IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Biden Sets Cyber Standards for Critical Infrastructure

A new presidential directive announced that performance standards will be released for critical infrastructure operated by the public sector and private companies to bolster national cybersecurity.

White dots on black creating world map with lines interconnecting points suggesting cybersecurity breaches.
President Biden made it clear this past week that the stakes for cybersecurity defense have never been higher. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” the president said in a speech at the Office for the Director of National Intelligence, which oversees 18 U.S. intelligence agencies.

The Financial Times summarized the speech this way: “The Biden administration has accused the governments of Russia and China, or hackers based inside the two countries, of some of the attacks. U.S. officials have warned that the administration would respond with a 'mix of tools seen and unseen' actions, but cyber breaches have continued. Although he did not say who such a war might be fought against, Biden immediately name-checked Russia’s president Vladimir Putin, alleging that Russia was spreading misinformation ahead of the 2022 U.S. midterm elections.”

NEW PRESIDENTIAL ACTIONS TAKEN ON CYBER


The day after the speech, President Biden issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, with the goal of safeguarding the country’s critical infrastructure.

One of the items listed in the memorandum includes the “Industrial Control Systems Cybersecurity Initiative, a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

These actions come after a long series of significant cyberattacks against a series of critical infrastructure sectors such as Colonial Pipeline and JBS Meats.

The New York Times described the new directive this way: “The order was mostly filled with voluntary measures for companies to meet a series of online security standards, like encrypting data and requiring two-factor authentication for all users on a system, to stymie hackers who possess stolen passwords. In a call with reporters Tuesday night, a senior administration official said the idea was to develop 'cybersecurity performance goals' to assess how prepared each company or utility was.

“The effort is a way to get beyond the ‘woefully insufficient’ patchwork of mandates and voluntary actions to protect electric utilities, gas pipelines, water supplies and industrial sites that keep the economy running, the official said.”

The Federal News Network wrote this: “The Biden administration will develop cross-sector performance goals for critical infrastructure cybersecurity as part of a new effort emphasizing voluntary collaboration, but current and former officials see the potential for federal mandates amid a concerning rash of cyber attacks. …

“Biden directed CISA to develop ‘preliminary goals’ for control systems used across critical infrastructure sectors by Sept. 22. Finalized cross-sector goals for control systems will come a year later, according to the memo. …

“A senior official briefing reporters on Tuesday said the ‘patchwork of sector-specific statutes does not enable us to say we have confidence that there are cybersecurity thresholds in place with regard to technology, governance, and practices.’

“The official highlighted how the financial and chemical industries have sector-specific requirements, while the cybersecurity of electric companies is largely regulated at the state and local levels.”

A Forbes article entitled “Critical Infrastructure Companies Rise To Meet Cyber Threat” added: “Russian military intelligence have been using 'brute force' cyber attacks against U.S. and global operations for the past two years, U.S. and British officials warned in a July 1 cybersecurity advisory.

“A unit of the Russian military intelligence apparatus used malicious software 'to conduct widespread, distributed, and anonymized brute-force access attempts against hundreds of government and private sector targets worldwide,' according to the advisory prepared by the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI and the UK’s National Cyber Security Centre. …

“Faced with the mounting threat of economic disruption caused by cybercriminals, operators of critical energy infrastructure, such as pipelines and the electric grid, are redoubling their efforts to strengthen their cyber defenses.”

One more — NPR wrote: “A senior administration official, speaking on condition of anonymity, told reporters that the new standards will be voluntary.

“For reference, almost 90% of the country's critical infrastructure is owned and run by the private sector, and the government has limited authority over their cybersecurity requirements.

“But the official says the Biden administration may pursue legislative options, with help from Congress, to require the kind of technological improvements that would defend against such cyberattacks.”

ARE MORE CYBER REGULATIONS COMING?


Back in May, I wrote a blog post asking “Are DHS Pipeline Breach Reporting Mandates Just the Beginning?” Here’s an excerpt: “The coming directives over the next few months and years may be gradual, or they may be more sudden, depending on how events and incidents unfold online. But pay close attention to this pipeline directive. One question: Who is next? It is also hard to say if this reporting could be mandatory for state and local governments or education, since these organizations generally have voluntary reporting now via the Multi-State Information Sharing and Analysis Center (MS-ISACs), and there are state and federal legal issues to resolve. But could mandatory reporting be tied to federal grants? Perhaps down the road?”

Even as the new critical infrastructure performance standards were declared “voluntary,” some members of Congress want more, according to one story from the Washington Times: “Democratic Sen. Sheldon Whitehouse of Rhode Island is furious with the federal government’s management of critical infrastructure cybersecurity and blasted the Biden administration’s touted accomplishments on Tuesday.

“At a Senate Judiciary Committee hearing, Mr. Whitehouse said the ransomware attack against Colonial Pipeline in May revealed that the government’s security standards for private companies aren’t tough enough.

“'A bunch of people in a basement someplace are able to take down Colonial Pipeline, a significant piece of Colonial infrastructure, with a ransomware attack,' Mr. Whitehouse said. 'That’s not a success story, that’s a failure story. That’s [indicating] something is wrong in the way we’re doing business right now.'”

“He characterized the problem this way: 'You can be critical infrastructure in this country, providing essential services to our economy and national security, and not have to meet any real standards.'”

FINAL THOUGHTS


In related cyber attack topic, a headline for the Insurance Journal that came out this week declared “Chubb CEO Greenberg Stresses Need to Address Ransomware and ‘Systemic’ Cyber Risk.”

Here’s an excerpt: “He argued that lawmakers should not passing laws prohibiting ransomware payments, but rather: “We should be removing the incentive out of the system for ransomware attacks, which are all about money for the most part, and unmask what is the intention to disrupt our country politically – unmask that part of it and show it,” Greenberg said.

"He also advocates private and public-sector partnerships to address the growing problem.

"‘There are all kinds of things that the private sector and public sector could be doing together,’ Greenberg said. ‘Sharing of information is one of them right now, and understanding where systemic risk aggregations are is another … It is more than about achieving rate in cyber today.’"

I agree, and I made several similar arguments in this Stateline article, which is worth reading, on the topic of whether paying ransoms should be made illegal.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
Special Projects
Sponsored Articles