The U.S. government released its widely anticipated National Cybersecurity Strategy on Tuesday, pushing mandatory regulation on critical infrastructure vendors and green-lighting a more aggressive ‘hack-back’ approach to dealing with foreign adversaries and ransomware actors.
[ Analysis: Industry Experts Analyze US National Cybersecurity Strategy ]
As previously reported, the White House plans to use regulation to “level the playing field” and shift liability to organizations that fail to make reasonable precautions to secure their software.
“[While] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes,” the document argues, calling for a dramatic shift of liability “onto those entities that fail to take reasonable precautions to secure their software.”
“In setting cybersecurity regulations for critical infrastructure, regulators are encouraged to drive the adoption of secure-by-design principles, prioritize the availability of essential services, and ensure that systems are designed to fail safely and recover quickly. Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements,” the strategy document argues.
The federal government plans to use existing authorities to set “necessary cybersecurity requirements in critical sectors” and where there are legal gaps around authority, the White House plans to work with Congress to close them.
The strategy, divided by five pillars, seeks to:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
The strategy also gives high-level authorization to law enforcement and intelligence agencies to “disrupt and dismantle threat actors,” including foreign APT campaigns and data-extortion ransomware groups.
“Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals,” the White House stressed, noting that the federal government will increase the speed and scale of information sharing to proactively warn of looming threats.
“The Federal Government will work with cloud and other internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, make it easier for victims to report abuse of these systems, and make it more difficult for malicious actors to gain access to these resources in the first place,” it added.
The aggressive strategy is meant to preemptively “disrupt and dismantle” hostile networks by authorizing U.S. defense, intelligence, and law enforcement agencies to hack into the computer networks of criminals and foreign governments.
The White House is also discouraging the payment of data-extortion ransoms to cybercriminals, arguing that “the most effective way to undermine the motivation of these criminal groups is to reduce the potential for profit.”
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the strategy says.
The strategy document (PDF) goes deeper, assigning the work to the FBI’s National Cyber Investigative Joint Task Force working in tandem with all relevant U.S. agencies. It said private companies will be “full partners” to issue early warnings and help repel cyberattacks.
The government is also exploring a federal cyber insurance backstop to provide stability to the economy during catastrophic events or major crises.
Analysis: Industry Experts Analyze US National Cybersecurity Strategy
Related: US National Cyber Strategy Pushes Regulation, Aggressive Hack-Back Operations
Related: Chris Inglis Steps Down as US National Cyber Director