US presents national cyber-security strategy
The Biden administration's new cyber-security strategy aims to make companies responsible for preventing cyber attacks.
The US's new cyber-security strategy aims to "rebalance the responsibility to protect the cyberspace", shifting it away from individuals and onto large corporations.
At the same time, the US government plans to accelerate efforts by the Federal Bureau of Investigation and the Defense Department to disrupt the activities of hackers and ransomware groups around the world.
The Biden administration also expressed its intent to work with Congress on legislation that would impose legal liability on software makers whose products fail to meet basic cyber-security safeguards, officials said.
For years, the US government has relied on companies voluntarily reporting intrusions in their systems and regularly patching their programs to fix newly discovered vulnerabilities.
The new National Cybersecurity Strategy concludes that this is not enough, and proposes requirements for companies to adhere to minimum cyber-security standards.
"This strategy will position the United States and its allies and partners to build that digital ecosystem together, making it more easily and inherently defensible, resilient, and aligned with our values," the document states.
As a policy document, the strategy is not legally binding. However, it does represent a change in attitude in Washington DC regarding responsibility for preventing cyber attacks.
The document also builds on steps taken by President Joe Biden to impose cyber-security regulations on certain critical industry sectors, such as electric utilities and nuclear facilities.
"By working in partnership with industry, civil society, and state, local, tribal and territorial governments, we will rebalance the responsibility for cyber security to be more effective and equitable," Biden said in a statement.
Anne Neuberger, the US's deputy national security adviser for cyber and emerging technology, said on a conference call with reporters that it was "critical that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides".
Neuberger said that the current approach to securing – based on voluntary reporting – is "inadequate", and that it places too much responsibility upon individual users and small organisations.
Instead, the proposal seeks to place legal liability onto software makers that fail to take basic precautions to produce secure technology.
"Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States," the strategy document reads.
Over the last couple of years, public bodies have seen a sharp increase in cyber attacks, with a report by Atlas VPN stating that the US suffered 14 state-sponsored cyber attacks in 2022.
Moreover, organisations across the world, from the UK’s NHS to the US’s Apple, and even the Albanian government, have suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk.
Recently, a distributed denial-of-service attack disrupted communications between NATO officials and military aircraft engaged in search-and-rescue operations in Turkey and Syria.