White House cybersecurity strategy to force large companies to make systems secure by design
A forthcoming White House cybersecurity strategy document aims to force large companies to shoulder greater responsibility for designing secure products and to redesign digital ecosystems to be more secure, Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, said at a CyberScoop event Thursday.
By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design,” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy document also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said.
According to an early draft of the document obtained by Slate — which White House officials have emphasized is not a final document — the strategy includes a wide range of mandatory regulations on American critical infrastructure companies to improve security and authorizes law enforcement and intelligence agencies to take a more aggressive approach to hacking into foreign networks to prevent attacks or retaliate after they have occurred.
The strategy document is expected to broadly abandon the mostly voluntary approach that has defined U.S. policy in recent years in favor of more comprehensive regulation.
The Biden administration has worked to draft the strategy over the past year, an initiative that was spurred by a string of major breaches early in the administration — among them the SolarWinds and Kaseya breaches — that saw attackers exploit vulnerabilities at companies that occupy central positions in the computer security ecosystem.
Breaching these companies allowed attackers access to large numbers of client systems, and by mandating greater security requirements at companies that occupy these systemically important positions, the White House is looking to create security improvements for the large numbers of clients and users that rely on their services.
The recently retired National Cyber Director Chris Inglis served as the primary author of the document, and following his retirement last week, the highly anticipated strategy is expected to be released imminently.