The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.
Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don’t comply.
It’s not just the companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others, could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they’ve warned the company that, at the moment, it doesn’t appear to be up to the task.
First, let’s delve into the government’s emerging strategy.
The new National Cybersecurity Strategy
In early March, the Biden Administration released a new National Cybersecurity Strategy; it puts more responsibility on private industry and tech firms to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.
US regulators have long recommended that tech companies do this. The difference now, according to the New York Times, is that “the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards.”
In theory, if those standards aren’t met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the Times: “In the cyberworld, we’re finally saying that Ford is responsible for Pintos that burst into flames, because they didn’t spend money on safety.” That’s a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.
But cybersecurity requirements backed by fines aren’t here yet. Dig into the new document and you’ll find that because the new strategy is only a policy document, it doesn’t have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.
It’s not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.
All that may sound as if the new strategy is toothless. But…
2023-03-28 00:00:04
Source from www.computerworld.com