2023-03-06

The Biden administration wants tech companies to shoulder more of the burden of maintaining cybersecurity as hackers — including those sponsored by foreign nations — deploy ever more sophisticated attacks.

The idea of setting out minimum security standards for tech firms — a key pillar of the national cybersecurity strategy the White House unveiled Thursday — and calling on software companies to be responsible for vulnerable products they ship signals a major shift in the scope and ambition of the administration’s cyber priorities.

“The biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” said a senior administration official. “This strategy asks more of the industry but also commits more from the federal government.”

Ted Schlein, a founding partner of the cybersecurity venture capital firm Ballistic Ventures, said the proposal’s potential impact cannot be overstated.

“It’s basically saying that if you make software, create infrastructure to host it and store data, you are responsible for being a responsible security steward — and you will be held liable to enforce this to happen,” said Schlein, a member of the federal Cybersecurity and Infrastructure Security Agency’s advisory committee. “Why this is so revolutionary is because the entire software industry has basically been built having no liability for what they deliver, security included.”

The Biden strategy has five pillars: “Defend critical infrastructure,” “Disrupt and dismantle threat actors,” “Shape market forces to drive security and resilience,” “Invest in a resilient future” and “Forge international partnerships to pursue shared goals.”

But big questions remain — including how the White House will implement its new vision. The document it released Thursday is policy guidance rather than an executive order. And some aspects of the Biden plan might require cooperation from Congress, including shifting liability to software developers, which could be hard to come by with Republicans controlling the House and Democrats holding a slim majority in the Senate.

Yet nearly everyone agrees that U.S. cybersecurity is insufficient, and examples of successful hacking attacks abound. Media giant News Corp., whose properties include Fox News and the Wall Street Journal, recently notified at least one employee that a previously disclosed cybersecurity breach by Chinese hackers lasted for nearly two years, according to Ars Technica. And on Monday, the U.S. Marshals Service said hackers breached its systems in February, potentially risking sensitive data about agency personnel and targets of its investigations.

A warmer reception

There has long been tension between the government and private sector over who should carry the burden of preventing cyberattacks and to what extent. The private sector has lobbied against legislation that would mandate companies meet certain cybersecurity requirements or report breaches to the government.

Private and public sector cooperation on cybersecurity has increased in recent years amid regular hacks by nation states or affiliated actors, the 2021 ransomware attack that halted the Colonial Pipeline’s operations and the targeting of entire U.S. cities with ransomware. The lack of immediate pushback from the industry this week after the Biden administration proposed expanding the private sector’s liability burden represents another step forward, experts said.

“The U.S. Chamber of Commerce and the Office of the National Cyber Director share a mutual interest in advancing regulatory harmonization, strong liability protections and federal preemption,” said Christopher Roberti, the senior vice president for cyber, space and national security policy at the Chamber, which opposed a previous effort at large-scale cybersecurity reform in 2011. “The Chamber looks forward to working with the administration throughout its implementation of the strategy to ensure that good intentions do not lead to undesirable policy outcomes.”

Brian Fox, CTO and co-founder of the software security firm Sonatype, called the Biden strategy a landmark moment for the industry. The document signals a nuanced understanding at the White House of the threats and complexity of today’s cyber landscape.

“The strategy aptly starts by taking away vendors’ ability to disclaim any and all liability while recognizing that even a perfect security process can’t guarantee perfect outcomes,” said Fox. “Establishing the concept of safe harbors [for companies that securely develop and maintain their software] allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”

But this is only the first step of a much bigger conversation, he added.

Schlein noted that the Biden document proposes handing out penalties if a company does not adhere to these standards. If that’s not handled correctly, it could pit technology vendors, business customers and the various regulatory bodies against one another in a counterproductive way, he added.

The opponents

Some of the fixes and efforts proposed by the administration would require legislation to address. With a split Congress, that may not happen any time soon. Even senior administration officials said they don’t anticipate seeing any new cybersecurity laws on the books in the next year. Proving the point, initial congressional reaction hewed to party lines.

Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee and a longtime technology executive, released a statement praising the strategy for “advocating for the kind of best practices that I’ve long called for.”

“I’m particularly pleased to see the administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author,” Warner said. “I’m also glad to see the administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyberattacks on our healthcare systems become more frequent and aggressive.”

Across the Capitol, top House Republicans characterized the Biden plan as regulatory overreach.

“It’s no surprise that this administration’s desire for more regulation, bureaucracy and red tape is a consistent theme in the National Cybersecurity Strategy,” said Homeland Security Committee Chairman Mark Green (R-Tenn.) and Cybersecurity and Infrastructure Protection Subcommittee Chairman Andrew Garbarino (R-N.Y.). “The Biden administration’s strategy encourages agencies to regulate where they can and identify regulatory gaps where they want new authorities.”

The partisan friction between the White House and the divided Congress is the biggest X factor in what parts of Biden’s strategy might become reality, said Marcus Fowler, CEO of Darktrace Federal and senior vice president of strategic engagements and threats at Darktrace, a cybersecurity firm.

The White House plan “is ambitious, but is it executable?” he asked. “That’s the most significant question. Given a divided Congress, does the administration expect that lawmakers are fully onboard with this idea of shifting the onus and liability to the private sector?”

Yet, at the same time, true change won’t be possible without action from Congress, Fox said: “Organizations that have been resistant to following existing best practices in this area are often the ones most in need of a legislative shove forward — as well as potentially the biggest opponents.”

Thanks to Brett Zach for copy editing this article.