
The Biden-Harris administration has released a new US national cybersecurity strategy that focuses on diverting the burden of cybercrime onto software vendors and service providers.

The long-awaited document provides fundamental changes to the way the US government “allocates roles, responsibilities, and resources in cyberspace,” shifting responsibility onto “the organisations that are most capable and best-positioned to reduce the risk for all of us.”

“We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organisations that are most capable and best-positioned to reduce risks for all of us,” the White House said. 

"All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behaviour [to] make it more difficult for adversaries to abuse U.S.-based infrastructure while safeguarding individual privacy."

The strategy encompasses many of the weaknesses and challenges inherent in US cybersecurity, from software vulnerabilities to internet infrastructure vulnerabilities and talent shortages.

Key proposals included more aggressive campaigns seeking to make financially-motivated cybercrime activity unprofitable and ensuring that US infrastructure is no longer put at risk in attacks targeting organisations on American soil. 

"Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals," the administration added.

The strategy also cites ransomware as a major threat to US security, stressing that the administration “classifies ransomware attacks as a threat to national security, public safety, and economic prosperity.”

It added that it “strongly discourages the payment of ransoms" and will continue targeting ransomware gangs operating from safe havens around the world. 

“A fine line to draw”

If enacted into new regulations and laws, the Administration’s strategy would force companies to implement minimum cybersecurity measures to avoid facing hefty penalties for failing to protect US infrastructure. 

While many cybersecurity experts have welcomed this proposal, others highlight the ambiguity related to making organisations liable for damages when cyber attacks strike. 

“A GDPR-like liability regime tied to a real, pragmatic set of baseline control expectations will be a welcome change. Liability for flaws exposed in software is more dangerous. That will be a fine line to draw,” said Aaron Kiemele, CISO at Jamf.

"All software is vulnerable in some way to future exploitation. If a new issue arises and causes widespread impact, that doesn’t mean that the software vendor was negligent. You can do everything right and still be impacted by a security incident.” 

“How to take the outcome (often a poor indicator of the underlying security capabilities of the company) and drive reform without this becoming a punitive punishment for a secure environment that cannot reasonably be predicted is going to be tricky,” he added.

Despite the challenges of implementing this proposed legislation, other experts believe the changes will be beneficial in the fight against cybercrime. 

Dr Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, believes that the proposals are economically beneficial, comparing the regulations to “airbag systems and seatbelts in the motor industry.”

“Even amid the surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move, however, economically speaking it makes perfect sense,” Dr Kolochenko said.

"Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that."

Dr Kolochenko acknowledged that the severity of the proposed laws for vendors will be critical to its success in the fight against malicious cybercriminal activity. 

“Overregulation or bureaucracy will certainly be harmful and rather produce a counterproductive effect. The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation.” 

State-sponsored attacks in the spotlight

As well as making firms liable for failing to protect US infrastructure, the Administration noted that defending against state-sponsored attacks would be a key aspect of its strategy to defend critical US infrastructure.

“Over the last ten years, [China] has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten U.S. interests and dominate emerging technologies critical to global development," the strategy read. 

"Russia remains a persistent cyber threat as it refines its cyber espionage, attack, influence, and disinformation capabilities to coerce sovereign countries, harbour transnational criminal actors, weaken U.S. alliances and partnerships, and subvert the rules-based international system."


State-sponsored attacks have surged since the Russian invasion of Ukraine last year. A recent report by Microsoft found that the proportion of cyber-attacks perpetrated by nation-states targeting critical infrastructure jumped from 20 per cent to 40 per cent, largely due to Russia’s aggressive espionage targeting Ukraine and its allies, including the US.

The Administration said it "seeks a world where responsible state behaviour in cyberspace is expected and reinforced and where irresponsible behaviour is isolating and costly."

The Office of National Cyber Director (ONCD) in coordination with the Office of Management and Budget (OMB) will coordinate the efforts to implement this new cybersecurity strategy.