Amid persistent concerns about cyber attacks on critical infrastructure, a relatively new White House office is reviewing whether agencies charged with securing specific sectors are putting their cybersecurity resources and authorities to good use.
National Cyber Director Chris Inglis said his office is evaluating the resources, roles and responsibilities of sector risk management agencies. He said the performance assessments are being done in partnership with the Cybersecurity and Infrastructure Security Agency.
“We’ll walk across each of the SRMAs, I think we’ll discover that they have uneven performance,” Inglis said during a March 30 meeting of CISA’s Cybersecurity Advisory Committee. “Some of them are operational, some of them are not. And then at the end of that, determine not simply an academic assessment, but recommendations about what we do to get them all up to a level set in terms of their performance.”
A policy directive issued during the Obama administration designated sector-specific agencies to oversee the cybersecurity of each of the 16 critical infrastructure sectors. Most of those efforts are voluntary, as agencies have little authority to regulate the cybersecurity of private companies.
The Biden administration has encouraged critical infrastructure companies to adopt minimum cybersecurity standards, but officials have said they will look at the potential for mandates if necessary. The Transportation Security Administration issued new cyber requirements in the wake of the Colonial Pipeline ransomware shutdown, but TSA’s rules for the pipeline sector have been controversial.
Inglis’ review comes as the White House warns Russia may be planning cyber attacks on U.S. critical infrastructure in response to sanctions levied on Moscow for invading Ukraine. Congress also recently passed legislation that will require critical infrastructure companies to report cyber attacks to CISA.
Fanning said a key challenge is connecting the work of CISA’s National Risk Management Center with the agency’s Joint Cyber Defense Collaborative. The risk center leads efforts to examine and respond to risks to critical infrastructure, especially the interdependencies between what it calls “national critical functions.”
Meanwhile, CISA established the JCDC last summer as a place where federal agencies and companies can come together to share information and respond to cyber threats. More than 20 companies are currently involved in the collaborative.
Fanning said his subcommittee is taking a particularly close look at water systems, which the Cyberspace Solarium Commission has identified as a key weakness in the cybersecurity of U.S. critical infrastructure. The Environmental Protection Agency is the sector risk management agency for water and wastewater systems.
The advisory committee is developing scenarios where water systems are affected by a cyber attack, Fanning said, which will then feed tabletop exercises this summer. The results of the exercises will help inform a “playbook” for such scenarios.
“I think this is going to be an evergreen exercise, because we know that there will be kind of evaluative models as to how to think about an industry, but I think so many private sector issues are different from one another,” Fanning said.
Inglis said his office’s study will also inform those types of tabletop exercises. But he said CISA should lead such exercises, invoking a now-familiar refrain that Easterly is the “quarterback” and Inglis is the “coach” when it comes to federal cybersecurity efforts.
“Candidly, I think that what we’ve seen in the past, is that the White House not knowing that that is, in fact, the responsibility of CISA and that the ONCD should stand in and assist that execution,” he said. “The White House has stood in and micromanaged that, I think in a way that is well intentioned but not helpful. We can’t do this episodically, we need to do this continuously and delegate this to the appropriate party.”
Cyber Director office takes shape
Inglis was just confirmed last summer, and the bipartisan infrastructure bill provided the office with an initial $21 million in funding. The Biden administration is requesting another $22 million for the cyber office in fiscal year 2023.
During a separate event hosted by the U.S. Chamber of Commerce on March 29, Inglis said the office currently has a staff of 30, with a goal to reach 90 people.
The sector performance assessments are among the office’s first major undertakings, he said, while noting that much of the office’s work is done in conjunction with partners like CISA, as well as White House organizations like the Office of Management and Budget and the Office of Science and Technology Policy.
“I’m pleased to say that now about eight months into my tenure, and probably two and a half months into the funding, we’re in a place where we have very significant lines of effort underway,” Inglis said.