The White House on Thursday released its national cybersecurity strategy, detailing an effort to increase regulation of critical industries by making them adopt basic cybersecurity practices
It would also seek to hold software companies liable for failing to build security into their products.
The strategy builds on the Biden administration’s existing practice of creating cybersecurity requirements for the pipeline and rail industries, a tactic previous administrations treated as taboo.
The plan also looks to broadly coordinate the government’s many agencies to better defend the country from hackers.
Speaking with reporters on a media call Wednesday evening, a senior administration official, who asked not to be named as part of the terms for the call, said the White House would continue to use existing legal authorities to find ways to bolster cybersecurity in other infrastructure areas, including water sanitation facilities.
As NBC News has reported, water sanitation in the U.S. is managed by tens of thousands of independent plants. Many have computerized systems and are run with small staffs, leaving opportunities for hackers to gain access in several publicized incidents in recent years.
Anne Neuberger, a senior White House national security adviser who specializes in cybersecurity, said in prepared remarks about the strategy: “Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air water services, even if they are being targeted by our adversaries.”
The White House strategy would also aim to persuade large software companies to bear more responsibility for building better security into their products. Cybersecurity experts have long lamented that software is often written hastily and with security as an afterthought, creating a culture in which engineers are constantly fixing problems as hackers find new ones.
Changing that is a long-term goal, the senior administration official said.
“We’d see shifting liability as a long-term process. We’re looking out a decade,” the official said. “We don’t anticipate that this is something where we’re going to see new law on the books within the next year.”
It’s not clear how well the White House will be able to navigate existing red tape that could stymie some of its goals, said Emma Schroeder, the associate director at the Cyber Statecraft Initiative at the Atlantic Council, a think tank.
“With such expansive ambitions, this strategy often falls short of clearly connecting how reality will unite with vision,” she said.
The strategy also aims to have the government take a more proactive stance against ransomware hackers who seek extortion payments by encrypting organizations’ computers and threatening to publish their sensitive data. The Treasury Department has estimated that ransomware cost Americans $866 million in 2021, the most recent year for which it has published data.
Ransomware has proved to be a particularly challenging problem for the U.S., as hackers are often in Russia, which does not extradite its citizens. The U.S. has accused some ransomware hackers of having ties to Russian intelligence services.
The Biden White House will continue its strategy of building an international coalition of countries that oppose ransomware rather than expect to persuade the Kremlin to work directly with the U.S., the official said.
While the official declined to address whether the U.S. would use its own hacking capabilities in cyberspace to go after ransomware hackers — a tactic recently adopted by Australia — he indicated that the U.S. would try to use its formidable espionage capabilities to warn U.S. organizations targeted by hackers.
“We need to be able to use additional tools — such as, for instance, intelligence tools — to … tip victims or intended victims before they’re attacked,” he said.