The U.S. government plans to expand minimum cybersecurity requirements for critical sectors and to be faster and more aggressive in preventing cyberattacks before they occur, including using military, diplomatic and law enforcement resources, according to a strategy document from Joe Biden’s administration released Thursday.
The White House also plans to work with Congress on legislation that would impose legal liability on software makers whose products fail to meet basic cybersecurity safeguards, officials said.
For the most part, the strategy concretizes initiatives from the past two years following a series of flashy ransomware attacks on critical infrastructure. In ransomware attacks, cybercriminals lock an organization’s computers and demand a ransom to free them.
An attack on a major fuel pipeline caused panic buying at gas stations and led to shortages on the East Coast, while other attacks highlighted the focus on cybersecurity. However, officials were confident that the new protocol would lay the groundwork for responding to an increasingly challenging digital environment.
“This strategy will position the United States and its allies and partners to build that digital ecosystem together, making it inherently easier and more defensible, resilient, and aligned with our values,” the document stated.
The Democratic administration had already taken steps to impose cybersecurity standards on some industry sectors such as electric utilities and nuclear facilities. The text calls for the minimum requirements to be extended to other essential sectors.
It is “critical that the American people have confidence in the availability and resilience of our critical infrastructure and the essential services it provides,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology.
The strategy calls for more aggressive efforts to thwart cyberattacks before they occur with military, diplomatic and law enforcement resources, as well as help from the private sector that “has increasing visibility in the sector.” Such offensive operations, the paper said, must occur “with greater speed, scale and frequency.”
“Our goal is to render malicious actors incapable of undertaking ongoing cyber campaigns that would threaten U.S. national security or public safety,” the strategy document stated.
The new protocol classifies ransomware attacks as a national security threat, rather than a criminal challenge, meaning the government will continue to employ tools beyond arrests and warrants to combat the problem.