WASHINGTON — The Biden administration plans to issue a cybersecurity strategy Thursday that urges American software makers and industry to take much greater responsibility for ensuring their systems cannot be hacked, while accelerating efforts by the FBI and the Department of Defense to disrupt hackers and ransomware groups from all over the world.
For years, the government has pressured companies to voluntarily report intrusions into their systems and regularly “fix” their programs to close newly discovered vulnerabilities, much like an iPhone does with automatic updates every few weeks. But the new National Cybersecurity Strategy concludes that such voluntary efforts are insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to break into critical government and private networks.
Every administration since George W. Bush’s 20 years ago has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Biden’s version differs from previous versions in a number of ways, chiefly by calling for far greater mandates for private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of government to take offensive action to prevent cyberattacks, especially from abroad.
The Biden administration’s strategy envisions what it calls “fundamental changes in the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to implement minimal cybersecurity measures for critical infrastructure, and perhaps hold companies that fail to secure their code liable, just as automakers and their suppliers are responsible for faulty airbags or brakes.
“It just reinvents the American cybersocial contract,” said Kemba Walden, acting national cyber director, a White House position created by Congress two years ago to oversee both cyber strategy and cyber defense. “We look forward to more from those owners and operators on our critical infrastructure,” added Ms Walden, who took office last month after the country’s first national cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
The government also has a greater responsibility, she added, to bolster defenses and disrupt major hacker groups that have blocked hospital records or frozen meatpacking operations across the country.
“We have a duty to do that,” Ms Walden said, “because the Internet is now a global commons, essentially. So we expect more from our partners in the private sector, nonprofits, and industry, but we also expect more from ourselves.”
Read alongside previous cyber strategies issued by the three previous presidents, the new document reflects how cyber offense and defense have become increasingly central to national security policy.
The Bush administration never publicly acknowledged America’s offensive cyber capabilities, not even when it mounted the most sophisticated cyber attack ever directed by one state at another: a covert effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major attacks on the US government.
The Trump administration strengthened US offensive efforts against hackers and state-backed actors abroad. It also raised the alarm about Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, installing high-speed 5G networks in the United States and among its allies, fearing that the company’s control of such networks would help in Chinese surveillance or allow Beijing to shut down systems at a time of conflict.
But the Trump administration was less active in requiring American companies to put in place minimal protections on critical infrastructure, or in trying to hold those companies liable for damages if vulnerabilities they failed to address were exploited.
Imposing new forms of accountability would require major legislative changes, and some White House officials acknowledged that now that Republicans control the House, Biden may face insurmountable opposition if he seeks to pass what would amount to sweeping new corporate regulation.
Many elements of the new strategy are already in place. In some ways, it’s catching up with the steps the Biden administration took after struggling through its first year, which began with major attacks on systems used by both private industry and the military.
After a Russian ransomware group shut down operations at Colonial Pipeline, which handles much of the gasoline and jet fuel along the East Coast, the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the country’s vast network of energy pipelines. Pipeline owners and operators must now abide by far-reaching standards set largely by the federal government and, later this week, the Environmental Protection Agency is expected to do the same for water pipelines.
There are no parallel federal authorities to mandate minimum cybersecurity standards in hospitals, which are largely regulated by the state. They have been another target of attacks, from Vermont to Florida.
“We should have been doing a lot of these things years ago after cyberattacks were first used to knock out power to thousands of people in Ukraine,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, said Wednesday. She was referring to a series of attacks on the Ukrainian power grid that began seven years ago.
Now, she said, “we are literally cobbling together a sector-by-sector approach that covers critical infrastructure.”
Ms. Neuberger cited Ukraine as an example of proactively building cyber defenses and resilience: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, supporting computer servers and data centers around Kyiv and other cities that were later targets of Russian artillery. Within weeks, many of those server farms were destroyed, but the government continued to function, communicating with servers abroad using satellite systems like Starlink, also installed after the war broke out.
The strategy is also catching up with an offensive program that has become increasingly aggressive. Two years ago, the FBI began using search warrants to find and dismantle pieces of malicious code found on corporate networks. Most recently, it hacked into the networks of a ransomware group, removed “decryption keys” that would unlock the documents and systems belonging to the group’s victims, and thwarted efforts to collect large ransoms.
The FBI can operate on domestic networks; it’s up to US Cyber Command to go after Russian hacking groups like Killnet, a pro-Moscow group responsible for a series of denial-of-service attacks that began in the early days of the war in Ukraine. Cyber Command also slowed down the operations of Russian intelligence agencies around the 2018 and 2020 US elections.
But none of those are permanent solutions; some groups the US has targeted have re-formed, often under different names.
Biden’s only face-to-face meeting as president with Russia’s leader Vladimir V. Putin, in 2021 in Geneva, was driven largely by fears that growing ransomware attacks would affect the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be responsible for attacks emanating from Russian territory.
There was a hiatus for several months, and Russian authorities raided a prominent hacker group in Moscow. But that cooperation ended with the opening of the war in Ukraine.
In a speech this week at Carnegie Mellon University, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the administration’s efforts as “shifting responsibility to those entities that fail to uphold the duty of care they owe to their clients.”
“Consumers and businesses alike expect products purchased from a trusted vendor to work the way they are supposed to and not present undue risk,” Ms Easterly added, arguing that the administration needed to “move forward on legislation to prevent technology manufacturers from contractually indemnifying themselves,” a common practice few notice in the fine print of software purchases.