WASHINGTON (AP) — The U.S. government plans to expand minimum cybersecurity requirements for critical sectors and to be faster and more aggressive in preventing cyberattacks before they can occur, including by using military, law enforcement and diplomatic tools, according to a Biden administration strategy document released Thursday.
The Democratic administration also intends to work with Congress on legislation that would impose legal liability on software makers whose products fail to meet basic cybersecurity safeguards, officials said.
The strategy largely codifies work that has already been underway during the last two years following a spate of high-profile ransomware attacks on critical infrastructure. An attack on a major fuel pipeline, which caused panic at the pump and resulted in an East Coast fuel shortage, as well as other attacks, focused fresh attention on cybersecurity. But officials hope the new strategy lays the groundwork for countering an increasingly challenging cyber environment.
“This strategy will position the United States and its allies and partners to build that digital ecosystem together, making it more easily and inherently defensible, resilient, and aligned with our values,” the document states.
President Joe Biden's administration has already taken steps to impose cybersecurity regulations on certain critical industry sectors, such as electric utilities and nuclear facilities, and the strategy calls for minimum requirements to be expanded to other vital sectors.
Anne Neuberger, the administration's deputy national security adviser for cyber and emerging technology, said on a conference call with reporters that it was “critical that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides.”
The administration also wants to shift legal liability onto software makers that fail to take basic precautions to produce secure technology, saying companies should be held accountable rather than end users.
In a statement accompanying the document, Biden says his administration is taking on the “systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”
“By working in partnership with industry; civil society; and state, local, tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable,” Biden says.
The strategy document calls for more aggressive efforts to thwart cyberattacks before they can occur by drawing on a range of military, law enforcement and diplomatic tools as well as help from a private sector that “has growing visibility into the adversary sector.” Such offensive operations, the document says, need to take place with “greater speed, scale, and frequency.”
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the strategy document says.
Under the strategy, ransomware attacks — in which hackers lock up a victim's data and demand large fees to return it — are being classified as a threat to national security rather than a criminal challenge, meaning that the government will continue using tools beyond arrests and indictments to combat the problem.
Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP.