Biden Administration Releases National Cybersecurity Strategy (axios.com)

The Biden administration is promising to hold software developers and critical infrastructure to tougher security standards and apply more pressure on ransomware gangs as part of its first national cybersecurity strategy, released Thursday. From a report: The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. The strategy -- which was crafted by the two-year-old Office of the National Cyber Director (ONCD) -- has five "pillars": defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships.

The strategy includes a wide range of tasks, from modernizing federal systems' cybersecurity defenses to increasing offensive hacking capabilities in the intelligence community. The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.

  • This will end well (Score:5, Insightful)

    by Powercntrl ( 458442 ) on Thursday March 02, 2023 @04:47PM (#63337233) Homepage

    The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.

    Tell me you don't understand the complexity of modern software without telling me you don't understand the complexity of modern software.

    This coming from the same government which failed to understand that it takes a certain amount of water to flush a turd, and they think they should be regulating software security practices? I can't wait to see what low-flush software security looks like.

    • by shanen ( 462549 )

      Nice FP, but we've already lost this battle. Wasn't it that REAL Republican Abe Lincoln who said something about the house divided against itself? But I still blame Microsoft for perfecting the EULA approach to no-liability software. Can you imagine how different the software industry would be if that stunt hadn't worked? (Me neither.)

      Still, I'll go ahead and ask for an up-to-date citation. The best book I've read (of many) on this topic is still Cyber War by Richard Clarke. Surely there's something better t

    • This is a standard US government media release of the type every administration does on an almost monthly basis.
      Don't get your knickers in a twist about it because it's just a part of the song and dance where they pretend they're interested in governing responsibly and the media pretend to believe them.
      • by sd4f ( 1891894 )

        Don't get your knickers in a twist about it because it's just a part of the song and dance where they pretend they're interested in governing responsibly and the media pretend to believe them.

        Hey, I've heard that one before, in Russia they call it a "vranya".

    • by sd4f ( 1891894 )

      I'm thinking that this is probably not intended to actually force secure software, but rather start to add some compliance requirements, and create barriers of entry for imported internet connected devices. After all, following "best practices" can really be whatever the industry decides, be it good or bad.

      I suspect that the least worst scenario will be to force development to plan for security testing, and document it in an auditable manner. Meanwhile, hardware has certain security standards and devices (s

      • add some compliance requirements

        Which is a potential disaster for OSS, because companies will be afraid to run anything that isn't officially certified as compliant.

        Also, holding open source developers responsible for failed compliance? Good luck with that. This entire concept is poorly conceived and it's like it was written by someone who has no clue whatsoever how the internet actually works. They're laboring under the delusion that security works like it does in the physical world, where you can just put a lock on a door which has b

        • by nightflameauto ( 6607976 ) on Thursday March 02, 2023 @05:37PM (#63337381)

          Some of that may be by design. Guarantee if they actually implement anything it will be lobbied by the big money software companies into something that pushes smaller companies out of the market, and probably gets rid of OSS as a viable concept for anybody that's not just hobby-tinkering around on their own things.

          That's the way our government works. Announce something way before action. Allow the big industry players to pool their resources (i.e. bribe money), take "public input" on the matter to make it look like they care, implement all the things suggested by the big money movers, then laugh at the public when they ask WTF they were thinking.

          • Devil's in the details, I would hope whatever law is passed allows some degree of prosecutorial discretion, that an OSS project that maybe has some holes that need plugging is not going to undergo nearly the amount of scrutiny as a major corporation.

            Would any of us object if DOJ went after LogMeIn, a $1.2B corporation, for the absolute debacle that seems to be the LastPass breach, or the multiple breaches T-Mobile or other companies have had for their likely corner cutting and poor practices?

            We are also prob

            • by guruevi ( 827432 )

              I would rather the DOJ ceased to exist. LogMeIn has always been a polished turd, whoever decided that the people behind the GoToMeeting malware (if you ever needed to join a GoTo meeting, you required the always-on, intrusive and ad-driven annoyosoft that reminded you every hour you didn't pay for the product) were trustworthy enough with their passwords kind of deserves it.

              • I mean, we can blame the consumer all we want, but that doesn't really solve anything, nor does it excuse a corporation for such lax security practices with people's data, especially security info. When there is such incompetence or even malfeasance I think there should be consequences beyond a fine or some credit monitoring. Examples need to be made, that's one of the concepts of justice in the first place (and yes, we need a DOJ, if you want to call it something different go ahead but libertarians always en

                • by guruevi ( 827432 )

                  GoTo purchased some successful early players in the field and a lot of large corps didn't know or care to change the service.

                  In the end, the market has to punish them, a small fine won't do. People have to actively get involved in the security practices of their vendors, that is slowly changing, but having implemented it, it is shocking how many even infosec and other large players can't provide a self-certification of having implemented something like the standard NIST guidelines, SOC2, HITRUST or ISO.

                  • Well they cared enough to entirely switch off for video conferencing so many did care. During the pandemic Zoom basically ate their lunch.

                    In the end, the market has to punish them, a small fine won't do.

                    That's half my point, a fine won't do but the market has shown time, time, and time again that it is not fully capable of "punishing" bad actors in the space, especially entrenched large ones.

                    can't provide a self-certification of having implemented something like the standard NIST guidelines, SOC2, HITRUST or ISO.

                    Seems like you agree that if implemented properly what the Biden admin is doing is good?

                    • by guruevi ( 827432 )

                      I just don't like that the government is forcing us down a path that is half-baked. I think some corporation(s) should be more vigilant towards HITRUST compliance whilst others perhaps should be more along the lines of PCI compliance.

                      If the government dictates which standard to follow, we get things like HIPAA which is half-baked, it doesn't even enforce encryption, because even though available at the time, the biggest players didn't implement it so the government made a "standard" that makes recommendati

        • They're laboring under the delusion that security works like it does in the physical world, where you can just put a lock on a door which has been certified to withstand X number of whacks from a sledgehammer and you're good.

          The IT industry is laboring under the delusion that their EULAs and ToSs will protect them from all liability. Fun fact: The same group that made "withstand X number of whacks" a legal requirement for physical security can make the equivalent legal requirement for IT security.

          Which is a potential disaster for OSS, because companies will be afraid to run anything that isn't officially certified as compliant.

          OSS isn't entitled to a market. You wanna play the game? Then you have to play by the rules of the game. If the rules say "you must implement X" and you refuse to do so, then you don't get to play. That goes for proprietary crap as well.

      • It's about having someone to blame they have control over - overseas scammers are too hard a target for Uncle Sam.
  • I guess the Biden Administration hasn't looked at a calendar to learn that today is not April Fool's Day.
  • Usually things with "cyber" in their names are underwhelming. It's a dumb word unless you're talking cybernetics. Which software is only loosely part of...

  • Yeah right (Score:1, Flamebait)

    by geek ( 5680 )

    Biden can't even spell cybersecurity. This is being pushed by some low level hack with no understanding of the topic. Worse, they'll just appoint some czar to it and it will go nowhere but still cost 100 billion somehow. Can't wait for the nonbinary pansexual transracial paraplegic they put in charge of this one.

  • Every day, billions of people are giving away information that may be used to manipulate or harm them.
  • The first step in security is not to have your information harvested.
  • and OPM debacles? Will the decision makers go to jail?

  • 1. Outsource it to Oracle.
    2. Blame Oracle when the next Colonial Pipeline situation happens.
    3. Fine Oracle $1 Billion for the failure.
    4. Allow Oracle to raise their government contract renewals by $2 Billion to cover the fines.
    5. Profit!

  • My job is compliance, originally it was only 800-171. Then we got bought by a public company, so I'm adding in specific SOX controls into my risk assessments. We're an airline, so now the TSA just dumped a 100+ control "framework" on us too, that they said 20 years ago (yes, 20 years in the makings) was specifically NOT 171 but turned out to basically almost replicate it. We also have IOSA controls I'm trying to sort out, they luckily are still mostly generic "you need a cyber security thing". But really,
  • surely must be:

    Do not abandon a laptop full of stuff at a repair shop.

    Closely related:

    Do not entrust important data or hardware to drunks and/or drug addicts.

    After those, the really tricky stuff like "don't use 1234 or 'password' as your password" and then the super-expert stuff like "don't click on urgent links in your emails and then enter all your personal info to 'verify your account'"

    All the Einstein-level actual serious security stuff is best left to the private sector rather than the agencies created

  • Software developers are already hard to come by.

    If we're going after devs for security breaches, then expect the price of devs to soar.
