White House Official: EPA to Issue Cybersecurity Rule for Water Facilities


As the U.S. pursues collaboration with international allies, the official noted lagging cybersecurity policies for domestic critical infrastructure. 

The Environmental Protection Agency will soon include cybersecurity in sanitation reviews it conducts of the nation’s critical water facilities, under a new rule, according to a key White House official.

“EPA does sanitary reviews of those water systems,” said Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger. “They'll be shortly issuing a rule to extend those to include cybersecurity as well.”

Neuberger was speaking Thursday with Center for a New American Security fellow Daniel Silverberg, who pressed her on what the administration is doing to ensure companies take measures to protect the critical infrastructure they own and operate from cyberattacks.

White House officials previously said that a voluntary approach—similar to a collaboration with the private sector to secure industrial control systems—was necessary to secure water systems because of “limited” authorities at EPA.

They said they would work with Congress to gain more power for the agency to impose binding cybersecurity rules, such as those the Transportation Security Administration has issued for the pipeline sector. Not everyone agreed with that assessment of EPA’s current remit, but Neuberger said the White House is still pursuing legislation to underline the authority of EPA and others, “where there's hesitancy by agencies to move without real Hill backing to do so.”

“One of the things we've learned is that public-private partnerships are effective, and I mentioned the president launched one early in his administration focused on industrial control systems,” Neuberger said. But, she added, “They're never going to give us the same level of confidence as we have when there's a mandate.” 

Neuberger said the White House will continue working with lawmakers—from whom she said there was a lot of interest and excellent feedback—over the next few months to craft a measure that would embolden sector-specific risk management agencies to impose cybersecurity mandates for critical infrastructure providers. She cited legislation being enacted in Australia as a model. 

“What we need is a minimum set of mandates,” she said, using the Department of Health and Human Services’ enforcement of the Health Insurance Portability and Accountability Act for privacy as an example. “We have HIPAA rules. We need to have that for cybersecurity, and we need to ensure HHS has the authorities.”

Neuberger also feels strongly about Congress providing commensurate resources, according to a member of her staff on the National Security Council, who contrasted current appropriation levels for the sector-specific agencies with those enjoyed by the more central but non-regulatory Cybersecurity and Infrastructure Security Agency.

“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure,” she said. “Much as when we drive a car, the car comes with a seatbelt, it comes with airbags, it comes with standards for what speed you can drive on the road, and what happens if there's a major accident. We need the same for cyber.” 

Neuberger had just returned from trips to the Republic of Korea and Saudi Arabia, where she looked to collaborate on countering threats from North Korea and Iran, respectively.