SHORING UP CYBERSECURITY —

Biden administration wants to hold companies liable for bad cybersecurity

Amid an onslaught of cyberespionage and ransomware, Biden calls on tech to step up.


The Biden administration on Thursday (March 2, 2023) pushed for new mandatory regulations and liabilities to be imposed on software makers and service providers in an attempt to shift the burden of defending US cyberspace away from small organizations and individuals.

“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated updated National Cybersecurity Strategy document. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.”

Increasing regulations and liabilities

The 39-page document cited recent ransomware attacks that have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services. One of the most visible such attacks occurred in 2021 with a ransomware attack on the Colonial Pipeline, which delivers gasoline and jet fuel to much of the Southeastern US. The attack shut down the vast pipeline for several days, prompting fuel shortages in some states.

In the wake of that attack, the administration imposed new regulations on energy pipelines. Thursday’s strategy document signaled that similar frameworks are likely coming to additional industries.

“Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation,” the document stated. “New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”

Another key focus of the strategy is favoring long-term investments by “striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”

One of the initiatives that’s likely to be among the most controversial for the tech industry is the push to hold companies liable for vulnerabilities in their software or services. Under existing legal frameworks, these companies often face little, if any, legal consequences when their products or services are exploited, even when the vulnerabilities result from insecure default configurations or known weaknesses.

“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” the document stated. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”

Five pillars

The document lists five “pillars” to these objectives. They are:

1. Defending critical infrastructure. Besides expanding regulations on critical sectors, the plan calls for enabling public-private collaboration in defending critical infrastructure and public safety and defending and modernizing federal networks and federal incident responses.

2. Disrupting and dismantling threat actors to blunt their threat to national security and public safety. Means for achieving this include employing “all tools of national power” to thwart threat actors, engaging the private sector to do the same, and addressing the threat of ransomware through a comprehensive federal approach that’s coordinated with international partners.

3. Shaping market forces to boost security and resilience. This includes giving responsibility to those within the digital ecosystem in the best position to reduce risk. This pillar emphasizes promoting the privacy and security of private data, shifting liability on software and services, and ensuring federal grant programs foster investments in new, more secure infrastructure.

4. Investing in a resilient future through “strategic investments and coordinated, collaborative action.” This would include reducing vulnerabilities across the digital ecosystem, making it more resilient against transnational repression, prioritizing cybersecurity research and development, and creating a more robust national cybersecurity workforce.

5. Forging international partnerships to achieve common goals. Some of the means for accomplishing this objective are by implementing or leveraging international coalitions and partnerships to counter threats, increasing the cybersecurity defense capabilities of partners, and working with allies.

The last time a president laid out a national cybersecurity blueprint was in 2018 under President Donald Trump. In the five years since, the US has experienced a flurry of damaging cyberattacks. Besides the Colonial Pipeline, they include the SolarWinds supply chain attack that came to light in December 2020. By compromising SolarWinds' software build and distribution system, threat actors working on behalf of the Kremlin pushed a trojanized update to roughly 18,000 customers who used the Orion network management product. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations.

Ransomware attacks are now more common than five years ago. In the strategy, administration officials wrote:

Given ransomware’s impact on key critical infrastructure services, the United States will employ all elements of national power to counter the threat along four lines of effort: (1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.

The document also reclassifies ransomware as a national security threat, whereas previously, it was seen as a criminal threat.

The plan will be coordinated by the National Security Council, the White House’s Office of Management and Budget, and the Office of the National Cyber Director. Those bodies will provide annual reports to the president and the US Congress on the plan's implementation and effectiveness, and will issue guidance each year to federal agencies. The White House also published a fact sheet summarizing the plan.
