In the wake of high-visibility cybersecurity incidents over the past few years, including SolarWinds, Log4j, and the 2021 Colonial Pipeline ransomware attack, the U.S. government has issued directives and guidance to address cybersecurity across the digital ecosystem and lifecycle. The White House and federal agencies have leaned forward to advance the cybersecurity posture of government and industry alike, while keeping our most critical infrastructure secure, resilient, and operational.
Across multiple administrations, Congress has passed legislation and funding for key cybersecurity programs and capabilities. Industry continues to invest in and advance cybersecurity tools and mitigation measures. These steps signal a maturing collective national cyber defense and underscore the need for continued industry-government collaboration.
A focus on infrastructure security and resilience
In April 2021, the Department of Energy (DOE) launched a public-private initiative to enhance the cybersecurity of electric utilities’ industrial control systems, and the White House has followed up with a series of additional sector-specific programs, including one for the water sector, as well as the recently announced chemical sector public-private cybersecurity initiative.
The Transportation Security Administration (TSA) has also adopted the sector-specific approach. Following the Colonial Pipeline ransomware attack, the agency coordinated with industry stakeholders and interagency partners to develop a series of security directives to support critical cybersecurity outcomes for pipeline operators. The TSA also issued a pair of directives to passenger and freight railroad carriers which included requirements to employ defensive measures to mitigate cybersecurity threats early.
This fall, the Federal Energy Regulatory Commission announced its intent to develop rules for incentive-based rate treatments for voluntary cybersecurity investments by utilities, including cybersecurity performance metrics. Similarly, the DOE released its National Cyber-Informed Engineering Strategy, which calls for strengthened visibility of cyber threats in energy systems.
Cyber risk as a business risk and national security imperative
The U.S. Securities and Exchange Commission addressed cyber incident reporting and corporate board cybersecurity expertise in proposed rules earlier this year. As the National Institute of Standards and Technology embarked on a planned update to its cornerstone Cybersecurity Framework (CSF), Commerce Deputy Secretary Don Graves identified managing cybersecurity risk as a part of doing business, describing it as critical to our nation’s economic security.
The federal government is also using the power of the purse to drive down cyber risk and move the needle on security across the digital ecosystem. In September, the Office of Management and Budget issued guidance to federal agencies requiring them to use software built through secure software practices. And last month, the Cybersecurity and Infrastructure Security Agency (CISA) issued the latest in a series of Binding Operational Directives. It requires agencies to improve asset visibility and vulnerability detection, and report that information via CISA’s Continuous Diagnostics and Mitigation Federal Dashboard.
Information sharing and industry-bovernment collaboration
In March, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law. The legislation will provide government, infrastructure owners and operators, and other stakeholders with a better picture of the ever-evolving cyber threat landscape. Notably, CIRCIA’s language underscores the role of both government and industry. It requires organizations to provide CISA with visibility into certain types of cybersecurity incidents and ransomware payments and requires CISA to return actionable insights.
Last month, CISA also issued Cybersecurity Performance Goals (CPGs). The voluntary, cross-sector goals establish a common set of fundamental cybersecurity practices for critical infrastructure, aligned with existing frameworks, including the NIST CSF.
The CPGs are the beginning of sector-by-sector conversations between industry and government on how to best manage cyber risk factors unique to each sector and to understand and communicate the security and economic costs of making security investments. The CPGs and other recent guidance emphasize the critical need to build trust and transparency across government and the private sectors, including both infrastructure owner-operators and the vendor community.
A cohesive national investment approach
Previous directives, dating back to the early days of the Department of Homeland Security, established national policy to maintain resilient critical infrastructure and laid the foundation for current industry-government collaboration. These current actions reaffirm infrastructure security as national security.
Recent incidents, affecting stakeholders far beyond the target organizations, underscore the imperative for government infrastructure owners and operators (including federal, state, local, tribal, and territorial), and the technology provider and vendor communities to collaborate to secure the digital ecosystem.
Anne Neuberger, White House Deputy National Security Adviser for Cyber and Emerging Technology, recently described a “relentless focus” on securing critical infrastructure sectors to help them improve their cybersecurity posture. In previewing the upcoming national cybersecurity strategy, National Cyber Director Chris Inglis has indicated that his office will leverage both market forces and regulatory and policy levers in driving cybersecurity investment, reinforcing that cyber risk is a business risk and national security risk.
The U.S. Cyberspace Solarium Commission further emphasized the importance of cyber-resilient infrastructure to both nationaland economic security, calling for formal planning, in consultation with the private sector, to ensure continuity of the economy and continuous operation of critical functions in the event of a major cyber incident.
Ultimately, investment decisions are made at the organizational level, but carry implications far more broadly. This is especially true in an interdependent system of industries with vital functions underpinned by shared infrastructure. When government uses policy to encourage and enable the right cyber risk investment decisions, those investments carry cascading benefits for our collective security.
To get measurable results on cybersecurity at scale, a national approach must inform action and investment.
It’s imperative to provide the government with the information needed to shape effective policy; ensure that industry can make risk-informed investment decisions, and encourage the strongest public and private sector collaboration. The policy groundwork established over the last several years — and the years to come — will pave the way for strengthened action and investment aligned to national and organizational cybersecurity priorities.
Katherine D. Ledesma is senior director for government affairs at SecurityScorecard. Previously, she served as a senior advisor at the Cybersecurity and Infrastructure Security Agency (CISA) and as a senior policy analyst in the U.S. Department of Homeland Security.