Biden Calls for Critical Infrastructure Security StandardsNational Security Memo Requires NIST, CISA to Create Standards, But Compliance Is Voluntary
President Joe Biden signed an executive national security memorandum on Wednesday calling for the development of new critical infrastructure cybersecurity standards for various industries.
The U.S. Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology will develop the standards, and compliance will be voluntary - at least initially.
Having CISA and NIST create cybersecurity standards that multiple industries can adopt is long overdue, says Phil Reitinger, the president and CEO of the Global Cyber Alliance.
"We've all known for a long time that the cybersecurity defenses imposed by critical infrastructure are not sufficient, and we must do more," says Reitinger, who formerly served as the director of the National Cyber Security Center within DHS. "This order extends the pioneering work done on the Cybersecurity Framework and directs CISA to set cybersecurity performance goals for critical infrastructure. This step was also included in the executive order that established the Cybersecurity Framework, but the new requirement suggests that CISA will issue a more detailed set of requirements that are essential."
As a result of the White House initiative, Reitinger says, regulators will take new standards "into account in existing regulatory regimes, and the requirements, if clear, will help establish a de facto standard of care that infrastructure owners and operators will feel compelled to meet."
Wednesday's memorandum also builds on the executive order that Biden signed earlier this year, says Sam Curry, the chief security officer with Cybereason.
"The Biden administration isn't done with cybersecurity, which is encouraging," Curry says. "The newest frontier for the nation is overdue for attention and modernization, and the latest announcement shows that the executive order isn't an isolated incident. It’s a reminder that cyber matters as much as any border and is a matter of critical policy for the administration."
The administration's latest move comes after a series of ransomware and other attacks have targeted companies that have oversight over critical infrastructure, including Colonial Pipeline Co. and meat processor JBS.
On Tuesday, Biden, in a speech at the Office of the Director of National Intelligence in McLean, Virginia, noted that cyberthreats could have far-reaching consequences beyond what the U.S. has witnessed so far.
"We've seen how cyberthreats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world," Biden said. "I can't guarantee this, and you're as informed as I am, but I think it's more likely we’re going to end up - well, if we end up in a war, a real shooting war with a major power, it's going to be as a consequence of a cyber breach of great consequence."
ICS Cybersecurity Initiative
The national security memorandum will also formally establish the president's Industrial Control System Cybersecurity Initiative - a collaborative effort involving the federal government and private firms that oversee U.S. critical infrastructure - to develop technologies and systems that can offer visibility and warnings of threats and vulnerabilities.
While officially created through the memorandum, the ICS Cybersecurity Initiative was announced in April when the administration launched its 100-day plan to improve cybersecurity and address cyberthreats across the nation's electrical grid (see: 100-Day Plan to Enhance Electrical Grid Security Unveiled).
Although complying with the standards to be developed under the administration's latest cybersecurity initiative will be voluntary, a senior administration official says that the White House is open to considering making standards compliance mandatory for the private sector by turning to Congress to codify rules and regulations into federal law if industries fail to abide by the voluntary guidelines.
"Short of legislation, there isn’t a comprehensive way to require the deployment of security technologies and practices that address, really, the threat environment that we face," a senior administration official says.
On Tuesday, the Senate Judiciary Committee heard testimony about making changes to federal law to better counter ransomware attacks as well as address threats against critical infrastructure (see: Congress Urged to Update Federal Laws to Combat Ransomware).
Goal: A Uniform Approach
The overarching goal of the security memorandum is to create uniform standards across the 16 critical infrastructure sectors over which CISA has oversight for cybersecurity. The senior administration official notes that a piecemeal approach, with different standards for each sector, has not worked well, so the federal government needs to set uniform standards for all of these industries to follow.
Existing standards are "either sector-specific - finance and chemical; they’re mandated under state or local law, like electricity ones; or they're limited and piecemeal - water and bulk electricity are two that we've put a lot of work into studying in the last few weeks," the senior official says.
By taking the lead in developing standards at the federal level, the White House is looking to build on the types of cybersecurity regulations and rules that the U.S. Department of Homeland Security began to require of oil and gas pipeline operators following the ransomware attack involving Colonial Pipeline (see: TSA Issues Cybersecurity Requirements for Pipelines).
And while the Biden administration's approach is admirable, Kenneth L. Williams, executive director of the Center for Cyber Defense at American Public University System, says that similar cybersecurity approaches taken by the Obama and Trump administrations did not produce results since private companies did not adhere to voluntary standards.
"While the U.S. government is committed to various efforts, the private sector lacks the convictions to follow through because it infrequently supports the organizations' strategic goal, which is to maximize profits," Williams says. "Organizations find it extremely difficult to commit resources to meet the expectations of the various U.S. federal initiatives unless it directly impacts their organizations, and the risks are too great. Additionally, the government can't commit, and will not provide, the resources for organizations to meet the expectations of the order."
Push for Mandates
The House and the Senate are considering bills designed to enhance protections for operational technology and industrial control systems, but the legislation is focused more on how CISA can share threat intelligence with companies to help them mitigate risks (see: Congress Focuses on Industrial Control System Security).
Some members of Congress are expressing concern about the security of critical infrastructure and calling for mandates for cybersecurity standard compliance.
At a Senate Judiciary Committee hearing Tuesday, Sen. Sheldon Whitehouse, D-R.I., took CISA to task over the ineffectiveness of earlier voluntary standards imposed on the oil and gas industry and called the attack against Colonial Pipeline, which shut down gas deliveries to large portions of the U.S. East Coast for several days in May, "a total face-plant failure."
"We don't have to regulate everybody in the world, but if you're critical infrastructure we should no longer tolerate this voluntary regime with big companies who know that their infrastructure is critical and who fail," Whitehouse said.