The White House has long urged IT makers to voluntarily bake cyber protections into their products but is becoming more aggressive by mandating that system makers at large companies build in security by design.
A new, muscular government regulation awaits President Biden’s approval: a two-part strategy that not only aims to mandate built-in security across private industry but also endorses a policy of aggressively counter-hacking cyber adversaries should the nation’s networks or businesses be attacked.
U.S. Goes on the Offensive
That part of the strategy first surfaced more than three years ago when Gen. Paul Nakasone, who heads the National Security Agency and U.S. Cyber Command, announced that the U.S. would, under certain circumstances, go on the offensive to preempt cyberattacks by foreign governments and their operatives.
The impetus for the first part of Washington’s security strategy appears to be three events: the SolarWinds supply chain hack, in which dozens of managed security providers (MSPs) were compromised to reach larger targets, including government agencies and large businesses; the Kaseya ransomware hack, which deployed similar tactics; and the Colonial Pipeline critical infrastructure ransomware event.
Those events sparked a wave of new legislation requiring critical infrastructure owners and operators to report ransomware events and payments within a 48-hour window or face fines and penalties. Similar bills that did not pass proposed the same requirement for private industry.
National Cybersecurity Strategy Outlined
The 35-page document, entitled National Cybersecurity Strategy, first viewed and reported by Slate, details plans to:
- Set mandatory regulations to secure systems in the design process on a wide swath of American industries, rather than urging them to do so
- Engage U.S. defense, intelligence, law enforcement and private industry to reactively — or even proactively — hack back into the servers and networks of adversarial governments as a consequence of attacking American digital machinery
“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document states in the draft viewed by Slate. White House officials have stressed that the document is a draft and could change, Slate said.
Federal authorities appear to recognize that asking companies to voluntarily incorporate security into system builds by adhering to certain guidelines has failed to rebuff hackers. Moreover, adopting a solely defensive posture to protect the nation’s computer assets from attacks is not enough.
Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, in remarks at a CyberScoop event on February 22, 2023, said the strategy seeks to “re-architect our digital ecosystem” so “that we are creating future resilience.”
“Shifting the burden” from smaller companies to larger organizations that can “build in security by design” can boost the nation’s cyber posture, Stewart Gloster said.