The White House on Thursday released its national cybersecurity strategy, detailing an effort to increase regulation of critical industries by forcing them to adopt basic cybersecurity practices.
It would also seek to hold software companies accountable for failing to build security into their products.
The strategy builds on the existing practice of the Biden administration of creating cybersecurity requirements for the pipeline and railway industries, a tactic that previous administrations treated as taboo.
The plan also seeks to broadly coordinate the many government agencies to better defend the country from hackers.
Speaking to reporters on a media call Wednesday night, a senior administration official, who asked not to be named as part of the terms of the call, said the White House would continue to use existing legal authorities to find ways to strengthen cybersecurity in other infrastructure areas, including water sanitation facilities.
As NBC News has reported, water sanitation in the US is managed by tens of thousands of independent plants. Many have computerized systems and are run with small staffs, which has given hackers opportunities to gain access in several publicized incidents in recent years.
Anne Neuberger, a senior White House national security adviser who specializes in cybersecurity, said in prepared remarks on the strategy: “Americans must be able to trust that they can trust critical services, hospitals, gas pipelines, air and water utilities, even if they are being attacked by our adversaries.”
The White House strategy would also aim to persuade big software companies to take more responsibility for building better security into their products. Cybersecurity experts have long lamented that software is often written in haste and with security as an afterthought, creating a culture in which engineers are constantly fixing problems as hackers find new ones.
Changing that is a long-term goal, the senior administration official said.
“We would see the shift in responsibility as a long-term process. We are looking at a decade,” the official said. “We don’t anticipate that this is something where we’re going to see a new law on the books within the next year.”
It’s unclear how well the White House will be able to navigate existing bureaucracy that could hinder some of its objectives, said Emma Schroeder, associate director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank.
“With such expansive ambitions, this strategy often fails to clearly connect how reality will meet vision,” she said.
The strategy is also aimed at getting the government to take a more proactive stance against ransomware hackers who seek extortion payments by encrypting organizations’ computers and threatening to publish their sensitive data. The Treasury Department has estimated that ransomware cost Americans $866 million in 2021, the most recent year for which it has released data.
Ransomware has proven to be a particularly challenging problem for the US, as the hackers are often based in Russia, which does not extradite its citizens. The United States has accused some ransomware hackers of having ties to Russian intelligence services.
The Biden White House will continue its strategy of building an international coalition of countries that oppose ransomware rather than hoping to persuade the Kremlin to work directly with the US, the official said.
The official declined to address whether the US would use its own cyberspace hacking capabilities to go after ransomware hackers, a tactic recently adopted by Australia, but indicated that the US would try to use its formidable spy capabilities to tip off US organizations targeted by hackers.
“We need to be able to use additional tools, such as intelligence tools, to…give clues to victims or potential victims before they are attacked,” he said.