The deputy national security advisor for cyber and emerging tech said it should be up to sector-specific agencies to decide who should implement appropriate cybersecurity defenses.
Outlining a sequence of critical infrastructure sectors that have been designated for cybersecurity risk management, Deputy National Security Advisor Anne Neuberger said the administration is preparing to activate its regulatory authorities at four agencies.
Neuberger listed the critical infrastructure sectors for which the administration will be coming out with new cybersecurity requirements, starting with transportation—which is already in progress—and followed by communications, water and healthcare.
Neuberger was participating in an event the Washington Post livestreamed Thursday on the federal government’s efforts to secure cyberspace.
“From the outset, [President Joe Biden] said that security abroad begins with security at home, confidence abroad begins with confidence at home,” Neuberger said. “And a key way to deter adversaries in cyberspace is to know we have confidence in [a] level of security, that we’ve locked our digital doors and put on our digital alarm system.”
That was not the case when Colonial Pipeline was hacked, Neuberger said. And a status quo where there was no expectation that the company separate the portions of its network using information technology for corporate processes from those running the operational technology in its industrial control systems—for example—is unacceptable, she said.
Neuberger started her description of the administration’s action plan by highlighting imminent updates for security directives the Transportation Security Administration issued last year. She said the updated directives will incorporate feedback from a meeting the White House held with industry representatives this summer from transportation sub-sectors that include rail, maritime, aviation and pipelines for oil and gas.
“TSA identified 57 rail entities, 104 air entities … airports, airlines, cargo lines, brought them in, gave them a threat briefing and issued a security directive, and then refined the security directive as well,” Neuberger said. She added that updates are coming “shortly” for a rail directive initially issued in December and an aviation directive initially issued in November. Neuberger said the meeting with industry, along with models used in Australia and other peer nations, will inform the new directives, as well as more rules to come in other sectors.
She noted a rulemaking process getting underway at the Federal Communications Commission to improve the operational readiness of emergency alert systems and reduce their vulnerability to cyberattacks. The item is scheduled for consideration during the FCC’s next open meeting on Oct. 27. The FCC’s cybersecurity division also recently finalized a rule applying its new Mandatory Disaster Response Initiative to wireless network providers.
Crediting Environmental Protection Agency Administrator Michael Regan and Deputy Administrator Janet McCabe, Neuberger said that agency will take a “creative” approach in exercising its regulatory authority, with a rule clarifying that ensuring the safety and security of water systems entails overseeing entities’ cybersecurity.
Then, Neuberger said, the Department of Health and Human Services will be coming out with minimum cybersecurity guidelines for hospitals to be followed by broader work in the healthcare sector, including on medical devices.
Neuberger’s remarks stressed the role of sector risk management agencies in identifying systemically important entities for cybersecurity regulation. The process should involve “a careful look by the sector lead agency,” she said, “who understands the sector,” and knows “who are the big players … [where] disruption of their services would impact Americans broadly, will prevent the military from being able to deploy troops in the event of a conflict.”
Her announcement of the new requirements came as—during the same live event—Rep. John Katko, R–N.Y., outgoing ranking member of the House Homeland Security Committee, continued to withhold his support for legislative efforts to regulate cybersecurity at critical infrastructure companies.
This summer, Neuberger said her office was working with lawmakers on legislation that would embolden regulators on the issue. An amendment from Rep. Jim Langevin, D-R.I.—which is attached to the House National Defense Authorization Act—would lay the groundwork for agencies to harmonize the application of their regulatory powers for cybersecurity and establish standards for companies to meet in making their operations more resilient to attacks.
Trade associations for companies from across the critical infrastructure sectors wrote to the leaders of the Senate Armed Services Committee—and the Senate Homeland Security Committee—expressing their opposition to the amendment, and sending lawmakers back to the drawing board.
“It's rare for most of us in Homeland to have disagreements on cyber between the Republicans and Democrats, but that was one where we had disagreement, so that's why it didn't get across the finish line,” Katko said.
He added that any legislation to establish cybersecurity responsibilities for systemically important entities should wait, so it can be informed by implementation of the Cyber Incident Reporting for Critical Infrastructure Act and rules the Cybersecurity and Infrastructure Security Agency is seeking public input to shape under the law. CISA is required to work with relevant sector risk management agencies, including HHS, the Treasury Department and other regulators, in finalizing the incident reporting rules.
“The [CIRCIA] rulemaking process, I think, will shake out a lot of the concerns that both sides have,” Katko said. “And then, if we need to do something on the back end, we can do it, but I'm not sure we're going to need to. We'll have to take a look and see.”
The administration will still look to Congress for help regulating cybersecurity in the crucial information technology sector, and others, where Neuberger says statutory authority is absent.
“For some, like critical manufacturing, or DHS emergency services or information technology, there are not authorities and we're looking carefully at this to say what is needed in this space,” she said.