March 2, 2023

The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.

The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.

Coupled with this stick would be a carrot: An as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.

“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explains. “To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.

“Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability,” Fox said. “Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”

THE MOST ACTIVE, PERSISTENT THREAT

In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented “the greatest transfer of wealth in history.”

The document released today says the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Many of the U.S. government’s efforts to restrain China’s technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.

As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design.

The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.

FIGHTING BADNESS IN THE CLOUD

One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade — in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide Solar Winds compromise.

On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet — a cybercrime machine that was heavily used by multiple Russian ransomware groups — as a model for this activity, but says those disruptive operations need to happen faster and more often.

To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.

“To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations,” the strategy observes. “The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns.”

The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.

“Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis,” the strategy argues. “Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”

But here, again, there is a carrot-and-stick approach: The administration said it is taking steps to implement Executive Order (EO) 13984 –issued by the Trump administration in January 2021 — which requires cloud providers to verify the identity of foreign persons using their services.

“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the strategy states. “The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984.”

Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.

“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks,” Schlein said. “We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”

INSURING THE INSURERS

One brief but interesting section of the strategy titled “Explore a Federal Cyber Insurance Backdrop” contemplates the government’s liability and response to a too-big-to-fail scenario or “catastrophic cyber incident.”

“We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur,” the strategy reads.

When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a “digital Pearl Harbor,” and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.

In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?

The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government’s digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world’s companies didn’t host their entire business in the cloud.

Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.

The full national cybersecurity strategy is available from the White House website (PDF).


38 thoughts on “Highlights from the New U.S. Cybersecurity Strategy

  1. James Owen

    For sure, Biden had to receive permission from his Chinese controllers before taking on any US cybersecurity strategy.

    1. Frank

      I think you meant to post that comment over at zero hedge.

    2. Tommy Nocker

      10% for the “Big Guy” from CEFC. Educate yourselves

    3. Andrew J

      Sighhh. What is wrong with you people?

      It’s about time that this is looked at. What also needs to be looked at is the mad rush to AI.

    4. SeymourB

      For sure, you had to receive payment from your Russian controllers before making this post.

    5. Psychodave

      Strangely there was very little in this new Cybersecurity Strategy about defending against foreign (mis/dis)information campaigns. It looks like James could benefit from that type of strategy.

  2. Wannab tech guy

    “Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure(they can’t? someone should tell Ed Snowden).

  3. mealy

    “All service providers must make _reasonable_ attempts to secure the use of their infrastructure against abuse or other criminal behavior,” “how this gets implemented will determine whether it can be effective.”
    I love it when a “plan” comes together. I feel safer already.

  4. Kurt Seifried

    So two comments:

    1) the phrase “open, free, global, interoperable, reliable, and secure Internet” occurs 5 times, once more with the word Internet at the start, and once followed by “digital future” which I’m taking as not very subtly coded speech for “Western Values”

    2) “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software, not on the open-source developer of a component that is integrated into a commercial product.”

    They don’t mention what happens if it’s not a commercial product. Or if the open source is from a company that provides it as a product in some way or supports it. I hope the intent is to protect open source devs, but the actual implementation will be very complicated (Red Hat hires a lot of developers to work on open source, and not just stuff Red Hat ships, e.g. Debian developers).

  5. The Sunshine State

    Remember the Cybersecurity Strategy of the Can-The-Spam-Act, a huge failure in my opinion Cyber-Security solutions should stay in the private sector not with the government bureaucrats

    1. Sean (also in florida)

      I would argue that it was quite successful when compared to doing nothing, which is always what cynics offer.

    2. STA

      Everyone hates the bureaucracies, until the private sector fails. Then they call for oversight and regulation. Only when they forget that the private sector is to blame, do they go back to blaming the government.

      1. PaulBart

        The private sector never fails. America has a private sector? I though we have public costs, private profits, as well as complexes such as medical, pharma, and military, along with tech gatekeepers. But yeah, keep that propaganda up with “private sector”.

    3. Howard

      Leaving it to the private sector has never ended well for any industry ever. We don’t need less regulations, we need more and we need to enforce them better.

      1. magosis

        I think the ESRB has been hugely successful in the games industry games.

  6. CallMeSuspicious

    “The most noteworthy aspect of this part of the strategy is the plan to strengthen the cybersecurity workforce and tackle the lack of diversity among cybersecurity professionals. Other efforts included in this pillar include accelerating the adoption of technology that secures a clean energy future and encouraging investments in robust verifiable digital identity solutions.”
    So, just like our military, they’re going to worry more about genders and green energy than actually fixing the problem. Except that pesky little problem of tracking citizens: “robust verifiable digital identity solutions”.

  7. John Doe

    “Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure”

    Imagine being so delusional you actually believe this.

  8. UnBlinking

    Nine comments, and all but one are pure snark ginned up over a dopey Q-Anon trope or politicial drivel. Krebs’ audience usuallly contains at least a couple of qualified commenters… usually.

    1. mealy

      As much as I’d disagree with your “hot take” there, your own would make 10.
      If you have something “qualified” to say, let’s hear it. ^ This can’t be it, can it?
      Avoid hypocrisy. If you think this issue demands deep technical knowledge,
      or the vague wording of the “plan” proposed and reasonably in-depth coverage
      by our esteemed Mr. Krebson gives you “qualified” thoughts to share on it,
      what might they be? A snarky drivel response to what you see as same?
      Be the change you wish to see in the world.

      1. Marco

        I was just about to leave a snark remark echoing much the same of what the person you responded to stated – until I saw your post. Thank you for that – you are absolutely correct and nothing is worse than hypocrisy.

  9. rolling ball 3d

    The DoD and the Intelligence Community are equally committed to using all of their complimentary authorities to support disruption activities.

  10. rolling ball 3d

    In a similar vein, disruption efforts will benefit from the complete set of complimentary powers that the DoD and the Intelligence Community are committed to using.

  11. .....

    I can’t believe U.S. leaders were dumb enough to outsource all of this stuff — semiconductors, 5G, general supply chains — in the first place. Complete stupidity.

    Short-term profits for our corporate overlords, sure. But long term it has been a disaster.

    1. mealy

      US business runs on market forces unless acted on by a more powerful force than $.
      Lately they’ve been looking to in-source production after decades of degradation there,
      but it’s a slow process. A 1990’s view of China as America’s benevolent manufacturer
      has been debunked yet the market still rules on many fronts, as even Tiktok shows.
      China’s planned system makes such major moves far easier for them than US’ does.
      It’s a huge restructuring. It will take a long time, a massive restructuring in all sectors.
      Meanwhile US markets are still saturated with cheap ubiquitous security-agnostic IOT
      products that consumers demand – you can still buy Dahua/Hikvision camera systems.
      They’re cheap. Until there’s some other driver for US consumers or outright restriction,
      expect to revisit that issue a lot. The Tiktok ban legislation is a significant trial balloon,
      one garnering scarce bipartisan support from those at all awake in the legislature.
      It’s much more complicated than just snapping fingers at the top, in the US.

    2. P.D.

      Yeah, this started as early as 1976 when I was working for a DOD MIL supplier. One of the main points was that our suppliers had to be based in the US, and on a QPL list.

      One day I thought my eyes had gone bad as the QPL parts supply list said “Hitachi” for one critical part. Thinking it to be a mistake, i went to The Big Purchasing Dude (PA-Purchasing Agent) and asked if it was a mistake. He said no. Nothing else, just “No.”

      I said, “Well, I sure hope they don’t get pissed at us again,” and left his office just as his coffee cup hit the wall.

      Different players, same game: “Lucrum super omnia.”

  12. Ollie Jones

    Open source software drives a huge fraction of the internet. Many vulnerabilities (Hi, Equifax!) trace their root cause to sloppy updating of open source systems by site operations people. Some more recent vulns (solar winds) are due to poisoning of open-source code repositories by bad actors.

    My own Ubuntu machines — running long-term-support OS versions — get several updates a week. I keep them up to date; I work on open-source software and I don’t want to be the guy whose repositories are poisoned.

    If Brian chose to publish a rundown of Ubuntu updates the way he publishes a rundown of Windows updates, he’d do very little else.

    My point: “Cybersecurity” initiatives need to provide funds for open-source development teams. Those teams need to be able to afford good development, test, and distribution practices. Those things are labor-intensive and require consistent vigilance. If handled only by volunteers and by people seconded to open source by the biggies (GOOG, FB, Apple, MSFT, AWS, etc) they’ll fall short.

  13. Phil

    Diversity and equity, not education and talent. Got it.
    *dodges plane on the runway* x 3

    1. an_n

      *Learn how to read so you can comment on topic.*

  14. Mahhn

    I’m so happy it’s not what I expected of the current administration. Thought I was going to be reading about how Firewalls are like boarder walls, are racist and need to be shut down everywhere. After all, it is a very crazy world.

  15. info man

    Wow, How we progressed we identified the problem !

  16. SkunkWerks

    The sort of content (most, much, not all) I see here in these chains regularly makes me question the value of comment threads on stories on Krebs’ stories. I kinda feel like it’s maybe a magnet for the crazies I suppose.

    Great job with the story, in any case.

  17. Anonymous

    Brian, and all other security enthusiasts, I encourage you to check this link: http://alexbuckland.me/

    I believe this is the skid ratter the government are trying to kill.

    Perhaps you should do a write up about it Brian.

  18. Antonio

    “the greatest transfer of wealth in history.” I’m confused. Wasn’t it the scamdemic?

  19. Anonymos

    It is absurd to think citizens are remotely capable of managing cyber threats. The authorities pass the buck this way by warning you to be careful blah blah blah. The idea that data collectors collect all your data, then create a profile for you and sell it is just sleazy. What a business plan to sell your privacy to others for a price! They don’t make anything but chaos in people’s lives. They are bloodsuckers. When exactly does invasion of privacy ever apply? Much like the NDAs these companies make you agree to complete abuse of your data if you want to pay for and use their service. Legalized holdups. EU is a bit better and push back but here we just bend over and say more please. NO wonder China thinks we can be their b++++++.

    They store these files in the cloud and they might as well stick a big bullseye on them for hackers. Easy peasy to gain all the important data on you all conveniently collated. Makes you wonder if China is calling the shots and we are all slowing being marched into the cyber ovens.

    We are much like Russia. We have allowed gangster corporations to buy politicians who have literally defunded federal and state regulations. Defunding the police is child’s play to what has already gone down. Any meaningful regulations have been gutted. Look what happened to Putin’s military. His gangster appointed directors stole so many funds they now have to use rusty stuff from decades ago for their invasion. The country is slowing imploding and now they are sending women prisoners to the front!

    Our federal directors from both parties sold us out long ago. We are **cking doomed. After the Equifax breach I woke up to the reality your money is not safe in digital form nor in banks, since as we have seen any rich bunch of idiots with no banking experience can run a bank into a wall and the feds just stood they and watched it go down. Don’t kid yourself that we are not bailing these banks out indirectly.

    If someone is dumb enough to give credit to someone with my credit file frozen that is on them. I don’t plan to ever take out any credit again and will not be put into credit servitude is what their long game is here. It is also absurd to think consumers can avoid ID theft now. No company can do that for you either. The corruption has been allowed to continue and when the music stops it will be chaos and no amount of walls or security will protect the 1% from the needs of tens of millions and that is why they have bolt holes in New Zealand and elsewhere were. Its not about nuclear threat, it is about nuclear financial melt down is where we are headed since Joe can only print up so much monopoly money and look what happened to Venezuela.

    I also lost faith in any news we hear now since there is always an agenda behind it and truth is not profitable enough now. Even this site is making out like there is any hope of having security with cyber now. Not hardly. People are now reading between the lines and are coming up with some crazy ideas. Lack of transparency and endless lying by government agencies creates a ripe environment for Qanon stuff.

    No wonder China and Russia are circling us, we sold out and imploding and they are planning to carve up the remains. The wealthy greedy have no allegiance to anything but money. That is why you see our wealthiest with one foot in China and one foot here. They are hedging their bets, like Cook, Bezons, Musk, Waltons, etc. Kind of funny to hear China b**** slap Musk in the press about not biting the Chinese hand that feeds it selling his crappy Teslas in China for tens of thousands less. If retired centerist housewife is having to strip away all the B.S. to find the reality of what is really going down then you can imagine how the extremists are thinking. Best of luck since we are headed for one hell of a ride since if past experience is the best indicator or trajectory of what is to come it is looking really bad. They always start a war to try to unite the citizens and line the pockets of the industrial military complex so that is why you are seeing in the media endless stories to incite the violence towards China not our own greedy 1% for how they made this all possible for China.

    They want to channel our anger and frustration we have here with our government and redirect it towards China. China’s Equifax attack was just a warm up and we were stupid enough to just leave the door unlocked for them by putting all the data in the clouds. We deserved that. But did China do it? Heck Equifax is one of the most sleaziest companies ever if you search to see how so many AGs have sued them over the decades for all sorts of dirty deeds and negligence. That is why banks and insurance companies love them to do the dirty work to give them excuse to raise rates unfairly while keeping their hands cleaner. It is clear all sorts of breaches have gone down with them so really we have been breached thousands of times already. Kind of like now we are being coming indignant about surveillance balloons that have been around for a long time but now it is somehow a threat where as before it wasn’t?

    Did you know that the biggest contributors to presidential campaigns are banks? That is saying a lot if you think about other big money sectors who also contribute like oil and pharma. Presidents b**** talk about a sector in the press but have their hands out for payoffs from these same sectors. You don’t need to be a rocket scientist to know how that works against the people. We have been so desperate for hope that we vote in some of the worst because they talk to our pain points is all. We have become pitiful.

Comments are closed.