The White House and agencies are moving forward with new cyber rules for critical infrastructure, as the Biden administration looks to take advantage of existing laws to address digital threats on a sector-by-sector basis in the absence of Congressional action on cybersecurity regulations.
Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, described how the administration has sought to implement minimum cybersecurity standards across critical sectors.
“Over the last decade, we talked a lot in cybersecurity about increasing information sharing. We talked a lot about public-private partnership,” Neuberger said during an Oct. 13 event hosted by the Washington Post. “But we didn’t talk about the reality that, if you’re living in an unsecure neighborhood, which fundamentally cyberspace is, and you leave the door wide open and a window propped up, you’re not as secure as you need to be.”
In the wake of last May’s ransomware attack on Colonial Pipeline, the Transportation Security Administration used its existing authority to issue new cyber requirements for the pipeline sector, including rules for reporting cyber incidents and using security practices like multifactor authentication.
Last November, TSA also issued new rules for “high-risk” major passenger and freight rail operators requiring them to report cyber incidents and complete a vulnerability assessment, among other actions.
Now, Neuberger says the Environmental Protection Agency will take a “creative approach” to regulating the cybersecurity of water systems. During an event earlier this year, she had previewed how the EPA would issue a rule to include cybersecurity in its sanitary surveys of roughly 1,100 critical water systems around the country.
Meanwhile, the Federal Communications Commission will soon issue public notice about a rulemaking for cybersecurity in emergency and public warning systems, according to Neuberger.
And the Department of Health and Human Services is “beginning work with partners at hospitals to put in place minimum cybersecurity guidelines, and then further work upcoming thereafter on devices and broader health care as well,” she said.
Shift away from voluntary approach
Congress passed landmark cyber incident reporting requirements earlier this year, requiring critical infrastructure companies to report incidents to the Cybersecurity and Infrastructure Security Agency. CISA is in the early stages of collecting feedback ahead of a rulemaking period. The new requirements aren’t expected to go into effect until late next year at the earliest.
The Biden administration last year also launched an initiative with critical infrastructure companies to develop voluntary, cross-sector cybersecurity performance goals through CISA.
“Most observers were hoping that Congress would act to establish uniform cyber requirements across the various critical sectors,” Chris Cummiskey, a former DHS senior official, said in an email. “In the absence of legislation, the administration doesn’t have much choice but to push forward in a more ad hoc way. The threats are too significant to wait.”
The White House last year asked Congress to give the EPA the authority to regulate the cybersecurity of the water sector. But lawmakers have yet to act upon the request, and the administration is now moving forward with the “creative approach” outlined by Neuberger using EPA’s existing authorities.
For sectors like critical manufacturing or information technology, however, the government will need additional authorities to set cyber standards in those sectors, according to Neuberger.
“There are not authorities, and we’re looking carefully at this to say what is needed in this space and how do we approach this,” she said.
The administration’s ad hoc approach to regulating cybersecurity could face pitfalls in the absence of new laws, but Cummiskey said agencies can work closely with industry partners to smooth out any issues.
“This type of approach may make it easier for some industries to push back or slow roll the regulations, but hopefully with strong collaboration the federal government will be able to make real progress,” he said.
The United States is behind many other countries, including many European nations, in regulating the cybersecurity of critical infrastructure entities. Previous efforts to do so in the United States have faced strong industry pushback.
But Neuberger said the Biden administration is indeed working closely with sector-specific agencies and private companies, referencing how TSA revised its cybersecurity directive for pipeline owners and operators after industry criticized the initial rules for being overly prescriptive.
“We’re all working to balance ensuring that we have confidence in our critical services, ensuring our citizens have confidence in our critical services,” Neuberger said. “Recognizing that these are private sector owned and operated, the private sector must be a key partner in the design, but also has a different set of incentives. Clearly [they] view cybersecurity often as a cost, and we, from a government perspective, the top priority is avoiding disruption of critical services. So working together gets us to the right balance in that way.”