Biden’s Cybersecurity Strategy Assigns Responsibility to Tech Firms

WASHINGTON — The Biden administration issued a new cybersecurity strategy on Thursday that calls on software makers and American industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the Federal Bureau of Investigation and the Defense Department to disrupt the activities of hackers and ransomware groups around the world.

For years, the government has pressed companies to voluntarily report intrusions in their systems and regularly patch their programs to fix newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks.

But the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards, the new strategy contends.

The strategy is a policy document, not an executive order, although it represents a significant shift in attitude toward the “public-private partnerships” that the government has talked about for years. While some aspects of the new strategy are already in place, others would require legislative changes — potentially a major challenge in a Republican-dominated Congress. And the federal government does not have the ability to impose cybersecurity requirements on state-run facilities like hospitals, which have been targeted by hackers.

“The fundamental recognition in the strategy is that a voluntary approach to securing” critical infrastructure and networks “is inadequate,” Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, said at an event at the Center for Strategic and International Studies, a Washington think tank.

Every administration since that of George W. Bush, 20 years ago, has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Biden’s differs from previous versions in several respects, chiefly by urging far greater mandates on private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of the government to take offensive action to pre-empt cyberattacks, especially from abroad.

The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to implement minimum cybersecurity measures for critical infrastructure — and, perhaps, impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty airbags or defective brakes.

“It just reimagines the American cybersocial contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago. “We are expecting more from those owners and operators in our critical infrastructure,” added Ms. Walden, who took over last month after the country’s first cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.

The government also has a heightened responsibility, she added, to shore up defenses and disrupt the major hacking groups that have locked up hospital records or frozen the operations of meatpackers around the country, along with government operations in Baltimore, Atlanta and small towns across Texas.

“We have a duty to do that,” Ms. Walden said, “because the internet is now a global commons, essentially. So we expect more from our partners in the private sector and the nonprofits and industry, but we also expect more of ourselves.”

Read alongside the cybersecurity strategies issued by the previous three presidents, the new document reflects how offense and defense in the sphere have become increasingly central to national security policy.

The Bush administration never publicly acknowledged American cyberattack capabilities, even as it mounted the most sophisticated cyberattack one state has ever directed at another: a covert effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major hacks of the U.S. government.

The Trump administration bolstered American offensive initiatives against hackers and state-backed actors abroad. It also raised the alarm about having Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, set up high-speed 5G networks in the United States and among allies, fearing that the company’s control of such networks would aid in Chinese surveillance or allow Beijing to shut down systems at a time of conflict.

How Times reporters cover politics. We rely on our journalists to be independent observers. So while Times staff members may vote, they are not allowed to endorse or campaign for candidates or political causes. This includes participating in marches or rallies in support of a movement or giving money to, or raising money for, any political candidate or election cause.

But the Trump administration was less active in requiring American companies to establish minimum protections on critical infrastructure, or seeking to make those firms liable for damage if vulnerabilities they had left unaddressed were exploited.

Imposing new forms of liability would require major legislative changes, and some White House officials acknowledged that Mr. Biden could face insurmountable opposition from Republicans in Congress if he sought to pass such sweeping new corporate regulations.

The Biden administration’s move to establish corporate liability for failure to meet basic security needs “will have decades-long ramifications,” said Glenn S. Gerstell, a former general counsel at the National Security Agency.

“In the cyberworld, we’re finally saying that Ford is responsible for Pintos that burst into flames, because they didn’t spend money on safety,” he added, referring to the famously combustible car that was recalled in 1978.

Many elements of the new strategy are already in place. In some ways, it is catching up with steps the Biden administration took after struggling through its first year, which began with major hacks of systems used by both private industry and the military.

After a Russian ransomware group shut down the operations of Colonial Pipeline, which handles much of the gasoline and jet fuel along the East Coast, the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the nation’s vast network of energy pipelines. Pipeline owners and operators are now required to submit to far-reaching standards set largely by the federal government, and later this week, the Environmental Protection Agency is expected to do the same for water pipelines.

There are no parallel federal authorities for requiring minimum standards of cybersecurity at hospitals, which are largely regulated by states. Health centers have been another target of attacks, from Vermont to Florida.

“We should have been doing many of these things years ago after cyberattacks were first used to disrupt power to thousands of people in Ukraine,” Ms. Neuberger said in an interview on Wednesday. She was referring to a series of attacks on the Ukrainian power grid that began seven years ago.

Now, she said, “we are literally cobbling together an approach sector by sector that covers critical infrastructure.”

Ms. Neuberger cited Ukraine as an example of a proactive cyberdefense strategy: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, backing up computer servers and data centers around Kyiv and other cities that were later targets for Russian artillery. Within weeks, many of those server farms were destroyed, but the government kept running, communicating to servers abroad using satellite systems like Starlink, also brought in after the war broke out.

The U.S. strategy is catching up with its offensive program, which has become increasingly aggressive. Two years ago, the F.B.I. began to use search warrants to find and dismantle fragments of malicious code found on corporate networks. More recently, it hacked into the networks of a ransomware group, removed the “decryption keys” that would unlock documents and systems belonging to the group’s victims and foiled efforts to collect large ransoms.

The F.B.I. can operate in domestic networks; it is up to U.S. Cyber Command to go after Russian hacking groups like Killnet, a pro-Moscow group responsible for a series of denial-of-service attacks starting in the early days of the war in Ukraine. Cyber Command also slowed the operations of Russian intelligence agencies around the 2018 and 2020 American elections.

But none of those are permanent solutions; some groups the United States has targeted have formulated themselves anew, often under different names.

Mr. Biden’s only face-to-face meeting as president with Russia’s leader, Vladimir V. Putin, in 2021 in Geneva, was driven largely by the fear that rising ransomware attacks were affecting the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be held responsible for attacks emanating from Russian territory.

There was a lull for a number of months, and a prominent hacking group was raided by Russian authorities in Moscow. But that cooperation ended with the opening of the war in Ukraine.

In a speech this week at Carnegie Mellon University, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the efforts of the administration as “shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”

“Consumers and businesses alike expect that products purchased from a reputable provider will work the way they are supposed to and not introduce inordinate risk,” Ms. Easterly said. She added that the administration needed to “advance legislation to prevent technology manufacturers from disclaiming liability by contract,” a common practice that few notice in the fine print of software purchases.