US Aims to Make Companies Liable for Poor Cybersecurity

The White House released a reformed National Cyber Strategy on March 2nd to combat the rise in cyberattacks ravaging health, federal, and private infrastructure across the United States. The cyberspace defense plan aims to pin the responsibility of online protection on private companies rather than the public.

The strategy highlights the necessity to “rebalance the responsibility to defend cyberspace” by shifting it away from individuals, businesses, and small governments, and onto “the most capable and best-positioned actors in cyberspace.” Pressing on the issue of creating futureproof cybersecurity solutions, the White House plans to “realign incentives to favor long-term investments”.

The goal is to have a robust cyber defense infrastructure that combats present threats and also keeps pace with the advancement of new malicious cyberattack methods.

A primary goal of the defense plan is to “defend critical infrastructure” and avoid calamities like the Heritage Provider Network ransomware attack last year. The strategy would include defining minimum cybersecurity requirements in critical sectors and improving the Federal response to cyberattacks, by better coordination with the private sector, State, local, Tribal, and territorial partners.

The defense plan to “disrupt and dismantle threat actors” includes reclassifying ransomware attacks as a “threat to the national security, public safety, and economic prosperity of the United States and its allies and partners.” Particular attention was given to ransomware attacks carried out from “safe havens like Russia, Iran, and North Korea” with the US vowing to employ “all elements of national power” to counter these threats.

The updated US Cyber Strategy is expected to require an overhaul in cybersecurity protections across the tech industry, which is already under heavy fire for security and privacy flaws over the years. The strategy document states that while companies all have the freedom to innovate, they must “also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”

The National Security Council, the White House Office of Management and Budget, and the Office of the National Cyber Director will coordinate the defense strategy.