Biden team unveils new anti-cyberattack strategy
The new national cyber strategy will also take steps to defend forward against adversaries, and updates plans for responding to major attacks.
The Biden administration will pursue a policy of more aggressive regulation to secure critical systems like banks, electric utilities and hospitals against cyberattacks, according to a new national cyber strategy unveiled Thursday.
That approach signals a break from two decades of efforts to get companies in critical sectors to voluntarily strengthen their cybersecurity. It comes as officials are increasingly worried about cyberattacks on U.S. soil from Russia and China, and as cybercriminals ramp up “ransomware” attacks where they hold networks hostage for payments.
“Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters in a briefing about the strategy. It’s time, she said, “to implement minimum mandates.”
Neuberger pointed to work already done by the Transportation Security Administration to secure pipelines and railroads against attacks, and said that additional sectors where cybersecurity regulations will be put in place will be announced soon.
The plan — put together by the White House’s Office of the National Cyber Director — is the first new cyber strategy in five years, and serves as a roadmap for setting out the administration’s goals for securing the nation in cyberspace. A senior administration official said that the White House is working on an “implementation plan” to put into action the goals the strategy lays out. The plan will be released in the coming months. The White House provided the briefing to reporters on the condition that the official be granted anonymity.
It’s been a rough few years for those trying to protect U.S. networks from hackers. In May 2021, Russian-linked hackers launched a ransomware attack against Colonial Pipeline that forced the company to temporarily shut down the flow of gas to the East Coast for a week. Similar strikes hit food supply lines. And the Russian invasion of Ukraine last year led to major cyber threats against the U.S. electric grid and other critical infrastructure sectors from Russian hackers.
The strategy outlines a vision for the federal government to use existing authorities to protect critical sectors from cyberattacks. Where there are “gaps” in relevant authorities, the strategy reads, the administration will work with Congress to build new regulatory tools over key sectors. The strategy also says the government may need to provide resources to critical infrastructure groups that may not have the funds to afford to implement the new requirements.
The strategy seeks to “rebalance the responsibility for cyber risk to those who are most able to bear it,” Acting National Cyber Director Kemba Eneas Walden told reporters in the briefing. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
The industry has long pushed back against greater cyber regulations, and it’s something that Congress has hesitated to move on. The White House brought representatives in from across industries to review the strategy as it was being developed last year, and the senior administration official stressed that the new regulations would not be complex.
“The bar we’re setting is not a high bar, we’re really just hoping that owners and operators do the basics,” the official said.
POLITICO reached out to a number of industry groups about the administration's plan to more heavily regulate critical sectors at risk of hacks, but did not get responses. In publicly released statements, such groups were measured and cautious in their language, and did not directly address the strategy's emphasis on regulation.
Jonathan Spalter, president and CEO of USTelecom, which represents broadband groups including AT&T and Verizon, said that already, "broadband providers across the country are deeply committed to enhancing our nation's cybersecurity."
“Makers of enterprise software take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats,” said Victoria Espinel, president and CEO of software trade group BSA, the Software Alliance.
The strategy also makes clear that the U.S. plans to be aggressive against foreign adversaries who try to hack into American networks.
The U.S. “will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” the strategy says. This will include the Defense Department updating its cyber strategy to better integrate operations in cyberspace into overall defensive measures against adversary nations, and stepping up efforts to disrupt hacking groups that use ransomware to shut down networks and demand payments to turn services back on. A major part of this is declaring ransomware a national security threat, not just a criminal concern.
The strategy also outlines a plan to increase coordination across the federal government so that agencies can nimbly respond to a major cyberattack. According to the document, the Cybersecurity and Infrastructure Security Agency will update the National Cyber Incident Response Plan to enhance coordination across all agencies involved in cybersecurity issues, such as TSA or the Department of Energy.
On the international front, the strategy calls for the Biden administration to “develop mechanisms” to help identify when and how to respond to cyberattacks on other countries, such as last year’s widespread attacks on Albania, which were linked to Iran and condemned by the U.S. and other countries.
While many experts praised the strategy's overall approach, some key Republicans expressed opposition to the regulation portion of the plan. House Homeland Security Committee Chair Mark Green (R-Tenn.) and cyber subcommittee Chair Andrew Garbarino (R-N.Y.) said in a joint statement Thursday that the strategy only adds more "red tape."
"The Biden administration must prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this strategy," Green and Garbarino said.
However, a number of Republicans and Democrats who have been involved in U.S. government cybersecurity efforts commended the overall approach.
“The notion that we can do this all on a voluntary basis, the risk-reward is just too great,” Senate Intelligence Committee Chair Mark Warner (D-Va.) said Thursday. He pointed to the threat nation states pose to critical infrastructure in the absence of stronger cybersecurity requirements, and warned that “we have still not seen the worst of Russian potential.”
Brian Harrell, the former assistant secretary for infrastructure protection at the Department of Homeland Security under the Trump administration, said new regulations will make it easier to ensure products are designed with more protections from the start.
“Building security into the product from the beginning, rather than a bolt-on after the fact is a more secure and cost-conscious approach,” Harrell said. “Of course, it’s not possible to eliminate all defects, but right now there’s little incentive — beyond just general market reputation — to invest in a dramatic reduction of cyber vulnerabilities.”
John Costello, who recently left his position as chief of staff to the Office of the National Cyber Director, said that the new emphasis on regulation reflects a recognition within the government that there has been “a massive shift in the [technology] ecosystem” as the country has grown more reliant on digital service providers.
However, “regulation, legislation, and an understanding of that risk and opportunity has not kept pace with these changes,” he said. The strategy “finally aligns the U.S. government position with what analysts and public policy people have been calling on for years, which is all this stuff is great, but it isn’t working.”