WASHINGTON — The Biden administration plans to unveil a cybersecurity strategy Thursday that calls for software makers and U.S. industry to take more responsibility for ensuring their computers can’t be hacked, while the FBI and Defense Department step up efforts to disrupt hackers and ransomware. Groups around the world.
For years, companies have had to voluntarily report intrusions into their systems and regularly “patch” their programs to close newly discovered vulnerabilities, something the iPhone does with automatic updates every few weeks. But the new National Cyber Security Strategy concludes that such voluntary efforts are insufficient in a world of persistent efforts by sophisticated hackers backed by the likes of Russia, China, Iran or North Korea.
20 years ago George W. Every administration since the Bush administration, once in office, has released a cybersecurity strategy of some sort. But it differs from President Biden’s previous versions in several respects, chiefly by emphasizing greater mandates on private industry, which controls the majority of the nation’s digital infrastructure, and by expanding the government’s role to take offensive measures to preempt cyberattacks. Especially from abroad.
The Biden administration’s strategy calls for “fundamental changes in the fundamental dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to implement minimum cybersecurity measures for critical infrastructure — and could impose liability on companies that fail to protect their code, just as automakers and their suppliers are held liable for faulty airbags or defects. brakes.
“It’s renegotiating the American cyber social contract,” said Kemba Walton, acting national cyber director, a White House position created by Congress two years ago that oversees both cyber strategy and cyber defense. “We expect more from those owners and operators of our critical infrastructure,” said Ms. Walton, who last month replaced the nation’s first national Internet director, Chris Inglis, a former deputy director of the National Security Agency.
He added that the government has a greater responsibility to strengthen security and disrupt major hacking groups that have locked up hospital records or crippled the operations of meatpackers across the country.
“We have an obligation to do that,” Ms. Walton said, “and the Internet is now a global commons, basically. So we expect more from our partners in the private sector and nonprofits and industry, but we also expect more from ourselves.
Read alongside past cyber strategies issued by the previous three presidents, the new document reflects how cybercrime and security have become increasingly central to national security policy.
While the Bush administration has not publicly acknowledged US offensive cyber capabilities, it has carried out the most sophisticated cyber attack directed by one state against another: a covert attempt to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration has been reluctant to name Russia and China as the forces behind major hacks of the US government.
The Trump administration has strengthened US offensive efforts against hackers and state-sponsored actors abroad. China’s telecoms giant Huawei, accused of being an arm of the Chinese government, has also raised alarm over the deployment of high-speed 5G networks in the US and allied countries, fearing the company’s control over such networks could help China. Allowing Beijing to shut down systems during surveillance or conflict.
But the Trump administration has been less proactive in requiring U.S. companies to establish minimum protections for critical infrastructure or to hold those companies accountable for damage if vulnerabilities they left unattended are exploited.
How Times reporters see politics We trust our journalists to be independent observers. So when Times employees vote, they are not allowed to endorse or campaign for candidates or political causes. This includes participating in marches or rallies in support of a movement or giving money or raising money for any political candidate or election cause.
Imposing new kinds of responsibilities would require major legislative changes, and some White House officials said that since Republicans now control the House, Mr. They acknowledged that Biden would face insurmountable opposition if he sought to pass the equivalent of new corporate regulations.
Many elements of the new strategy are already in place. In some ways, the Biden administration is catching up to the steps it took after struggling in its first year, which began with major hacks of systems used by both private industry and the military.
After a Russian ransomware group shut down the Colonial Pipeline, which handles much of the gasoline and jet fuel on the East Coast, the Biden administration used little-known law enforcement officials from the Transportation Security Administration to regulate the nation’s vast energy network. Pipes. Pipeline owners and operators now must submit to far-reaching standards set mostly by the federal government, and later this week, the Environmental Protection Agency is expected to do the same for water pipes.
There are no equivalent federal authorities requiring minimum standards of cybersecurity in hospitals, which are often regulated by the state. They are another target of attacks from Vermont to Florida.
“We should have done these things years ago, after cyberattacks were first used to disrupt electricity for thousands of people in Ukraine,” said Mr. Ann Neuberger, Biden’s deputy national security adviser, said Wednesday. He was referring to a series of attacks on the Ukrainian power grid that began seven years ago.
Now, he said, “we’re really putting together a sector-by-sector approach that includes critical infrastructure.”
Mrs. Neuberger cited Ukraine as an example of pioneering cyber defenses and building resilience: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government functions to the cloud, backing up computer servers and data centers. Around Kiev and other cities were later targets for Russian artillery. Within weeks, many of those server farms were destroyed, but the government continued to operate, using satellite systems such as Starlink to communicate with servers overseas, brought in after the outbreak of war.
The strategy is catching up with an offensive plan that has become increasingly aggressive. Two years ago, the FBI began using search warrants to find and remove pieces of malicious code found on corporate networks. Most recently, it hacked a ransomware group’s networks, removed “decryption keys” that unlocked documents and systems belonging to the group’s victims, and thwarted efforts to collect large ransoms.
The FBI can operate on domestic networks; The U.S. Cyber Command is responsible for pursuing Russian hacking groups, such as Gilnet, a pro-Moscow group responsible for a series of denial-of-service attacks since the early days of the war for Ukraine. The cyber command slowed down the activities of Russian intelligence agencies in the 2018 and 2020 US elections.
But none of them are permanent solutions; Some of the groups the US has targeted have reinvented themselves, often under different names.
In Geneva in 2021, the President of Russia Vladimir V. Mr. Putin as president. Biden’s only face-to-face meeting came amid fears that rising ransomware attacks are affecting the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government must take responsibility for attacks emanating from Russian territory.
There was a lull for a few months, and a prominent hacking group was raided by Russian authorities in Moscow. But that cooperation ended with the outbreak of war in Ukraine.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the administration’s efforts in a speech at Carnegie Mellon University this week as “shifting responsibility onto companies that fail to meet their duty of care to their customers.” .”
“Consumers and businesses expect products purchased from a reputable supplier to perform as they expect and not introduce excessive risk,” Ms. Easterly said, adding that “the administration should advance legislation that prevents technology manufacturers from disclaiming responsibility.” Agreement,” is a common practice that some people notice in the fine print of software purchases.