On Thursday, the White House released an ambitious and wide-ranging cyber security plan that calls for stronger security protections for critical sectors and for making software firms legally accountable for product security.
According to the strategy document, “all instruments of national power” will be used in order to pre-empt cyber attacks.
Foreign state-sponsored cyber attacks spiked between 2019 and 2022, increasing by nearly 100 percent. In addition, the nature of the attacks evolved, appearing more politically motivated, destructive and damaging than ever before.
The new strategic plan
Officials also stated that they are working to “impose robust and clear limits” on private sector data collection, including geolocation and private health information.
“We still have a long way to go before every American feels confident that cyberspace is safe for them,” stated acting national cyber director, Kemba Walden.
“We expect school districts to go toe-to-toe with transnational criminal organizations,” largely on their own. “This isn’t just unfair. It’s ineffective.”
More strategy insights
The strategy primarily codifies initiatives that emerged within the last few years and that began after a series of high-profile ransomware attacks on critical infrastructure. In 2021, an attack on Colonial Pipeline led to panic at the pump, and upset small businesses. Subsequently, an attack on an IT service provider resulted in ransomware and system outages around the world.
In recent weeks, a series of disturbing situations has reinforced the need to advance cyber security at a national level. The U.S. Marshals Service experienced a data breach, as did a major American television provider.
The corresponding 35-page document provides a foundation for developing more effective means of countering threats to government agencies, private industry, schools, hospitals and other critical infrastructure groups that are now regularly attacked.
“The defense is hardly winning. Every few weeks someone gets hacked terribly,” said Edward Amoroso, CEO of TAG Cyber.
According to Amoroso, the White House’s initiatives are largely aspirational. The most stringent of the rules are liable to meet resistance from congressional members.
Other reviewers of the document point out that, while there is much to applaud, the document lacks specifics.
What Biden says
U.S. President Joe Biden says that his administration is focused on the “systemic challenge that too much of the responsibility for cyber security has fallen on individual users and small organizations.”
In turn, the country will need to shift legal liability onto software providers, holding companies, rather than vulnerable end-users, accountable.
The administration says that vendors habitually disregard best practices for secure hardware and software development, ship products with insecure default configurations, and integrate unvetted software into products. The White House insists that this must change.
The director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, recently pointed out that, at one point, the automotive industry was forced to include seat belts and airbags in vehicles. The burden of safety should never fall upon the customer alone, she said. Rather, industry must take ownership of security outcomes.