US unveils new cybersecurity strategy: tighter regulations, ransomware predominant threat

Updated on: 02 March 2023

Reuters
Contribution by Gintaras Radauskas

cyber-sec-strategy — Image by Shutterstock.

The White House on Thursday announced a new cybersecurity strategy in the latest effort by the US government to bolster its defenses amid a steady increase in hacking and digital crimes targeting the country.

The strategy, which is intended to guide future policy, urges tighter regulation of existing cybersecurity practices across industries and improved collaboration between the government and private sector.

It comes after a series of high-profile hacking incidents by domestic and foreign actors against the US, amid the military conflict between Russia and Ukraine in which cyber warfare has featured prominently.

The strategy names China and Russia as the most prominent cybersecurity threats to the US. A government official who declined to be named said part of the new strategy was aimed at reining in Russian hackers.

"Russia is serving as a de facto safe haven for cybercrime, and ransomware is a predominant issue that we're dealing with today," the official said.

Ransomware attacks, in which cyber criminal gangs seize control of a target's systems and demand ransom payments, are among the most common types of cyber attacks and have impacted a wide range of industries in recent years.

"The criminal justice system isn't going to be able to on its own address this problem – we do need to look at other elements of national power," the official added. "So we're hopeful that Russia understands the consequences of malicious activity in cyberspace, and will continue to be restrained."

The strategy calls for building coalitions with foreign partners "to create pressure on Russia and other malicious actors to change their behavior," said a second US official on the call, who also declined to be named.

"I think we've seen some success in sustaining those coalitions over the last year," the official added.

Among a range of things, the strategy calls for improving standards of patching vulnerabilities in computer systems, and implementing an executive order that would require cloud companies to verify the identity of foreign customers.

The US government has been urging companies to report intrusions voluntarily and regularly update programs to remove new vulnerabilities. However, the new strategy concludes such voluntary efforts are insufficient when Russia, China, North Korea, or Iran are constantly attempting to breach into critical networks.

“The federal government will work with cloud and other internet infrastructure providers to quickly identify malicious use of US-based infrastructure, share reports of malicious use with the government, make it easier for victims to report abuse of these systems, and more difficult for malicious actors to gain access to these resources in the first place,” the strategy says.

The document also adds that “all service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.” Finally, the strategy calls for “fundamental changes to the underlying dynamics of the digital ecosystem.”

It’s not clear for now what “reasonable” means, how companies would be forced to enact cybersecurity measures for critical infrastructure, or whether liability might be imposed on firms that fail to secure their code.

In any case, Drew Bagley, vice president and counsel for privacy and cyber at Crowdstrike, a major cybersecurity company, said that the firm welcomed the new Strategy which, in his words, "offers a unified, high-level approach to increasing and orchestrating community efforts to strengthen the nation’s cybersecurity posture overall."

"Notably, the Strategy recognizes the significant risk to privacy posed by cyber threats and the importance of using federal privacy legislation as a vehicle to achieve stronger data protection outcomes," said Bagley.