Following several high-profile cyberattacks against operators of U.S. critical infrastructure (CI), the White House has issued a National Security Memorandum (NSM) outlining the Biden Administration's plan to encourage improvement of private-sector operators' cybersecurity defenses. The NSM sets forth two public-private efforts: the Biden Administration's Industrial Control Systems (ICS) Cybersecurity Initiative, and the development of CI Cybersecurity Performance Goals.1

Secretaries Mayorkas of the Department of Homeland Security (DHS) and Raimondo of the Department of Commerce issued a joint statement in support of the memorandum, noting that their agencies will work together and with others "to develop cybersecurity performance goals that set a clear, easy-to-understand security baseline" for essential services such as power, water, and transportation.

ICS Cybersecurity Initiative

The NSM highlights the Biden Administration's ICS Cybersecurity Initiative, which is spearheaded by DHS's Cybersecurity and Infrastructure Security Agency (CISA). According to the NSM, the initiative is a "voluntary, collaborative" partnership between the federal government and the CI community focused on expanding adoption of cybersecurity threat detection and response technologies, particularly for ICS and other operational technology (OT). The initiative was first piloted in the electric power supply sector and currently is being implemented for natural gas pipelines.

The ransomware attack against Colonial Pipeline underscores the significant threat that cyberattacks pose to ICS and other OT, particularly those in the oil and natural gas industries, and the very tangible harms of cyberattacks on essential services. According to the NSM, the ICS Cybersecurity Initiative will expand to the water and wastewater sectors as well as the chemical sector later this year.

CI Performance Goals

The NSM also directs DHS and the National Institute of Standards and Technology (NIST), housed within the U.S. Department of Commerce, to develop "baseline cybersecurity goals" for CI. These baselines are to include both goals applicable across CI sectors and sector-specific goals. The NSM builds on an Obama-era Executive Order, "Improving Critical Infrastructure Cybersecurity,"2 which created the NIST Cybersecurity Framework and set the groundwork for much of the federal government's existing framework for defending CI from cyberattacks.

DHS and NIST must issue preliminary cross-sector cybersecurity goals by September 22, 2021, and must issue final cross-sector ICS goals by July 28, 2022—one year from the issuance of the NSM. Also by July 28, 2022, DHS must consult with other federal agencies and issue sector-specific cybersecurity goals. Notably, the NSM states that DHS and NIST's effort to create these various goals may also include a review of whether "additional legal authorities" would help enhance the cybersecurity of CI.

A Voluntary Approach, But for How Long?

Outside of a few sector-specific laws, the federal government has limited ability to regulate directly the cybersecurity practices of CI operators. It therefore makes sense for the Biden Administration to focus on voluntary efforts to improve operators' defenses.3 However, the landscape may be changing.

The Transportation Security Administration (TSA) recently issued mandatory cybersecurity rules for critical pipeline and liquefied natural gas (LNG) facilities, the first such rules since TSA assumed authority over pipeline cybersecurity after 9/11. Additionally, in late July 2021, a bipartisan group of senators introduced the Cyber Incident Notification Act of 2021, which would require CI operators to notify CISA of "cybersecurity intrusions" within 24 hours.

DWT will continue to monitor this shifting landscape.


FOOTNOTES

1  The NSM identified the Administration's policy "to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions." The NSM defines National Critical Functions as "functions of Government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof."
2  Executive Order 13636 (Feb. 12, 2013).
3  CISA manages various other voluntary efforts to improve CI cybersecurity, including its Critical Infrastructure Cyber Community Voluntary Program (C3VP) and National Infrastructure Coordinating Center. See https://www.cisa.gov/protecting-critical-infrastructure.