The Biden administration will develop cross-sector performance goals for critical infrastructure cybersecurity as part of a new effort emphasizing voluntary collaboration, but current and former officials see the potential for federal mandates amid a concerning rash of cyber attacks.
In a national security memorandum released Wednesday, President Joe Biden directed the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology to “develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”
Biden directed CISA to develop “preliminary goals” for control systems used across critical infrastructure sectors by Sept. 22. Finalized cross-sector goals for control systems will come a year later, according to the memo.
A senior official briefing reporters on Tuesday said the “patchwork of sector-specific statutes does not enable us to say we have confidence that there are cybersecurity thresholds in place with regard to technology, governance, and practices.”
The official highlighted how the financial and chemical industries have sector-specific requirements, while the cybersecurity of electric companies is largely regulated at the state and local levels.
The memo also formally establishes the Industrial Control Systems Cybersecurity Initiative. The Biden administration first launched the initiative as a pilot program with the electricity sector in April. The official said more than 150 electricity utilities representing almost 90 million residential customers are in the process of deploying control system cybersecurity technologies as part of the pilot program.
“These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network,” the official said. “The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.”
Suzanne Spaulding, who led CISA’s precursor organization at the Department of Homeland Security, and now works at the Center for Strategic and International Studies, lauded the memo and its emphasis on national critical functions as “a more accurate prioritization than just looking at critical infrastructure sectors.”
“What we care about is the ability of that infrastructure to perform the critical functions upon which we depend, such as providing electricity and clean water,” Spaulding told Federal News Network. “These functions are often interdependent. For example, water facilities need electricity and electric generation often needs water. A focus on national critical functions captures this interdependence and reminds us that it’s the functionality that we care about, not just the computers.”
While the goals and initiatives are voluntary, Spaulding also noted a reference to potential mandates. The Transportation Security Administration has already issued new requirements for pipeline operators in the wake of the Colonial Pipeline ransomware attack.
“The emphasis is on voluntary collaboration, but it hints at the possibility of mandates, such as those promulgated by TSA for pipelines, in its reference to the possible need for ‘new legal authorities’,” she said.
The White House and Congress are also under pressure to show progress on critical infrastructure cybersecurity in the wake of hacks like those against Colonial Pipeline, JBS Foods, and other key sectors, according to Chris Cummiskey, a former senior DHS official who now runs a cybersecurity consulting firm.
“You’re seeing this migration away from voluntary — although they’re still trying to get there with some of the voluntary steps — but a recognition that for reporting incidents and the adoption of basic standards across the industrial complex of companies that make up the supply chain, that it may have to be mandated,” Cummiskey told Federal News Network.
The White House likely wants to strike a balance between voluntary and mandatory requirements, as mandates often turn into “compliance drills that don’t necessarily buy down risk,” according to Rick Driggers, a former CISA and White House official. He currently works as the critical infrastructure cyber lead at Accenture Federal Services.
“Government wants industry to have a cybersecurity baseline in place across all sectors, but they also understand that businesses have unique needs and challenges with implementing new enhancements to their security posture,” Driggers said. “That said, this is an important step for the government to take.”
The senior administration official alluded to the potential for mandates, arguing the administration “ate its own dog food” with the May cybersecurity executive order that directed federal agencies to increase their cyber defenses.
“I think we’re showing a willingness to do the work we need to do, and I think we’re showing a willingness to share information in new ways, come up with voluntary ways, but also making clear that given the criticality of the threat, we need to move with urgency and we need to look at all options, voluntary and mandatory, to achieve the rapid progress we need,” the official said.
But the official admitted the administration needs congressional action to move toward mandatory performance requirements.
“Short of legislation, there isn’t a comprehensive way to require deployment of security technologies and practices that address the threat environment that we face,” the official said.
Congress is already debating new cyber requirements for industry in the wake of attacks like last year’s SolarWinds hack and May’s Colonial Pipeline shutdown.
Last week, Sen. Mark Warner (D-Va.) and 14 co-sponsors introduced mandatory cyber incident reporting legislation. It would apply to federal agencies, contractors and critical infrastructure companies.
In a statement Wednesday, Warner connected Biden’s memorandum to his reporting legislation.
“Unfortunately, for too long we’ve relied heavily on voluntary reporting of these cyber intrusions, which has limited our ability to effectively respond,” Warner said. “In order to better anticipate and respond to future cyber incidents, Congress must swiftly pass the Cyber Incident Notification Act of 2021, which will work in concert with the steps the administration has put forth today to safeguard our critical infrastructure.”
During a Senate Judiciary Committee hearing on Tuesday, administration officials also backed incident reporting legislation.
“We need a federal cyber incident reporting standard for breaches that pose significant risks because inconsistent voluntary reporting is simply not enough,” Bryan Vorndran, assistant director of the FBI’s cyber division, told the committee.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, also backed a higher level of incident reporting.
“Our view is that any efforts to increase the volume of incident reporting to CISA and to be shared with our partners in federal law enforcement is absolutely essential,” he said. “Absent this reporting, we are unable to offer assistance. We are unable to address many of the questions that you and your colleagues have raised today to understand the breadth and scope of the problem. And we’re unable to develop information that we can share effectively to prevent other intrusions.”
Goldstein responded to senators frustrated by the Colonial Pipeline ransomware incident. Sen. Sheldon Whitehouse (D-R.I.) called it a “case study of failure” on the largely voluntary approach to critical infrastructure cybersecurity.
“We look forward to working with Congress and our partners across the interagency to ensure that we are rapidly raising the bar for cybersecurity across entities that provide national critical functions wherever they may be,” Goldstein said.
Driggers said increased cyber incident reporting is a key goal for government officials.
“It’s important for the government, specifically CISA, to know that an incident has occurred so that they can learn from that incident, take fast action to disseminate appropriate information to other parts of industry and all levels of government, and to help network defenders protect their networks and systems while protecting the identity of the victim,” Driggers said.
But CISA is also in a difficult spot amid the discussions around mandatory requirements, according to Cummiskey. Envisioned as a “white hat” friendly agency that industry would willingly collaborate with, the agency is increasingly seeing calls for it to become more of a regulatory entity.
“It’s fine to have the standards, but if you’re not going to enforce them, then it’s going to be pretty uneven, potentially if something goes wrong,” Cummiskey said. “Somebody’s going to have to get tagged with that. My guess is CISA doesn’t want to be the assignee for that responsibility.”