White House cybersecurity strategy to force large companies to make systems secure by design

The highly anticipated strategy document aims to deliver security improvements to the broader digital ecosystem.

A forthcoming White House cybersecurity strategy document aims to force large companies to shoulder greater responsibility for designing secure products and to redesign digital ecosystems to be more secure, Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, said at a CyberScoop event Thursday.

By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design,” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy document also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said.

According to an early draft of the document obtained by Slate — which White House officials have emphasized is not a final document — the strategy includes a wide range of mandatory regulations on American critical infrastructure companies to improve security and authorizes law enforcement and intelligence agencies to take a more aggressive approach to hacking into foreign networks to prevent attacks or to retaliate after they have occurred.

The strategy document is expected to broadly abandon the mostly voluntary approach that has defined U.S. policy in recent years in favor of more comprehensive regulation.


The Biden administration has worked to draft the strategy over the past year, an initiative that was spurred by a string of major breaches early in the administration — among them the SolarWinds and Kaseya breaches — that saw attackers exploit vulnerabilities at companies that occupy central positions in the computer security ecosystem.

Breaching these companies gave attackers access to large numbers of client systems. By mandating greater security requirements at companies that occupy these systemically important positions, the White House is looking to create security improvements for the large numbers of clients and users that rely on their services.

The recently retired National Cyber Director Chris Inglis served as the primary author of the document, and following his retirement last week, the highly anticipated strategy is expected to be released imminently.

Written by Elias Groll

Elias Groll is a senior editor at CyberScoop. He has previously worked as a reporter and editor at Foreign Policy, covering technology and national security, and at the Brookings Institution, where he was the managing editor of TechStream and worked as part of the AI and Emerging Technology Initiative. He is a graduate of Harvard University, where he was the managing editor of The Harvard Crimson.
