The White House released its long-awaited National Cyber Strategy on Thursday, providing a road map for how the Biden administration aims to defend the U.S. from a rapidly growing number of online threats.
A key element of the new framework involves shifting the burden of cybersecurity from individuals, small businesses and local governments and putting responsibility in the hands of software developers and other institutions with the requisite resources and expertise.
“The president’s strategy fundamentally reimagines America’s cyber social contract,” Acting National Cyber Director Kemba Walden said during a press briefing on Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”
Walden added, “the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.” She said that laying responsibility on individuals and groups who lack the resources to protect themselves is both “unfair” and “ineffective.”
The White House is proposing that legislation establish liability for software makers that fail to take reasonable precautions to secure their products and services. The administration said in its draft report that it would work with Congress and the private sector to develop the language of such a bill, which would include “an adaptable safe harbor framework” to protect companies that “securely develop and maintain their software products and services.”
A senior administration official, who wasn’t authorized to be named, said the legislation isn’t expected to pass in the next year, but is part of a longer-term plan.
The Biden administration said it will explore a national insurance backstop in the case of a catastrophic cyberattack to supplement the existing cyber insurance market. It will also focus on defending critical infrastructure by expanding minimum security requirements in certain sectors and streamlining regulations, and will treat ransomware as a national security threat, not just a criminal issue.
The strategy also includes an increased focus on incentivizing long-term investments in cybersecurity, even while dealing with urgent threats. The administration said it will prioritize cybersecurity research and development for newer technologies as well as invest in expanding the cyber workforce.
In addition, the framework calls for a focus on international partnerships to work with like-minded nations to fight threats and create secure global supply chains for communications technology and other kinds of tools and information.
The White House said the work has already started. In May 2021, for example, President Biden signed an executive order aiming to strengthen the nation’s cyber defenses. That was shortly after the cyberattack on Colonial Pipeline that led to widespread fuel shortages.
The order directed IT service providers to inform the government about cyberattacks that could affect national networks. It also created a Cybersecurity Safety Review Board consisting of officials from the public and private sector to analyze cyberattacks and make recommendations for future protections.