Biden's cybersecurity plan expands requirements for critical infrastructure
Software makers could also be held liable for security flaws.
The White House is relying on more than an executive order to bolster online security. The Biden administration has issued a National Cybersecurity Strategy meant to "rebalance" responsibilities toward the larger companies and organizations best-equipped to handle threats. The initiative will most notably expand the use of minimum security standards for critical infrastructure, and establish a common set of regulations to make it easier to comply with that baseline.
The administration also wants stronger public-private partnerships that can defend infrastructure more effectively. The federal government would also modernize its own networks and response policies to safeguard against threats.
Companies may also be on the hook for sloppy behavior. The strategy would shift some liability for software and services to developers that ignore recommended cybersecurity practices or ship products with known vulnerabilities. The White House hopes to work with Congress and companies on legislation that bars total liability and sets tougher standards for "specific high-risk scenarios." A safe harbor provision would protect companies that make a sincere effort to develop secure products.
The plan would also invest more in cybersecurity research and workforces. The administration hopes to cut back on "systemic" vulnerabilities at the internet's core, and to adapt to emerging technologies such as postquantum encryption (that is, protection against quantum-based hacks) and digital IDs. Some policies will be largely unchanged. The government will proactively "disrupt and dismantle" threats, including international cooperation on fighting ransomware.
The implementation has already begun, the administration says. As Cyberscoop points out, though, there's no certainty the strategy will work as promised. The outline largely delegates responsibilities to individual agencies, Congress and in some cases state regulators. The result may not be as harmonious as hoped. It's also unclear if developers will welcome laws that make them liable for security holes. Still, the approach sets expectations for how federal officials will tackle digital threats going forward.