Non-Tech : Binary Hodgepodge

To: Ron who wrote (6662) 7/28/2021 1:00:44 PM
From: Glenn Petersen

Biden just issued a directive addressing the problem. Unfortunately, compliance is voluntary, not mandatory.

Biden Directs Agencies to Develop Cybersecurity Standards for Critical Infrastructure

Though voluntary, officials said the new step could be a prelude to a push for cybersecurity mandates

By Dustin Volz
Wall Street Journal
July 28, 2021 9:00 am ET

WASHINGTON—President Biden on Wednesday issued a new directive instructing federal agencies to develop voluntary cybersecurity goals for companies that operate U.S. critical infrastructure, a move that came as senior officials said the administration was exploring the possibility of pursuing mandatory standards.

The effort is the latest by the Biden administration attempting to shore up the nation’s defenses against disruptive cyberattacks, an area the president and his senior aides repeatedly have said is a top national security threat especially after several recent high-profile ransomware attacks disrupted cornerstones of American life and business.

The new national security memorandum directs the Department of Homeland Security’s cyber wing and the National Institute of Standards and Technology at the Commerce Department to work with other federal agencies to develop cybersecurity performance goals for critical infrastructure operators and owners, a senior administration official said. Text of the memorandum wasn’t immediately available.

Last week, the Transportation Security Administration handed down new cybersecurity requirements for U.S. pipeline operators intended to help guard against ransomware and other forms of disruptive hacking. The requirements were announced months after a Russia-based criminal hacking group forced a major fuel conduit on the East Coast, operated by Colonial Pipeline, to shut down for nearly a week. And in May, Mr. Biden issued an executive order that established baseline cybersecurity requirements for U.S. agencies and their software contractors, including mandates to use multifactor authentication and data encryption, and that requires federal information technology vendors to disclose certain data about hacks.

“We’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and destruction in the real world,” Mr. Biden said Tuesday during a visit to the Office of the Director of National Intelligence. “If we end up in a war, a real shooting war, with a major power, it’s going to be as a consequence of a cyber breach of great consequence.”

Wednesday’s directive doesn’t impose requirements, however, but instead seeks to create further voluntary cybersecurity standards that companies that manage critical infrastructure—a categorization that includes energy operators, hospitals, and banks, among others—can proactively adhere to. It is a strategy that at least four successive presidential administrations have pursued across decades, amid resistance to mandates from business groups, though officials more recently have said the approach has limitations.

“Our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time,” the senior administration official said during a press briefing about the new directive. “The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.”

The official said those new approaches could include working with Congress on new legislation to address the lack of mandates that could create uniform cybersecurity requirements across critical infrastructure sectors. Currently there is a patchwork of piecemeal federal cybersecurity requirements on critical infrastructure that are either narrowly specific to individual sectors, like finance and chemical, or mandated under state or local law, like electricity.

“We’re starting with voluntary, as much as we can, because we want to do this in full partnership,” the official said. “But we’re also pursuing all options we have in order to make the rapid progress we need.”

Biden Directs Agencies to Develop Cybersecurity Standards for Critical Infrastructure - WSJ