incentives for companies to adopt best practices for secure software design and development … for the benefit of the entire ecosystem.”
The group, which includes Microsoft, Adobe, SAP, Oracle and Zoom, added, “We look forward to working with the administration and Congress on proposed legislation to promote best practices.” Amoroso said he appreciates the strategy’s positives, such as securing clean energy technologies and strengthening the cybersecurity workforce, which currently has a shortage of 700,000 workers across the country.
The document also calls for more aggressive efforts to prevent cyber-attacks using military, law enforcement, diplomatic and private sector assistance. Such offensive operations, it said, should be conducted with “greater speed, greater range and greater frequency.”
The disruption of adversaries’ cyber activities through “Forward Defense” is already underway.
The FBI and the US Cyber Command are now regularly active against cybercriminals and state-sponsored hackers in cyberspace, working with foreign partners to thwart ransomware operations and election interference in 2018 and 2020. The government has already recognized ransomware as a threat to national security, and the document says it will continue to use methods such as “hacking the hacker” to combat it.
AP reporter Rebecca Santana contributed to this report.
Source: LA Times