The Biden administration unveiled its highly anticipated national cyber strategy Thursday, a policy blueprint designed to combat the rising threat of malicious activity against the U.S. from foreign adversaries and criminal cyber actors.
Under the strategy, developed after years of combating a surge in ransomware and nation-state threat activity, federal authorities will seek to reorder priorities in how the nation manages digital security.
Officials want to shift the burden for cyber resilience away from under-resourced consumers of technology and place more responsibility on multibillion-dollar technology giants that for years have sold their customers software and computer systems full of technical flaws.
“Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards,” Kemba Walden, acting national cyber director, said during a conference call with reporters Wednesday. “We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.”
Authorities want to realign incentives to protect the country from immediate threats while building resilience through long-term investments.
The strategy builds on five core pillars:
- Defend critical infrastructure: Establish minimum standards to secure key industrial sectors, while boosting public-private collaboration and modernizing federal government networks.
- Disrupt and dismantle threat actors: Strategic use of all instruments of national power to disrupt adversaries, while engaging the private sector and working with global partners to combat ransomware.
- Shape market forces to drive security and resilience: Shift liability for secure software and services, support data privacy and promote investments in new infrastructure.
- Invest in a resilient future: Reduce technical vulnerabilities, build a diverse cyber workforce and prioritize next-generation cyber research and development.
- Forge international partnerships to pursue shared goals: Leverage global partnerships to combat ransomware, help nations defend themselves and work to develop secure global supply chains.
Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration has already begun working on minimum standards for critical industry sectors like pipelines and rail.
Additional minimum standards are in the works for even more sectors, she said during the call.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly previewed a major component of the strategy in an address Monday at Carnegie Mellon University, where she called on the technology industry to embrace a “secure by design” philosophy. The goal is to build resilience into products during the development phase instead of forcing customers to continually update software and search for vulnerabilities in existing products.
Google last month signaled it would support efforts to promote more responsible development practices, noting earlier efforts to embed protections like two-step verification by default into its online accounts.