Biden’s cybersecurity strategy calls for software liability, tighter critical-infrastructure security

The Biden-Harris administration on March 2 announced a sweeping new National Cybersecurity Strategy that, among other things, seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector.

When fully implemented, the strategy will also strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data.

One key objective of the strategy is for federal regulators to look for opportunities to incentivize all stakeholders to adopt better security practices via tax structures and other mechanisms.

Rebalancing the Responsibility for Cybersecurity

“[The strategy] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users,” President Biden wrote in the introduction to his new plan. “By working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable.”

Biden’s strategy seeks to build collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.

Of these, the proposed initiatives around critical infrastructure security and shifting liability to software vendors and data processors could have the most significant impact.

The critical infrastructure component of Biden’s strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. The regulations will be based on existing cybersecurity standards and guidance such as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals.

A Focus on Secure by Design

The requirements will be performance based, adaptable to changing requirements, and focus on driving adoption of secure-by-design principles.

“While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the strategy document said. Regulation can also level the playing field in sectors where operators are in a competition with others to underspend on security because there really is no incentive to implement better security. The strategy provides critical infrastructure operators that might not have the financial and technical resources to meet the new requirements, with potentially new avenues for securing those resources.

Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, says the Biden administration’s choice to make critical infrastructure security a priority is an important one.

“The nation has seen successful cyber disruptions in critical infrastructure that have significantly impacted numerous lifeline functions, including access to water, food, fuel, and patient care, to name just a few,” Corman says. “These are vital systems that are increasingly suffering disruptions, and many of the owners and operators of this critical infrastructure are what I call ‘target rich, cyber poor.'”

These are often among the most attractive targets for threat actors but have the least number of resources to protect themselves, he notes.

To read the complete article, visit Dark Reading.