Biden's cybersecurity strategy assigns blame to tech companies

The policy document calls for more mandates on the companies that control most of the country's digital infrastructure, and an expanded government role in disrupting hackers and state-sponsored entities.

WASHINGTON — The Biden administration released a new cybersecurity strategy on Thursday that calls on software makers and U.S. industry to take far greater responsibility for ensuring that their systems cannot be hacked, while accelerating efforts by the Federal Bureau of Investigation and the Department of Defense to disrupt the activities of hackers and ransomware groups around the world.

For years the government has urged companies to voluntarily report intrusions into their systems and regularly patch their programs to fix newly discovered vulnerabilities, much like an iPhone does with automatic updates every few weeks.

But the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but not enough in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to break into critical government and private networks. Instead, companies should be required to meet minimum cybersecurity standards, according to the new strategy.

The strategy is a policy document, not an executive order, although it represents a significant shift in attitude towards the “public-private partnerships” the government has been talking about for years. While some aspects of the new strategy are already in place, others would require legislative changes — potentially a major challenge in a Republican-dominated Congress. And the federal government lacks the ability to impose cybersecurity requirements on state-run facilities like hospitals, which have been targeted by hackers.

"The fundamental recognition in the strategy is that a voluntary approach to securing 'critical infrastructure and networks' is inadequate," said Anne Neuberger, deputy national security adviser for cyber and emerging technologies, during an event at the Center for Strategic and International Studies, a Washington think tank.

Every administration since that of George W. Bush 20 years ago has released some sort of cybersecurity strategy, usually once per presidency. But President Biden's differs from previous versions in several ways, primarily by asking for much larger mandates for private industry, which controls the vast majority of the country's digital infrastructure, and by expanding the role of government to take offensive measures to anticipate cyberattacks, especially from abroad.

The Biden administration's strategy envisions what it calls "fundamental shifts in the underlying dynamics of the digital ecosystem." If enacted into new regulations and laws, it would require companies to implement minimum cybersecurity measures for critical infrastructure – and, perhaps, impose liability on companies that fail to secure their code, just as automakers and their suppliers are held liable for defective airbags or defective brakes.

"This just reinvents the American cybersocial contract," said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago. "We expect more from these owners and operators of our critical infrastructure," added Ms. Walden, who took over last month after the resignation of the nation's first cyber director, Chris Inglis, a former deputy director of the National Security Agency.

The government also has an increased responsibility, she added, to bolster defenses and disrupt major hacking groups that have locked hospital records or frozen the operations of meatpackers across the country, as well as government operations in Baltimore, Atlanta and small towns in Texas.

"We have a duty to do this," Ms. Walden said, "because the internet is now a global commons, essentially. So we expect more from our partners in the private sector, nonprofits and industry, but we also expect more from ourselves."
