The Biden administration wants to change the paradigm for how the government and private industry think about the immediate needs and long-term technology infrastructure requirements for the U.S., according to the president’s top advisor on cybersecurity.
The national cybersecurity strategy calls for two fundamental shifts in how the U.S. allocates roles, responsibilities and resources in the sector, Acting National Cybersecurity Director Kemba Walden told House members on Thursday.
The U.S. needs to rebalance the responsibility for managing cyber risk so the burden doesn’t fall on the least capable members of society, according to Walden. Currently, the responsibility for cybersecurity falls on individuals, small businesses and local governments, Walden said.
“Instead the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe,” Walden testified Thursday before the House Subcommittee on Cybersecurity, Information Technology and Government Innovation.
The U.S. economy and wider society also need to incentivize investments that make cyberspace more resilient and defensible over the long term, Walden said.
Security needs to be baked into the technology Americans use every day, Walden said, and not bolted onto aging systems that are vulnerable to malicious attacks.
One important aspect of burden shifting is making sure small- and medium-sized businesses do not bear the brunt of cybersecurity risk. Walden confirmed the U.S. is considering a federal backstop for cyber insurance coverage.
Walden compared the risk concerns to flood insurance; flooding has become a growing risk for U.S. businesses and individual residents across the country. Most homeowners insurance policies do not cover flood damage; however, the federal government offers a flood insurance program through FEMA.
The goal with a potential cyber insurance backstop would be to protect SMBs from bearing the full cost of a breach, while making sure those systems are resilient.
Officials have already begun work to raise minimum standards for critical infrastructure providers, but the administration does not want to overburden any one particular sector with regulations.
As previously reported, the Securities and Exchange Commission and the Environmental Protection Agency have separately announced proposed changes to raise minimum cybersecurity standards for financial industry participants and drinking water providers.