I Read the Biden Administration's New Cyber Policy So You Don't Have To


Photo: Win McNamee (Getty Images)

Since taking office, Joe Biden has made it known that he’s going to take cybercrime seriously. It’s not that Biden is the world’s most tech-savvy octogenarian; rather, he’s simply responding to security challenges that have developed on his watch—most notably a string of increasingly destructive cyberattacks that took place during his first year as president. The most recent iteration of the Biden administration’s efforts to make the internet a safer place is the government’s newly announced national cybersecurity strategy, which was published to the WH website on Thursday. The strategy could have major impacts on the government’s efforts to deter cybercriminals and, if effectively enacted, would have a big impact on multiple areas of the tech industry.

The full report on the government’s new strategy is 39 pages and thousands upon thousands of words but I slogged through it and attempted to distill it down to a mere 1,500-ish words. Here are some of the key takeaways.

#1: Protecting “Critical Infrastructure,” aka Making Sure Really Important Stuff Doesn’t Get Hacked

Critical infrastructure is a pretty big topic in cybersecurity, which is why it makes sense that the first pillar of the WH cybersecurity strategy involves adopting broader protections for it. “We will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides,” the strategy states.

Sounds good but you might find yourself wondering what, exactly, qualifies as “critical infrastructure.”

The short answer is: lots of stuff. You can think of CI as the industrial systems that provide essential services to large numbers of people: power grids, oil and gas pipelines, dams, local and regional water supplies, nuclear power plants, ISPs and broadband providers, and other things of that nature. Most of these things are run by industrial control systems, including SCADA (supervisory control and data acquisition) systems, software that lets operators monitor and remotely control physical equipment. Those systems were built for reliability rather than security, and many of them are now reachable from corporate networks or the internet, which makes them quite hackable. The most notorious example of an industrial control system getting hacked is Stuxnet, in which cyber operators widely reported to have been working on behalf of the U.S. and Israeli governments used a sophisticated worm to sabotage the uranium-enrichment centrifuges at Iran’s Natanz facility, part of its nuclear program. However, much smaller, more mundane targets are often even easier to break into, and an attack on them can still cause quite a lot of damage.

To protect all this critical stuff, the government has suggested a number of different initiatives, probably the most notable of which is the development of new federal regulations to mandate minimum security requirements for particularly important sectors and CI providers. Why the government is so intent on protecting critical infrastructure seems pretty obvious. In addition to it just being a really good idea, Biden’s administration clearly doesn’t want a repeat of what happened in 2021 when the ransomware gang DarkSide attacked Colonial Pipeline. That attack, which threatened vital fuel supplies throughout large parts of the East Coast and Southeast, was considered one of the worst cyberattacks on U.S. critical infrastructure to date and wasn’t exactly an easy fix for the government, nor a good look for a new administration.

#2: The U.S. Will Keep Kicking Bad Hackers in the Ass

One thing the U.S. government is usually pretty good at is kicking people’s asses and, lately, it’s had its ass-kicking sights trained on those who dwell in the digital underworld. Well, the strategy released this week stresses that, for the foreseeable future, America is going to keep hitting threat actors where it hurts.

Indeed, the Biden administration envisions a future where it brings to bear “all instruments of national power” to “make malicious cyber actors incapable of threatening the national security or public safety of the United States.” In real-world terms what this means is leveraging its law enforcement resources (i.e., hacker-hunting cyber personnel at government projects like the FBI’s National Cyber Investigative Joint Task Force) and existing international partnerships (like the recently launched counter ransomware task force), to continue kicking the shit out of cybercriminals. At the same time, the administration also says it wants to accelerate preventative measures, like information-sharing between the tech industry and the government, as well as broader communication and coordination between the public and private spheres.

This continued war with cybercriminals makes sense—for a number of different reasons. When Biden first took office, the ransomware scourge was at its height. In particular, the 2021 attack on Colonial Pipeline was considered both a wakeup call and a national security emergency. Since then, Biden’s government has cracked down on the ransomware industry with a vengeance. This has included the development of a number of task forces and international summits to address the problem, along with the launch of new Justice Department guidelines for the investigation and prosecution of ransomware cases. At the same time, a bevy of law enforcement operations, many of them run through the FBI and the NCIJTF, have sought to disrupt large swaths of the ransomware ecosystem, including a months-long covert infiltration of the Hive gang’s infrastructure that ended with its servers being seized and its activities effectively neutralized in January.

In the new report, the government makes it known that they’re going to keep doing stuff like this and that their ultimate goal is to literally “defeat ransomware.” Indeed, the administration says it is “committed to mounting disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.” In other words: look alive dark web goons, they’re coming for ya!

#3: Making Sure the Tech Industry Prioritizes Security

Another thing that the new cyber strategy wants to do is force the folks in Silicon Valley to do something they’re not very good at: prioritize security when designing their products.

Indeed, one of the reasons that companies get hacked so much is that most modern software isn’t really put together with security in mind. Instead, developers often have two other factors at the top of their priority list: time-to-market and consumer experience. Security, meanwhile, can be both time-consuming and costly. There are exceptions to this rule but, by and large, security is considered a hindrance to business priorities, which are launching a product quickly and making money.

What does the government want to do about it? Well, there are a couple different measures that the Biden administration says it would like to take to encourage the tech industry to do a better job.

  • Use federal grant programs to help drive new security products and to push federal research and development into security technologies. This is an interesting idea, but definitely more of a long-term investment than a short-term solution.
  • The document states that it also wants to work together with Congress and the private sector to establish “liability for software products and services.” This push should seek to “establish higher standards of care for software in specific high-risk scenarios.” The idea here is to create an incentive structure in which companies of a certain size and prominence are forced to create better security protections for their products or risk opening themselves up to legal risk.
  • Less obviously, the strategy also frames stronger privacy protections as a security measure. The document states “The administration supports robust, clear limits on the ability to collect, use, transfer, and maintain personal data.” In short: if companies keep less personal data on web users, a breach exposes less, because data that was never collected can’t be stolen. Sounds like a sensible idea, but it’s unclear how and when such limits would actually be enacted.

#4: Acknowledging That the Internet is Held Together with Bubble Gum and Baling Wire

Another major cybersecurity crisis that unfolded under the administration’s watch was the discovery of Log4Shell (CVE-2021-44228), a serious remote code execution vulnerability in Log4j, a ubiquitous open source Java logging library. The Log4j episode helped further clarify to the government the perils of today’s open source software ecosystem, in which a single unpaid maintainer’s bug can land in software running everywhere, and the potential threats that poses to the global economy. Since the discovery of the bug, the government has been working with the open source community and other internet interest groups to enact better protections for vital software supply chains and the broader digital ecosystem. Systemic deficiencies in security are something that need to be addressed, the new cyber strategy says. The document states:

The Internet is critical to our future but retains the fundamental structure of its past. Many of the technical foundations of the digital ecosystem are inherently vulnerable. Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk exposure…Such a “clean up” effort to reduce systemic risk requires identification of the most pressing of these security challenges, further development of effective security measures and close collaboration between public and private sectors to reduce our risk exposure…

In other words, the government is acknowledging that our digital world is, as the ol’ saying goes, held together “by bubble gum and baling wire.” To fix this, the White House says it plans to invest a ton of money in a number of different areas in an effort to create a more secure ecosystem. These include…

  • Using partnerships with the private sector to reduce “systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem,” things like Border Gateway Protocol route hijacking, unencrypted Domain Name System queries, and other long-standing security deficiencies in basic internet infrastructure.
  • “Reinvigorating” research and development geared around “next gen” cybersecurity capabilities. What kind of capabilities? The strategy names stuff like post-quantum cryptography: encryption and signature schemes designed to withstand attacks by a large quantum computer, a machine that does not yet exist but that would break the public-key cryptography in use today.
  • Fostering broader cybersecurity workforce development. Often something of a problematic topic, companies and governments can sometimes have trouble finding the right talent to man their battle stations; recruitment and retention of security professionals can be tough, and a surprising number of companies never hire a CISO at all. The government says it wants to turbo-charge a number of existing cybersecurity workforce development programs, in an effort to spur broader recruitment.

#5: Make Sure the Rest of the World is on the Same Page About Kicking Bad Hackers in the Ass

Finally, the government wants to make sure that everybody else is on the same page when it comes to going after the bad guys. The White House says that it wants to leverage “international coalitions and partnerships among like-minded nations to counter threats to our digital ecosystem through joint preparedness, response, and cost imposition.” By and large, the government has already been doing this—and it seems to have borne some good results.

An international summit on the ransomware scourge helped to bring countries together around the need to fight cyber villains and, prior to the war in Ukraine, Biden even met with Russian president Vladimir Putin to discuss expanded cooperation around disruption and prosecution of ransomware gangs—a large number of which are believed to be headquartered in Russia. Will more international summits and partnerships help? It certainly can’t hurt.
