WASHINGTON — The U.S. government plans to expand minimum cybersecurity requirements for critical sectors and to be faster and more aggressive in preventing cyberattacks before they can occur, including by using military, law enforcement and diplomatic tools, according to a Biden administration strategy document released Thursday.

The Democratic administration also intends to work with Congress on legislation that would impose legal liability on software makers whose products fail to meet basic cybersecurity safeguards, officials said.


This Strategy sets out a path to address these threats and secure the promise of our digital future. Its implementation will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base. Together with our allies and partners, the United States will make our digital ecosystem:

  • Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective;
  • Resilient, where cyber incidents and errors have little widespread or lasting impact; and,
  • Values-aligned, where our most cherished values shape—and are in turn reinforced by— our digital world.

Source: White House

“This strategy will position the United States and its allies and partners to build that digital ecosystem together, making it more easily and inherently defensible, resilient, and aligned with our values,” the document states.

President Joe Biden’s administration has already taken steps to impose cybersecurity regulations on certain critical industry sectors, such as electric utilities and nuclear facilities, and the strategy calls for minimum requirements to be expanded to other vital sectors.

Anne Neuberger, the administration’s deputy national security adviser for cyber and emerging technology, said on a conference call with reporters that it was “critical that the American people have confidence in the availability and resiliency of our critical infrastructure and the essential services it provides.”

The strategy document calls for more aggressive efforts to thwart cyberattacks before they can occur by drawing on a range of military, law enforcement and diplomatic tools as well as help from a private sector that “has growing visibility into the adversary sector.” Such offensive operations, the document says, need to take place with “greater speed, scale, and frequency.”

“Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the strategy document says.

Under the strategy, ransomware attacks — in which hackers lock up a victim’s data and demand large fees to return it — are being classified as a threat to national security rather than a criminal challenge, meaning that the government will continue using tools beyond arrests and indictments to combat the problem.