New National Cybersecurity Strategy takes aim at ransomware
The Biden-Harris administration's 39-page National Cybersecurity Strategy covers multiple areas, including disrupting ransomware operations and addressing vulnerable software.
The White House on Thursday released its long-awaited National Cybersecurity Strategy, sharing the Biden-Harris Administration's vision for securing the United States' digital ecosystem.
The 39-page document covers all aspects of cybersecurity, from the role of vendors in vulnerabilities to ransomware, the role of U.S.-based infrastructure in cybercrime, cyber insurance and more. In a statement included in the document, U.S. President Joe Biden referred to cybersecurity as "essential to the basic function of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense."
On the ransomware front, Strategic Objective 2.5 lays out the government's four-pronged plan to counter the ever-evolving threat with more direct actions from federal authorities to disrupt ransomware gangs.
According to the report, the U.S. will "employ all elements of national power" to beating ransomware, including utilizing international cooperation and isolating countries providing safe havens to criminals; investigating ransomware attacks and using authorities and law enforcement to disrupt threat actor operations; improving critical infrastructure's resilience to attacks; and "addressing the abuse of virtual currency to launder ransom payments."
This declaration follows the U.S. Department of Justice's announcement in January that the FBI led a joint operation to seize Hive ransomware servers, which included a months-long infiltration into the gang. Through this operation, the FBI obtained approximately 1,300 ransomware decryption keys and prevented $130 million in potential payments. The objective also follows the confirmation this week that the U.S. Marshals Service suffered a ransomware attack last month.
Strategic Objective 2.1, "Integrate Federation Disruption Activities," places additional emphasis on countering cybercrime efforts through its plan to further integrate law enforcement, private-sector entities and international partners in disruption campaigns. Additionally, the White House will attempt to accelerate its disruption campaigns by expanding and scaling the National Cyber Investigative Joint Task Force to accommodate.
At an event held by the Center for Strategic and International Studies (CSIS) Thursday, White House Acting National Cyber Director Kemba Walden said the government is going to build on the lessons learned taking down ransomware actors.
"We've had success with multiple departments and agencies across the government and around the world combined forces," she said. "Collaboration is at the core of the President's National Cybersecurity strategy, and it will continue to guide our approach in the months and years to come."
Anne Neuberger, deputy assistant to the President and deputy national security advisor for cyber and emerging technology, said during the CSIS event that the ransomware attack on Colonial Pipeline Co. in spring 2021 was a turning point for the administration. She said it was alarming because it wasn't a nation-state threat group with an advanced attack, but a cybercriminal gang wielding ransomware that caused massive disruption to critical infrastructure.
During an event held by the Center for Strategic and International Studies, Kemba Walden, acting national cyber director, discussed how the Biden-Harris administration's new National Cybersecurity Strategy aims to take more disruptive actions against ransomware gangs.
Shifting liability for vulnerable software
Another significant part of the new National Cybersecurity Strategy is Strategic Objective 3.3, titled, "Shifting Liability for Insecure Software Products and Services." The objective aims to hold software publishers liable when they release insecure products with significant vulnerabilities into the public.
To do this, the White House will work with Congress and the private-sector entities "to develop legislation establishing liability for software products in services" as well as a "safe harbor framework" to shield companies from liability that follow best practices such as the NIST Secure Software Development Framework.
"Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers," the document read. "Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end users that often bear the consequences of insecure software nor on the open source developer of a component that is integrated into a commercial product."
Walden said the United States needs to "rebalance the responsibility for managing cyber-risk."
The biggest and most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber-risk and keeping us all safe.
Kemba WaldenActing national cyber director
"Today across the public and private sectors, we tend to devolve responsibility for cyber-risks downward," she said. "We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all. We asked my mom and my kids to be vigilant against clicking on malicious links. We expect school districts to go toe to toe with transnational criminal organization largely by themselves. This isn't just unfair, it's ineffective."
She continued, "The biggest and most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber-risk and keeping us all safe. And that includes the federal government."
It's unclear what shape the proposed legislation and regulations may take. Neuberger referenced how New York City restaurants display letter grades -- A,B,C and D – based on the city's food establishment inspections, and posited that something similar could be applied to technology to inform consumers about, for example, the wireless router they're thinking of purchasing.
Objective 2.4, "Prevent Abuse of U.S.-based Infrastructure," describes how threat actors exploit U.S.-based cloud providers, domain registrars, hosting and email services and more for criminal activity, be it a ransomware actor or a nation-state conducting espionage.
The federal government will, according to the plan, "work with cloud and other infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, make it easier for victims to report abuse of these systems, and make it more difficult for malicious actors to gain access to these resources in the first place."
Strategic Objective 3.6 is dedicated to the White House's plans to explore a "federal cyber insurance backstop," which would establish a structured response to a theoretical catastrophic cyber incident that could destabilize portions of the economy.
"Structuring that response before a catastrophic event occurs -- rather than rushing to develop an aid package after the fact -- could provide certainty to markets and make the market more resilient," the objective read.
Walden emphasized during her statements at CSIS that a key aspect of improving U.S. security is to think long term. She said that when public- and private-sector entities face decisions between easy-but-temporary fixes and harder solutions that will last, "they have the incentives they need to consistently choose the latter."
"If tomorrow, we were to wake up having perfected our current means of cyberdefense, we would at best be losing more slowly," she said. "Instead, we need to change the underlying rules of the game. To get ourselves the advantage. I want cybersecurity to be an unfair fight."
Alexander Culafi is a writer, journalist and podcaster based in Boston.
Anne Neuberger, deputy national security advisor for cyber and emerging technology, talked about the plan to shift liability for vulnerable software and services to the vendor.
