The Biden administration is tired of asking businesses to up their defenses and is preparing to mandate new cybersecurity requirements and overhaul how the government works with the private sector to fight hackers.
The administration’s long-awaited “National Cybersecurity Strategy” unveiled on Thursday promises more regulation and blames a lack of mandatory cybersecurity requirements for the digital damage enabling real-world harm to U.S. infrastructure such as gas pipelines.
The Biden administration’s solution involves working closer than ever with businesses. The strategy said government officials are reviewing ways to declassify critical information, expanding access to sensitive material to better fight cyberattackers.
Cybersecurity officials, law enforcement agencies, and the intelligence community are being tasked with creating new processes to share warnings, threat indicators and other data with the private sector to stop digital attacks.
“The federal government will increase the speed and scale of cyber threat intelligence sharing to proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised,” the strategy said.
The White House’s new strategy indicates ongoing collaboration with businesses is not good enough to completely stop the cyberthreats emanating from China, Russia, Iran and North Korea.
China is the main culprit in cyberspace that worries the Biden administration. The cybersecurity strategy said China is the most active and persistent threat to governmental and private computer networks, and the communist regime is the only country intent on reshaping the international order that has the technical know-how to do so.
Alongside better information sharing to combat China and other attackers, the federal government intends to mandate new cybersecurity standards on businesses to bolster defenses, said Anne Neuberger, White House deputy national security adviser for cyber and emerging technology.
“We recognize that we need to move from just a public-private partnership information-sharing approach to implement minimum mandates,” Ms. Neuberger told reporters. “Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.”
She said the federal government has already created minimum cybersecurity standards for pipelines and railways, and is preparing to roll out more regulations for additional industry sectors soon.
Precisely how widespread those regulations grow appears to have been a hotly debated topic among top cybersecurity officials in recent months.
John C. Inglis left his post as the National Cyber Director last month while his office continued its work on the new national cybersecurity strategy unveiled on Thursday.
Mr. Inglis and Ms. Neuberger clashed over federal agencies’ regulatory authority for cybersecurity before his departure, according to Slate’s Fred Kaplan in January, who had reviewed a draft version of the new strategy.
The two cyber officials were reportedly at odds over which agencies may write and enforce regulations over various industries, in the absence of clarity from Congress passing new laws.
House Republicans also criticized the Biden administration’s new cyber approach.
Reps. Mark Green of Tennessee and Andrew Garbarino of New York, both members of the House Homeland Security Committee, said Thursday that the Biden team’s desire for more regulation, bureaucracy, and red tape should come as no surprise.
“We are concerned that while the administration expresses their desire to harmonize, their actions have only encouraged or forced new regulations from multiple agencies — in contradiction of Congress’ clear direction through the Cyber Incident Reporting for Critical Infrastructure Act of 2022,” the lawmakers said in a statement.
Mr. Green and Mr. Garbarino said the Biden administration should prioritize streamlining existing regulations and look for new ways to partner with businesses rather than inventive ways to punish them.
The Cybersecurity and Infrastructure Security Agency has also pursued voluntary collaboration with the private sector instead of forcing tech firms to do the government’s bidding. CISA has avoided being perceived as a federal regulator as it has courted close business relationships.
CISA leads the Joint Cyber Defense Collaborative established in 2021 to team national security and law enforcement agencies with companies including Amazon, Google, Microsoft and cybersecurity firms to collectively fight hackers and cyberattackers.
The new cyber strategy makes clear that the Biden administration does not want to leave America’s cyber defenses up to the private sector companies’ ability and willingness to protect their networks.
“While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the strategy said.
The strategy said “regulation can level the playing field” for those critical infrastructure owners and operators who spend money on improved defenses only to not reap a financial reward.
The Biden administration made clear it is not waiting for Congress to act but will work with lawmakers to close what it perceives as “gaps” in rules that govern cybersecurity regulations the federal government can impose on businesses.
The strategy said the Biden administration will rely on existing authorities to write new regulations and lean on states to set their cyber standards, too.
The new strategy’s five main points are imposing new requirements to improve cyber defenses, using all tools of national power to fight malicious cyberattackers, shaping the private market to accomplish governmental goals for security, spending more money to build resiliency, and forging international partnerships.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.