The Biden administration wants to hold companies accountable for inadequate cybersecurity

On Thursday, the Biden administration pushed for new mandatory rules and obligations for software makers and service providers in an effort to shift the burden of protecting US cyberspace away from small organizations and individuals.

“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated updated National Cybersecurity Strategy. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.”

Strengthening regulatory requirements and liabilities

The 39-page document cites recent ransomware attacks that disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and vital services in the United States. One of the most notable such attacks occurred in 2021, when ransomware hit Colonial Pipeline, which supplies gasoline and jet fuel to much of the southeastern United States. The attack shut down the huge pipeline for several days, leading to fuel shortages in some states.

In the wake of this attack, the administration implemented new regulations on energy pipelines. A policy document published on Thursday signals that similar rules are likely to be introduced in other industries.

“Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation,” the document stated. “New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”

Another key focus of the strategy is to promote long-term investment by “striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”

One initiative that is likely to be among the most controversial for the tech industry is the push to hold companies accountable for vulnerabilities in their software or services. Under the current legal framework, these companies often face little (if any) legal consequence when vulnerabilities in their products or services are exploited.

“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” the document stated. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”

Five pillars

The document lists five “pillars” for achieving these goals:

  1. Defending critical infrastructure. Besides expanding regulations on critical sectors, the plan calls for enabling public-private collaboration in defending critical infrastructure and public safety and defending and modernizing federal networks and federal incident responses.
  2. Disrupting and dismantling threat actors, to blunt their threat to national security and public safety. Means for achieving this include employing “all tools of national power” to thwart threat actors, engaging the private sector to do the same, and addressing the threat of ransomware through a comprehensive federal approach that’s coordinated with international partners.
  3. Shaping market forces to boost security and resilience. This includes giving responsibility to those within the digital ecosystem in the best position to reduce risk. This pillar emphasizes promoting the privacy and security of private data, shifting liability on software and services, and ensuring federal grant programs foster investments in new, more secure infrastructure.
  4. Investing in a resilient future through “strategic investments and coordinated, collaborative action.” This would include reducing vulnerabilities across the digital ecosystem, making it more resilient against transnational repression, prioritizing cybersecurity research and development, and creating a more robust national cybersecurity workforce.
  5. Forging international partnerships to achieve common goals. Some of the means for accomplishing this objective are by implementing or leveraging international coalitions and partnerships to counter threats, increasing the cybersecurity defense capabilities of partners, and working with allies.

The last time a US president laid out a national cybersecurity plan was in 2018 under Donald Trump. In the five years since then, the US has experienced a flurry of devastating cyber attacks. In addition to Colonial Pipeline, they include the supply chain attack on SolarWinds, which became known in December 2020. By compromising SolarWinds’ software distribution system, attackers working on behalf of the Kremlin distributed malware to approximately 18,000 customers using the product for network management. The attackers then used that foothold to breach about 10 US federal agencies and about 100 private organizations.

Ransomware attacks are also more common now than they were five years ago. The strategy, written by administration officials, states:

“Given ransomware’s impact on key critical infrastructure services, the United States will employ all elements of national power to counter the threat along four lines of effort: (1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.”

The document also reclassifies ransomware as a threat to national security, whereas it was previously considered a criminal threat.

The plan will be coordinated by the National Security Council, the White House’s Office of Management and Budget, and the Office of the National Cyber Director. Those bodies will provide annual reports to the president and the US Congress on the plan’s implementation and effectiveness, and will also issue guidance each year to federal agencies. The White House provided this newsletter with a brief outline of the plan.