Background Press Call by Senior Administration Officials Previewing the Biden-Harris Administration’s National Cyber Strategy
5:02 P.M. EST
MODERATOR: Hi everyone. And thanks for joining. This is [Moderator] from NSC.
Before we get started, a quick housekeeping: Everyone on this call should have received the embargoed copy of the factsheet and an embargoed version of the strategy. All of that is embargoed until 5:00 a.m. tomorrow for reference. If you haven’t, please reach out to Michael Morris from ONCD, and he’ll be able to help you out. But with that, I guess we’ll get to it.
Welcome to our call previewing the national — the Biden-Harris administration’s National Cyber Strategy. We’ll start this call on record with remarks from the acting Director — Cyber National Director Kemba Walden and the NSC’s Deputy Director [Deputy National Security Advisor] for Cyber and Emerging Technologies, Anne Neuberger.
And then we’ll move to a background, attributable to “senior administration officials” for a few questions, where you’ll also hear from [senior administration official] and the [senior administration official].
So, with that, I will turn it over to you, Kemba.
MS. WALDEN: Thank you, [Moderator]. And good evening. Thank you all for being here. So, tomorrow, President Biden will release the administration’s National Cybersecurity Strategy. This strategy sets forth a bold new vision for the future of cyberspace in the wider digital ecosystem.
I want to thank the President for recognizing the critical importance of cybersecurity issues for the American people and for making cybersecurity a policy priority from day one of this administration.
The strategy builds on two years of unprecedented attention that the President has placed on cybersecurity issues, starting with the May 2021 executive order.
I also wanted to thank Congress for their continued willingness to work with the administration on cybersecurity issues. We’re fortunate to benefit from a long history of bipartisan cooperation on cybersecurity.
And I want to thank the many departments and agencies that contributed their time and expertise to the development of this strategy and who will now be at the forefront of its implementation.
The President’s strategy fundamentally reimagines America’s social — cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it. Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.
The biggest, most capable, and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.
With respect to industry, we will identify gaps and reduce burdens in existing authorities where targeted and narrow regulations are necessary to improve public safety and cybersecurity.
But for government, we have a duty to the American people to also double down on tools that only government can wield, including the law enforcement and military authorities to disrupt malicious cyberactivity and pursue their perpetrators.
And we will continue to invest in information sharing, operational collaboration, and other forms of partnership with the private sector.
Every American should be able to benefit from cyberspace, but every American should not have the same responsibility to keep it secure.
Simply shifting the burden for security, though, won’t solve all of our problems if we don’t start thinking in terms of long-term solutions. There are very real near-term risks, legal requirements, and commercial incentives that cause us to prioritize short-term approaches over long-term solutions.
But it’s not enough just to manage the threats of today. We need to invest in a tomorrow that is more inherently defensible and resilient.
To do that, we need to make it so that when public- and private-sector entities face tradeoffs between easy but temporary fixes and durable and long-term solutions, they are incentivized to consistently choose the latter.
This strategy calls for investments in our cyber workforce, our infrastructure, and the digital ecosystems underlining the technologies to improve our national resilience and economic competitiveness. Rebalancing the responsibility to defend cyberspace and incentivizing investments in a resilient future are the fundamental shifts that guide the President’s strategy.
I want to turn now to my colleague, Anne Neuberger, who can provide her view on the strategy and some of its most important policy objectives.
Thanks so much for your time.
MS. NEUBERGER: Thank you, Kemba. Good afternoon, all. It is really great to be here with you today.
I want to first kick off by thanking the ONCD team and, as Kemba did, the many departments and agencies who led and participated in building a strong, comprehensive strategy.
Before I get to the strategy, though, I’d like to simply start off by simply saying how the strategy is really being released at a pivotal moment, at a very timely moment. Looking back at the last 24 months of the Biden-Harris administration and especially over the last year as we recently hit the one-year mark of the war in Ukraine, we’ve seen the cyber threat be at the forefront of geopolitical crises.
And as we know, the threat is not only Russia. We’ve seen destructive cyber and ransomware attacks executed by cybercriminals and other countries across the globe.
For example, last fall, we saw Iranian intelligence services attack Albania’s government networks, disrupting government services to the country’s citizens. And almost immediately, we, at the ready, mobilized ourselves and our European partners to assist in Albania’s response to the attack and to hold Iran accountable by designating sanctions on individuals responsible.
Here at home, we’re no stranger to these sort of threats, which is important, because the Biden administration’s fundamental commitment is that Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air/water services even if they are being targeted by our adversaries.
And that’s why the Biden-Harris administration has worked tirelessly over the last two years to deliver on that commitment by building a more resilient cyber infrastructure to protect the services we all rely on daily, and also to strengthen our international partnerships, because cyber threats are fundamentally transnational threats. They cross borders.
So that’s exactly what the strategy captures and sets out to continue to do, drawing direction and inspiration from the National Security Strategy, and establishing an affirmative vision for a secure cyberspace that creates opportunities to achieve our collective aspirations.
It endeavors to make a stronger and more resilient cyber infrastructure for the American people and our allies and partners around the world.
So, I’ll take a moment to walk through the five core pillars that the strategy is built on.
First, the strategy will defend critical infrastructure by expanding minimum cybersecurity requirements for critical sectors, enabling public-private collaboration, and ensuring that our systems are kept to the level needed to meet the threat. It’s critical, as I said, that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides.
Second, it will disrupt and dismantle threat actors by using all instruments of national power to make malicious cyber actors — to make it harder for them to threaten the national security or public safety of the United States.
Third, it will shape market forces to drive security and resilience by ensuring we place responsibilities on those who can address the risks, and we work to shift the consequences of poor cybersecurity away from the most vulnerable. We need to make our digital ecosystem more trustworthy.
Fourth, invest in a resilient future through strategic investments that the Biden administration has made over the first two years and continued investments and coordinated, collaborative action. We’ll continue to lead the world in developing secure and resilient next-generation technologies and infrastructure.
And finally, we’ll continue to forge international partnerships to pursue shared goals by promoting a cyberspace where responsible state behavior is expected and rewarded, and irresponsible behavior is isolating and costly, as in the Iran example I noted earlier.
There are three elements in particular I’d like to highlight.
First, on the critical infrastructure side. A lot of the work we’ve done on critical infrastructure is already underway. This strategy codifies the first two years of putting in place minimum cybersecurity pipe- — requirements for pipelines, for railways, and, shortly, for additional sectors we’ll be announcing.
We recognize that we need to move from just a public-private partnership, information-sharing approach to implement minimum mandates. Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.
As I said, we’ve made major progress in executing this as a core Biden administration commitment in the first two years, and we’ll continue to carry it forward with the executive branch authorities we have in place and work with Congress to develop those limited additional authorities we may still need.
Second, as we continue our focus on disrupting and dismantling threat actors, we’re elevating our work on ransomware, declaring ransomware a threat to national security rather than just a criminal challenge.
And again, this is something we’ve already begun to tackle through domestic work targeting the most virulent ransomware actors — I’d call out the FBI’s work against Hive as an example — and with 36 partners and the European Union in the international counter ransomware initiative, which just had its first anniversary in October.
Finally, it redoubles our commitment to international partnerships and implementation of norms. Threats in cyberspace are often borderless. Cyber defense matters in the modern geopolitical climate. And we must work with our close allies and partners to deliver the security we all need and our citizens deserve.
So, with that, thank you for your time. And we’ll turn it over for questions, as [Moderator] noted, to [senior administration official] and [senior administration official]. Thank you for your questions.
MODERATOR: Thanks, Anne. And thanks, Kemba. And just to make sure I got everyone’s title right there at the top for our on-the-record speakers, it was the acting National Cyber Director, Kemba Walden, and the Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger.
So, if you want to use the “hand raising” feature, we’ll give it a quick minute to let people raise their hands and then we’ll get started with a Q&A.
We’ll get started. Our first question will go to Maggie Miller from Politico. You should be able to unmute yourself.
Q Yep. Hi. Thanks so much for hosting this call. I wanted to ask a little bit more about some of these, you know, regulations that are going in place. I know Anne mentioned there’s going to be new sectors that are going to be announced soon. Can you talk more about what those sectors will be and what the feedback from industry has been about having this more mandatory approach to cybersecurity requirements that has, as you mentioned, already been ongoing? Thanks so much.
SENIOR ADMINISTRATION OFFICIAL: Hi, Maggie. [Senior administration official] here. Thanks for the question.
So, we’ve taken up a sector-by-sector approach in looking at each critical infrastructure sector and thinking about what are the ways that we can improve the cybersecurity posture within that sector. There are a number of sectors that are already regulated — for instance, electricity grid, you know, nuclear facilities, there are others — where the ability to require cybersecurity practices as part of an overall security program and safety program is already in place.
And so, we just want to make sure that those regulatory regimes take advantage of the best thought that exists across the cybersecurity industry and what we’re learning from examining cyber incidents that have occurred in recent years.
But there are sectors where the authorities aren’t as clear or we have not fully exercised the authorities that exist. One example of where we’re beginning to take the first steps is EPA for the water sector. They have made a public notice, and I’m not exactly sure where it stands, but I think it’s coming out soon. It’s an interpretation of an existing rule for sanitary surveys in which water facility owners and operators will have to incorporate some cybersecurity elements in their regularized sanitary survey program, where they’re looking at drinking water safety issues and the equipment and such.
So, it’s not a — it’s not a new authority. It’s an interpretation and adding additional elements into an existing authority. So that that will begin to come into place here in the very near term but will take time to fully see that ripple through the industry because these are on a couple-of-year cycles to be when the sanitary surveys get done on a periodic basis.
There are other sectors where we’re looking at similar things and finding ways to close gaps. There are a number of sectors where it’s purely voluntary and there’s actually not a regulatory regime around it. And so, those are things that we’re looking at. And also turning to CISA, through those cross-sector cyber performance goals that they’ve put out, to find ways to encourage the incorporation of cybersecurity best practices. These are things that everybody knows about — multi-factor authentication, network segmentation, things like that, encryption.
And so, the bar we’re setting is not a high bar. We really are just hoping that owners and operators do the basics. And over time, we’re going to be able to bring and raise all ships.
MODERATOR: Great. We’ll go to our next question. Sean from CNN. You should be able to unmute yourself.
Q Hi, can you hear me?
MODERATOR: Yes, we can hear you.
Q Great. Thanks for the call. Very interesting strategy. I wanted to ask, kind of, a question that comes up in a lot of these calls, but, you know, you have to ask it, is: in terms of the international dimension, how the administration is going to address the bear in the room and try to get — if try at all — to get Russia to cooperate on norms, on pursuing ransomware actors, et cetera.
We’re all well aware of the tools that the administration can use to rally allies and use it and coordinate with everyone else except Russia. But the government will agree that cooperating with Russia would certainly help in this space.
So, has that — has that ship sailed with the war in Ukraine and given that the war has no end in sight? Has the administration given up on engaging Moscow on cybercriminal issues and other cyber issues? Or are we going to see some sort of effort in the future? Thank you.
SENIOR ADMINISTRATION OFFICIAL: I think what we’re seeing is an approach that draws directly from the National Security Strategy into the National Cyber Strategy, which is to focus on our regional partners around the globe to build the coalitions that can create pressure on Russia and other malicious actors to change their behavior. I think we’ve seen some success in sustaining that coalition over the last year.
And so, we’re hopeful that Russia understands the consequences of malicious activity in cyberspace and will continue to be restrained.
SENIOR ADMINISTRATION OFFICIAL: So, I’ll amplify a little bit. You hit the nail on the head, Sean, that this is a significant problem, which is why Anne Neuberger had mentioned and the strategy calls out essentially a new policy that ransomware constitutes a national security threat.
Traditionally, cybercrime issues would be handled within the criminal justice system, and responsible countries would investigate crime, collect evidence on behalf of each other, share information, cooperate, have mutual legal assistance, request things fulfilled, and extradition. And these types of problems would be addressed and suppressed through normative avenues.
We do have a problem where Russia is serving as a de facto safe haven for cybercrime, and ransomware is a predominant issue that we’re dealing with today, which is why the strategy also calls out — since the criminal justice system isn’t going to be able to, on its own, address this problem, we do need to look at other elements of national power to be going after the threat.
And so, we won’t be able to — well, some of the things that we can talk about are, you know, Treasury sanctions, and State Department has done Reward for Justice offerings to try to shine a light on these issues, make it more difficult for the cybercrime actors to operate. And then, as well, you’ve seen successes by the FBI and the Secret Service in apprehending actors who go on vacation somewhere, and they find themselves, you know, arrested on behalf of a U.S. extradition request.
And so, ultimately, I think [senior administration official] hit the nail on the head, which is that the — we want to shrink the surface of the Earth that people can conduct malicious cyber activity with impunity, and put pressure on them and make their lives a little bit less pleasurable.
And if a criminal is restricted to living in Russia and can’t leave the borders, then perhaps that might create a bit of a deterrent effect.
And then, we want to rally likeminded countries to be able to take a similar approach and to be using the tools that they have, and to make sure that we’re all focused on the problem and that we’re putting pressure across all areas, including diplomatic, on countries that do not follow, you know, agreed-upon norms.
MODERATOR: Thank you. We’ll go next to Kevin with NBC. You should be able to unmute yourself.
Q Hi. Yeah, thanks, y’all, for doing the call. I wanted to ask — I’m looking through this and I’m seeing echoes of a lot of this stuff this administration has been doing already, in terms of executive orders, the international cooperation stuff.
To what degree should we view this as — the new strategy as an extension and a coalescence of what this administration has been doing versus a — kind of a genuine — like a pivot, new vision?
SENIOR ADMINISTRATION OFFICIAL: So, I think the first thing to begin with is that this strategy, we acknowledge in it, is not only continuing the work from the start of the administration, when we came in and were addressing the crisis of SolarWinds and handling the reoccurring major ransomware incidents in that first year, but it’s also continuing many of the initiatives and many of the efforts that date back to the Obama administration, and builds on many of the efforts in the Trump administration.
And so, the first thing the strategy acknowledges is that we’re building on that path while we move in a new direction. And so, the big shift here, obviously, compared to previous strategies, is the focus on saying that we do need to set targeted requirements for critical infrastructure where those don’t exist today. That’s a major departure from the past.
The other shift is to look at how we think about liability for software manufacturers, something that has not been in previous strategies.
And I think the other thing I would note is the major shift that Anne has focused on, on how we’re really bringing all instruments of national power against cybercrime in the form of ransomware.
And so, the strategy is meant to pull together all of these threads and then provide us a direction forward.
MODERATOR: Great, thank you. We’ll now go to Elias with CyberScoop.
Q Hey, thanks so much for doing this call. So, a couple questions. Two on software liability and another on offensive operations.
On software liability, can you elaborate a bit on where in the software ecosystem you want to place liability? Figuring out where to place liability is just, kind of, a tough technical problem. And I’m wondering if maybe you guys can elaborate a little bit just on how you think about it.
And then, to follow up on that, you’re going to need Congress to move legislation on software liability reform. Can you talk through, a little bit, the politics of doing that, what you think the prospects are of moving that through Congress?
And then, in terms of a third question, if I can squeeze it in here at the end, can you elaborate a little bit on what you mean by bringing all forms of national power to bear on this problem and the extent to which this strategy is embracing greater use of offensive operations in cyberspace? Thanks.
SENIOR ADMINISTRATION OFFICIAL: So, on the liability question, the first thing that we’re trying to do here is make sure that we’re placing liability where it will do the most good. So, we don’t want to place liability, say, on the developers of open-source software who don’t have any resources, whose software is used by commercial providers to build their products.
If we placed liability there, we don’t get the changes that we want in the ecosystem. So, the first principle we’ve had is to place liability where it will do the most good. And in some people’s articulations, that’s on the final goods-assembler. Right? The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices.
We can’t have them devolving that responsibility down to a two-person, open-source project that hasn’t received any funding in the last five years. That’s not going to get us the outcome that we want.
We see shifting liability as a long-term process. When we think about this strategy, we’re looking out a decade. And so, our anticipation is that we will need to begin this process working with industry to really establish what better software development practices look like, work to implement those, work to articulate those, and then work with industry and Congress to establish what some kind of liability shield for the adoption of those practices would look like.
But we don’t anticipate that this is something where we’re going to see a new law on the books within the next year.
SENIOR ADMINISTRATION OFFICIAL: Quickly, maybe a little bit of a departure, but on the same theme of secure-by-design, recall that Anne Neuberger hosted, in October, an IoT security labeling event where we were beginning to engage with stakeholders and get feedback on what a government labeling program would look like to make sure that IoT products, their security posture is transparent to the customers so they can make informed choices.
That will help to encourage an ecosystem of secure-by-design products where, according to Carnegie Mellon’s research, there is a preference and people are willing to pay a premium for products that protect their security and their privacy.
So, in this theme, we’re looking to make sure that software design is using best practices and that it is a — security is in mind in the development of it, and that IoT products and other things like that are also in a better posture so that the attack surface is much reduced over time.
On the topic, Elias, you were asking about — implied, you know, offensive cyber or other tools of the government that can be applied against problems like ransomware in hard to reach places — in general, we are looking at the ransomware problem as a national security threat and, therefore, we need to be able to use additional tools such as, for instance, intelligence tools to make sure that we understand the threat and understand, you know, how it is that we can protect ourselves, how we can tip victims or intended victims before they’re attacked through whatever authorities are needed to do that.
I will not speak to what all activities that we may contemplate or be undertaking. But we are certainly in a more forward-leaning position to make sure that we’re protecting the American people from these threats and that we apply the tools that are necessary to address it.
And everything from diplomacy to law enforcement to intelligence to economic and financial, these are all tools — and military tools, as necessary — these are options that the President has. And we’re — we’re certainly open to using all of them in a smart way to go after the threat.
MODERATOR: Thank you. I think we have time for one more question, so we’ll go to Tim Starks from the Washington Post.
Q Hi there. Thanks. Mine is a pretty easy, hopefully, logistical question. Is the process by which this needs to be approved by the President complete? And what is that process? Does he sign it? Does he just say, “I approve this”?
And then, the implementation strategy — sorry, the implementation plan. How far along is that? When might we expect to see it?
SENIOR ADMINISTRATION OFFICIAL: So, that’s a great question. There certainly are details about how paperwork moves through this building. And what we can say is that this strategy will be announced tomorrow.
SENIOR ADMINISTRATION OFFICIAL: And, Tim, can you repeat your question on implementation, please?
Q Yes, happily. How far along is the implementation plan? And when might we expect to see it?
SENIOR ADMINISTRATION OFFICIAL: I can answer. So, the implementation plan has been developed in parallel with the strategy. And so, the effort is ongoing to take that. We’ve already, in fact, begun to implement aspects of the strategy over the last few months. And so, we anticipate that we will have a public snapshot of the strategy of the implementation plan out in the coming months.
MODERATOR: Cool. Thank you, everyone. As a reminder, our first two speakers were on record, and then the Q&A portion was on background, attributable to “senior administration officials.” The contents of this call and all the supplemental paperwork you got in email earlier are all embargoed until 5:00 a.m. Eastern tomorrow, Thursday, March 2nd.
If you have any other questions, feel free to follow up with us. Have a great night.
5:32 P.M. EST