Biden to hold companies responsible for poor cybersecurity
In an effort to shift the burden of defending U.S. cyberspace away from small organizations and individuals, the Biden Administration is pushing for new regulations that would hold companies accountable for any cybersecurity incidents that occur within their systems.
This proposal is part of the new National Cybersecurity Strategy, which outlines a new partnership between federal agencies and private companies to detect and respond to ransomware attacks. The plan’s goal is to deter cybercriminals from engaging in any activity within the United States.
The strategy was developed by the Office of the National Cyber Director (ONCD), and it has five pillars: defend critical infrastructure, disrupt and demolish threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships.
Recent ransomware attacks have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services, according to the report. One of the most visible occurred in 2021, when ransomware hit the Colonial Pipeline, which transports gasoline and jet fuel throughout the Southeastern United States. The attack halted the enormous pipeline for several days, spurring supply problems in some states.
“Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation,” the document stated. “New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”
“The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated updated National Cybersecurity Strategy document. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.”
Another crucial objective of the plan is to favor long-term investments by striking a careful balance between defending against urgent threats today and strategically planning for and investing in a resilient future. This means that businesses may face penalties or legal action if they do not take adequate precautions to protect their data and networks from cyber attacks.
The sources for this piece include an article in Ars Technica.