White House cybersecurity strategy pivots to regulation
The White House has unveiled a national cybersecurity strategy calling for comprehensive regulation of the nation’s vital services, acknowledging in a 38-page blueprint that reliance on voluntary cybersecurity measures has stopped short of preventing billions in economic losses following a spike in ransomware attacks, as well as “inadequate and inconsistent outcomes” across critical infrastructure like energy pipelines, food companies, schools and hospitals.
The new framework, led by the Office of the National Cyber Director in the White House, calls out China, Russia, Iran and North Korea for aggressive cyber tactics exhibiting “reckless disregard for the rule of law” and elevates ransomware attacks, such as the 2021 Russia-linked offensive on Colonial Pipeline, to issues of national security.
“For government, we have a duty to the American people to double down on tools that only government can wield — including the law enforcement and military authorities — to disrupt malicious cyber activity and pursue their perpetrators,” Acting National Cyber Director Kemba Walden said during a briefing with reporters this week.
Senior administration officials previewing the plan noted that “the criminal justice system isn’t going to be able to on its own address this problem,” adding that the Biden administration will employ “other elements of national power” including sanctions and “rewards for justice” offerings that hamper cybercriminal operations.
“We want to shrink the surface of the earth [in which] people can conduct malicious cyber activity with impunity — to put pressure on them and make their lives a little bit less pleasurable,” one senior administration official added. “And if a criminal is restricted to living in Russia and can’t leave the borders, then perhaps that might create a bit of a deterrent effect.”
But, according to the White House strategy, it is China that “now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”
China’s growing cyber capabilities have prompted ominous warnings from U.S. officials, with growing concerns about the hijacking of U.S. telecommunications, mass-pollution of U.S. waterways or targeting of the U.S. power grid.
“Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched,” CISA Director Jen Easterly said Monday.
“As we’ve recently hit the one-year mark of the war in Ukraine, we’ve seen the cyber threat at the forefront of geopolitical crises,” said Deputy National Security Advisor Anne Neuberger, adding that the U.S. previously pushed back against Iranian intelligence services following an attack on the government networks of Albania, a NATO member.
The looming prospect of crippling cyber attacks on U.S. critical infrastructure has also motivated the Biden administration to go beyond traditional, voluntary means of information sharing and public-private partnership to impose regulations within critical sectors “that level the playing field.”
Officials stress that America’s 10-year cybersecurity roadmap will help shift the burden of cyber risk beyond consumers and ensure “companies are not trapped in a competition to underspend their peers on cybersecurity.”
But the Biden administration has already kickstarted cybersecurity mandates intended to shore up oil and gas pipelines, rail and aviation. Officials have previewed plans for the Environmental Protection Agency (EPA) to issue a rule for the water sector. A 2021 survey of 606 drinking and wastewater organizations by the Water Sector Coordinating Council found half spent less than 5% of their budget on IT security.
“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” the strategy read.
“Every American should be able to benefit from cyberspace,” said Walden. “But every American should not have the same responsibility to keep it secure. Congress previously passed legislation requiring critical infrastructure owners and operators to report to the federal government within 72 hours in the event of a major cyberattack.
“Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them,” according to the strategy.
White House officials plan to unroll a corresponding “implementation plan” in the coming months to help discharge its newly minted strategy.
The document, which will be signed by the president in the coming days, comes on the heels of major cyber incidents, including a massive ransomware attack at the world’s largest meat supplier, and a slew of ransomware attacks targeting U.S. schools and hospitals.
Most recently, the U.S. Marshals Service discovered a major cyber attack compromising some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential investigative targets.
National Cyber Director Chris Inglis stepped down from his post last month, retiring after almost two years at the helm of the agency responsible for coordinating a patchwork of agencies and offices tasked with safeguarding the nation’s critical infrastructure. President Biden has yet to nominate his replacement.