The Biden administration’s national cybersecurity strategy seeks to impose minimum security standards for critical infrastructure and to shift the responsibility for maintaining the security of computer systems away from consumers and small businesses onto larger software makers.
Released Thursday, the White House’s long-awaited strategy for improving the security of computer systems represents a shift in how Washington approaches cybersecurity, veering from the government’s long-standing emphasis on information sharing and collaboration toward a more strictly regulated approach.
The strategy calls for critical infrastructure owners and operators to meet minimum security standards, for software companies to be exposed to liability for flaws in their products, and for the U.S. to use all elements of its national power to prevent cyberattacks before they happen, an indication that the Biden administration intends to continue U.S. Cyber Command’s so-called “defend forward” strategy of seeking out malicious hackers on foreign networks.
The national cybersecurity strategy “fundamentally reimagines America’s cyber social contract,” Kemba Walden, the acting national cyber director, told reporters in a call Wednesday previewing the strategy. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
“The biggest, most capable and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” Walden said.
Critical infrastructure security standards
After years in which most critical infrastructure operators relied largely on voluntary guidelines to shape their approach to cybersecurity, a policy the strategy document argues has “resulted in inadequate and inconsistent outcomes,” the White House now calls for “minimum standards” for owners and operators. Those standards are to be performance-based and built on existing frameworks, such as the Cybersecurity and Infrastructure Security Agency’s cybersecurity performance goals or the National Institute of Standards and Technology’s cybersecurity framework for critical infrastructure.
But what these new regulations will look like, and what security dividends they deliver to the sectors they cover, depend entirely on implementation, experts note. The administration is leaving the details of implementation to the agencies that oversee the various critical infrastructure industries. States and independent regulators will also play a role in shaping any future regulation. The outcome of that reform process is highly uncertain.
Cyberattacks in recent years on critical infrastructure, such as the Colonial Pipeline ransomware attack that halted fuel deliveries to the East Coast, have spurred a move toward more stringent regulation, including the first-ever cybersecurity mandates for the pipeline industry. The Colonial Pipeline attack was not technically sophisticated, but its impact was widespread: it raised gas prices and created a public panic that led to long lines at the pump.
Shortly thereafter, the Transportation Security Administration issued security directives for the pipeline industry and is now working on a permanent rule. The pipeline attack, along with others such as the ransomware attack on the meat supplier JBS, created demand for stricter, enforceable mandates on the companies that provide basic services such as energy, water and wastewater, and health care, among the 16 critical infrastructure sectors.
The embrace of mandatory standards is a stark departure from the Trump administration, whose 2018 national cyber strategy highlighted market incentives as the key driver of improved cybersecurity resilience. The move builds on earlier efforts to write enforceable security standards, most notably in the energy industry (the NERC CIP standards for the bulk electric system, for example), and Thursday’s document makes clear that similar measures are coming for other critical infrastructure sectors.
“A lot of the work we’ve done on critical infrastructure is already underway,” said Anne Neuberger, the deputy national security adviser for cyber and emerging technology. “The strategy codifies the first two years of putting in place minimum cybersecurity requirements.”
Indeed, the Biden administration has already taken several steps to improve industrial cybersecurity. In 2021, Biden signed a national security memorandum establishing the Industrial Control Systems Cybersecurity Initiative, a series of sector-by-sector 100-day sprints aimed at improving visibility into operational technology networks. CISA has also released cross-sector cybersecurity performance goals, with sector-specific goals planned for the near future.
But many critical infrastructure sectors, including water and wastewater, currently have no minimum security standards. The water industry has released guidelines of its own, and the EPA is set to release a memo adding cybersecurity questions to the sanitary surveys states conduct of drinking water systems. That memo has drawn fierce pushback from both industry and cybersecurity experts, who argue that the inspectors who conduct the surveys lack the expertise to audit industrial cybersecurity defenses.
The strategy also calls out the need to harmonize future regulations, which has been a key demand from critical infrastructure businesses that have to report to multiple agencies with sometimes overlapping or confusing jurisdiction.
“I don’t think we want to have 16 completely different sets of cybersecurity regulations. We do not want to have different reporting requirements and different timeframes and different prescriptive sort of standards,” said Marty Edwards, vice president of operational technology security at Tenable and former director of ICS-CERT. Edwards cautioned that industry is likely to push back against additional regulation.
By harmonizing regulations, the strategy seeks to reduce the cost of compliance, and it calls on regulators to work with industry to determine how to pay for new or updated requirements. But new regulations will take time to write and implement, likely years, some experts note, and may require additional authorities (and bigger budgets) for the agencies that oversee critical infrastructure sectors.
In writing minimum security standards, the Biden administration plans to go sector by sector, assessing where a catastrophic cyberattack would have the greatest impact and how far each sector has to go to improve its security. “We’ve taken up a sector by sector approach in looking at each critical infrastructure sector and thinking about one of the ways that we can improve this cybersecurity posture within that sector,” said a senior administration official speaking on condition of anonymity.
The strategy also names cloud-based services as candidates for potential regulation, a welcome move according to Mark Montgomery, senior director of the Center on Cyber Technology and Innovation at the Foundation for Defense of Democracies. “Cloud service providers are a part of our long-term solution for securing our critical infrastructure, particularly for utilities, state and local governments,” he said. “If we’re going to rely on them to be such a critical element of our national security, we have to ensure that they’re meeting the standards the government believes in.”
Software liability
Computer security experts have called for software makers to face some form of liability for insecure code for the past two decades. Exposing software makers to liability, however, is something of a third rail in cybersecurity, since it could open tech companies to hugely expensive lawsuits and stiff fines. Get it wrong, critics of software liability reform argue, and you could kill the software industry.
The White House strategy document plants a flag in this debate on the side of those who want to expose software makers to liability. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy document argues.
By coming out in favor of software liability reform, the White House is acknowledging that the past two decades of cybersecurity policy have left the U.S. software industry with skewed incentives that allow software makers to ship flawed software to the public with few consequences. “It’s not possible to eliminate all defects, but right now there’s little incentive — beyond just general market reputation — to invest in a dramatic reduction of cyber vulnerabilities,” said Brian Harrell, the former assistant secretary for infrastructure protection at the Department of Homeland Security.
But actually imposing liability on software companies will be an uphill battle. Rather than relying on executive action, the strategy document kicks the issue over to Congress, where it faces major hurdles, both technical and political. Among the challenges is how to define the circumstances in which companies would be held liable for vulnerable code. Another is convincing a Republican-controlled House of Representatives to embrace a new regulatory regime.
To answer that question, the Biden administration plans to “begin to shape standards of care for secure software development” and to “drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” Companies that deviate from these standards would presumably be exposed to legal liability, creating an incentive for companies to meet certain minimum security thresholds and, hopefully, improve the quality of their code and products.
Asked where in the software ecosystem the administration seeks to place liability, a senior administration official speaking on condition of anonymity said that the goal is to place it “where it will do the most good.” The goal is not to target open-source software developers, for example, but big software companies. “The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices,” the official said.
Getting liability reform into law will require buy-in from both Congress and industry. “I don’t think we should just sort of throw up our hands and say Congress is dysfunctional and therefore we can’t do anything,” said Michael Daniel, CEO of Cyber Threat Alliance. “There are things where you need Congress to act. Do I have any illusions that that will be simple or easy or fast? Of course not.”
The administration official was candid about the likelihood that software liability reform will move through Congress any time soon: “We don’t anticipate that this is something where we’re going to see a new law on the books within the next year.”
“We see shifting liability as a long-term process,” the official said. By establishing what better software development practices look like and then establishing a liability shield in cooperation with Congress, the Biden administration is playing a long game. “We’re looking out a decade,” the official said.
Though the software industry has historically been skeptical of software liability reform, a key trade group reacted cautiously to Thursday’s strategy document. In a statement, Victoria Espinel, the president and CEO of BSA | The Software Alliance, described the document as “thoughtful,” said that “makers of enterprise software take seriously their responsibilities to customers and the public,” and added that her organization looks forward to working with the administration “to advance shared priorities” that “will produce the greatest benefit.”
A more aggressive approach
Thursday’s strategy document broadly reiterates several themes of the Biden administration’s approach to cybersecurity, including on deterrence, investments and privacy. To tackle the scourge of ransomware, the U.S. government has sought to disrupt online criminal actors at the source, including by carrying out operations on foreign computer infrastructure. The cyber strategy calls for that effort to be strengthened.
“Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals,” the strategy argues.
During the Trump administration, Cyber Command received far freer rein to carry out operations on foreign computer systems, and the Biden administration has largely maintained that aggressive approach. Thursday’s strategy document makes clear that these efforts will continue. “We are certainly in a more forward leaning position to make sure that we’re protecting the American people from these threats,” a senior administration official said.
The cyber strategy also calls for information-sharing efforts to be better integrated across the government’s many cybersecurity centers, such as the Joint Cyber Defense Collaborative at CISA and the FBI-led National Cyber Investigative Joint Task Force. The document also calls for the federal government’s response plans to be updated and its defenses modernized. The speed of intelligence sharing must be improved and public-private collaboration enhanced, it argues.
The strategy also makes clear that service providers have a responsibility to act as stewards of consumer data well before threat actors strike. It reiterates Biden’s call in his State of the Union address for legislation imposing clear limits on how companies collect and use data, with strong protections for sensitive data such as health and geolocation data.
The strategy calls for building international coalitions to share cybersecurity threat information and advance a vision of internet governance that “promotes secure and trusted data flows, respects privacy, promotes human rights, and enables progress on broader challenges.” The document notes that preserving the free and open web will require sustained engagement with international standard-setting bodies.
Tonya Riley contributed reporting to this article.