Biden administration wants to hold companies liable for bad cybersecurity



The Biden administration on Thursday pushed for new mandatory regulations and liabilities to be imposed on software makers and service providers in an attempt to shift the burden of defending US cyberspace away from small organizations and individuals.

“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated document outlining an updated National Cybersecurity Strategy. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.”

Increasing regulations and liabilities

The 39-page document cited recent ransomware attacks that have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services. One of the most visible such attacks occurred in 2021 with a ransomware attack on the Colonial Pipeline, which delivers gasoline and jet fuel to much of the southeastern US. The attack shut down the vast pipeline for several days, prompting fuel shortages in some states.

In the wake of that attack, the administration imposed new regulations on energy pipelines. Thursday’s strategy document signaled that similar frameworks are likely coming to additional industries.

“Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation,” the document stated. “New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”

Another major incident was the SolarWinds supply chain attack that came to light in December 2020. By compromising SolarWinds’ software distribution system, threat actors working on behalf of the Kremlin pushed malware to roughly 18,000 customers who used the network management product. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations.

Ransomware attacks are now more common than they were five years ago. In the strategy, administration officials wrote:

Given ransomware’s impact on key critical infrastructure services, the United States will employ all elements of national power to counter the threat along four lines of effort: (1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.

The document also reclassifies ransomware as a national security threat, whereas previously, it was seen as a criminal threat.

The plan will be coordinated by the National Security Council, the White House’s Office of Management and Budget, and the Office of the National Cyber Director. Those bodies will provide annual reports to the president and the US Congress on the plan’s implementation and effectiveness, and will also issue guidance each year to federal agencies. The White House provided this factsheet summarizing the plan.
