New White House cyber strategy looks to redistribute risks, responsibilities

The Biden administration sketched out an ambitious vision for improving the nation's cybersecurity by changing the rules of the road for software and cloud vendors while rethinking how federal civilian agencies are defended in the National Cybersecurity Strategy released on Thursday morning.

The 35-page document calls on Congress to pass laws that put software vendors on the hook for the consequences of avoidable hacks while establishing a safe harbor framework for those companies whose products meet consensus standards for security development, shifting risks once assumed by users onto tech firms.

“The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” Kemba Walden, acting national cyber director, told reporters on Wednesday. “This strategy asks more of industry, but also commits more from the federal government.”

The Biden administration is also committing to improving federal agency cybersecurity.

The strategy includes plans for "collective operational defense" of federal civilian executive branch agencies, expanding shared cybersecurity services and ramping up efforts to control risk in the software supply chain. 

The strategy also calls out the need for the government to replace technology systems “that are not defensible against sophisticated cyber threats,” noting that zero trust implementation hinges on modern systems.

OMB will be developing a “a multi-year lifecycle plan” for modernization in these civilian, executive branch agencies with milestones laid out “to remove all legacy systems incapable of implementing our zero trust architecture strategy within a decade, or otherwise mitigate risks to those that cannot be replaced in that timeframe.”

A pivot to more regulation

The strategy also looks to manage risks to critical infrastructure through increased cybersecurity requirements across industrial sectors. Officials on the press call noted the disparate levels of security requirements across sectors. The strategy calls for the federal government to tap existing authorities to "set necessary requirements in critical sectors," and for Congress to pass legislation to close gaps in rulemaking authority.

“Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, told reporters on the call.

Republicans on the House Homeland Security Committee, one of multiple congressional panels with oversight of cybersecurity, criticized what they called the "administration’s desire for more regulation, bureaucracy. and red tape."

"The key to building trust with our private sector partners is employing harmonization across government, rather than encouraging disparate and competing efforts," Reps. Mark E. Green (R-Tenn.) and Andrew Garbarino (R-N.Y.) said in a joint statement. "We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government." Green chairs the Homeland Security Committee; Garbarino chairs a subcommittee focused on cybersecurity.

The strategy also looks to reframe ransomware as a national security threat, which requires a coordinated response from law enforcement as well as interdiction efforts that push beyond borders to disrupt threats at their source. Additionally, the Biden administration hopes that in the long term, global standards will diminish the capability of ransomware gangs to use cryptocurrencies to launder their gains.

"We want to shrink the surface of the Earth [where] people can conduct malicious cyber activity with impunity, and put pressure on them and make their lives a little bit less pleasurable," a senior administration official told reporters.

The administration is also looking to cloud vendors to make sure their customers aren't using U.S.-based infrastructure to mount ransomware attacks or conduct other types of malicious cyber activity. 

"All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior," the strategy states. The administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity" tapping into authorities laid out in a 2021 executive order.  

The strategy also warns that government contractors will be on the hook for cybersecurity, noting that “continuing to pilot new concepts for setting, enforcing, and testing cybersecurity requirements through procurement can lead to novel and scalable approaches.”

Additionally, the strategy calls for the federal government to support the growth and development of a trustworthy digital identity ecosystem through providing attribute validation services, updating standards and developing digital identity platforms, among other efforts.