White House cyber official discusses a shift toward mandatory cybersecurity standards
The Biden White House is pressing ahead on a broad effort to protect critical infrastructure from hacks by coordinating with federal agencies, collaborating with international allies and pushing mandates on industry sectors.
Those plans for additional mandatory safeguards are part of an ongoing paradigm shift in the administration toward stricter rules. That’s reflected in a forthcoming national cybersecurity strategy, work across the federal bureaucracy and the public pronouncements of leading government cyber figures.
“Voluntary efforts have been insufficient against the threat to the critical services Americans rely on,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, told me in a recent interview.
U.S. and foreign officials gave The Cybersecurity 202 a rundown of recent and near-future cybersecurity efforts. Some of what they described included previously unreported information about the regulatory landscape and what’s next for federal cybersecurity policy.
The overall U.S. approach is to lean on a combination of agencies with responsibilities for specific industry sectors and the expertise of the Cybersecurity and Infrastructure Security Agency, Neuberger said. When security practices are common across sectors, that involves leaning on CISA, but agencies with chief responsibility know when something needs to be secured differently, she said.
The White House has organized industry sectors into several categories for advancing minimum baselines:
- The ability to continue using existing agency authorities.
- Execution of unused regulatory authorities.
- Incorporating cyber into current authorities.
- Areas where there are no clear authorities to write mandates.
- Areas where they’ll be seeking more from Congress.
Federal agencies have taken steps to impose cybersecurity requirements on some industry sectors already. For example, the Transportation Security Administration (TSA) imposed rules for critical pipeline operators to notify the agency within 24 hours when they suffer a major cyberattack. Unsurprisingly, many of the rules have been unpopular with industry.
A White House official, speaking on the condition of anonymity to more candidly discuss matters, shared some updates on several sector plans:
Dams sector: “Dams, believe it or not, is the most complicated one,” the official said. “The Interior Department oversees some, DOD [Defense Department] oversees some, DHS [Department of Homeland Security] oversees some, and the rules pretty much line up with authorities. So it’s actually been pretty complicated to figure out, ‘is there a minimum standard across?’” Hackers have taken aim at dam infrastructure before. In 2016, the Justice Department announced charges against Iranian government-linked hackers who allegedly targeted a dam in New York.
Chemical sector: DHS has powers to protect chemical facilities, but the cybersecurity standard hasn’t been updated, the official said. DHS will begin an effort to change that in the spring.
Water sector: Industry groups have long been awaiting Environmental Protection Agency plans for the water sector. The agency aims to send out an implementation memo this month. The official touted that as a “great example” of the collaboration between CISA and an agency with sector-specific responsibility.
EPA does “sanitary surveys of existing water systems. They lack cybersecurity expertise, and their sanitary service surveys never had a cyber component,” the official said. “So they’re finalizing a rule that will now include the cyber component. And now we’re looking to say ‘CISA, we need you to detail people or complement it with hiring — whatever it is to add that so when a team goes to do a sanitary survey, instead of having two surveys come.’”
Aviation sector: Next steps for the aviation sector “will be going out in the coming months,” the official said. Industry and lawmakers want to see TSA — which has responsibility in the pipeline, aviation and rail sectors — resolve questions about whether it has enough personnel and money to oversee any mandated industry efforts. “They’ve put in a resource request, and that’s something that we’re going to find because we know that the best way to kill an effort is when we ask folks to do work, they send in the work and nothing happens with it,” the official said.
Other sectors: Chief responsibility for certain sectors, like information technology and government facilities, falls to DHS. “That’s, interestingly enough, where we could not find authorities to mandate minimum cybersecurity practices,” the official said.
The National Security Council has two people dedicated to coordinating with agencies and providing cybersecurity guidance on these rules.
An international initiative
The White House is also looking out for international partners, Neuberger said, as reflected in a previously unreported training session last month.
“Another Russian cyberattack on the European energy systems remains a concern,” she said. “To ensure that our key allies’ infrastructure is secure enough to combat any potential threat, we worked closely with Poland to bring together seven countries in the region for a training to shore up their cyber defenses.”
Government and energy industry officials from the United States, Czech Republic, Germany, Lithuania, Netherlands, Slovakia and Poland met in Warsaw in December, where the Idaho National Laboratory led the training. It emphasized protecting industrial control systems, the hardware and software that typically focus on safety and operations in plants.
A conversation with Neuberger at a recent ransomware summit led to the training session, Janusz Cieszyński, secretary of state for digital affairs in the chancellery of the Polish prime minister, told me.
The need to protect the energy sector amid the Russia-Ukraine conflict was a key motivation. “We are afraid of the spillover effect because targets in Poland that were otherwise 100 percent civilian have become involved in different parts in the whole process of supporting Ukraine’s fight against Russia and therefore they have become targets,” he said. “Many of them were not prepared to upgrade their cyber posture from being just another business to becoming possible targets for Russians.”
Such collaboration also benefits the United States, said Puesh Kumar, who leads the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response. “If they see what’s going on over there from a cyber perspective, and if they’re able to share it with us, it helps us become stronger as well, and vice versa,” he said.
Perhaps the most important part of the collaboration is foreign allies and their respective industries getting to know each other better in person, Cieszyński said.
“It’s super, super important that at the end of the day, you basically know who to talk to when there’s something going on,” he said. “And the best way to do that is beer and pizza.”
House panel to vote next month on possible TikTok ban
The House Foreign Affairs Committee on Friday said it will vote next month on a bill that would allow the White House to ban the use of TikTok in the United States over national security concerns, Reuters’s David Shepardson reports.
Committee Chairman Michael McCaul (R-Tex.) said the app, which is owned by the Chinese company ByteDance, “gives the Chinese government a back door into our phones.” If approved by the House, the measure would need 60 votes in the Senate to reach President Biden’s desk.
- In 2020, former president Donald Trump tried and failed to block the app’s use across the country. And, in 2021, the Biden administration dropped the effort completely. But last month, Biden moved to ban federal employees from using or downloading TikTok on government-owned devices. Dozens of states have approved bans of the app on state devices and networks in recent months.
- TikTok CEO Shou Zi Chew will testify before the House Energy and Commerce Committee, a committee spokesperson told the Wall Street Journal’s John D. McKinnon. It’ll be the first time a chief executive of the company has testified before Congress.
TikTok has disputed accusations that it poses a national security or privacy risk. The company told Reuters that “calls for total bans of TikTok take a piecemeal approach to national security and a piecemeal approach to broad industry issues like data security, privacy and online harms.” It also told the outlet that it has a “comprehensive package of measures with layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to manipulate the platform.”
Garbarino to lead House Homeland Security Committee’s cyber panel
Rep. Andrew R. Garbarino (R-N.Y.) will be the chairman of the House Homeland Security Committee’s cybersecurity and infrastructure protection panel, Chairman Mark Green (R-Tenn.) announced on Friday.
“I’m thrilled and honored to have been selected to serve as Chairman of the Cybersecurity and Infrastructure Protection Subcommittee and to be able to continue the great work we started last Congress improving our nation’s cyber preparedness,” Garbarino said in a statement. “Our foreign adversaries have grown more advanced making cybersecurity the next arena in which we must build out our national defenses.”
Last year Biden signed into law a bill from Garbarino and other top lawmakers to require critical infrastructure operators to report hacks within three days. It’s aimed at boosting transparency among operators and streamlining reporting with the Cybersecurity and Infrastructure Security Agency about any cyber incidents.
Russia blocks CIA, FBI websites
Russia’s communications regulator Roskomnadzor on Friday blocked the country’s access to the CIA, FBI and State Department’s Rewards for Justice websites over concerns that they were “spreading fakes about the Russian military and discrediting them,” the Record’s Alexander Martin reports.
The move comes after the Rewards for Justice program, which gives incentives to people who relay information that is beneficial to U.S. national security, “recently celebrated the takedown against the Hive ransomware group by tweeting it was prepared to pay up to $10 million for information about it and similar organizations,” Martin writes.
That program has also previously solicited information about “several Russian nationals who are allegedly officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), and have been charged with conducting cyberattacks against U.S. infrastructure,” Martin added.
I was hit with $1,300 in credit card fraud. Here’s how to cut your risk. (Shira Ovide)
Your iPhone has powerful new security features. Do you need them? (Heather Kelly)
- The Post’s Drew Harwell and Tatum Hunter join Washington Post Live today at noon to talk about their reporting about ChatGPT, the viral social media AI.
- U.S. cyber ambassador Nathaniel Fick speaks at an event hosted by the German Marshall Fund on Thursday at 10:30 a.m.
Thanks for reading. See you tomorrow.