By Dr. Wesley McGrew, Senior Cyber Fellow
On July 28th, President Biden signed a national security memorandum (https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/) aimed at setting objectives for improving the cybersecurity of critical infrastructure control systems. National critical infrastructure encompasses sixteen sectors of services and assets, such as communications, water treatment, power distribution, and healthcare, that contribute significantly to national security and public safety. While the government recognizes these sectors as being vital to US interests, the implementation of cybersecurity in these sectors is largely the responsibility of non-governmental organizations and private companies.
There’s a disconnect here. The organizations implementing cybersecurity measures are not ultimately held responsible for national security. This memorandum establishes an Industrial Control Systems Cybersecurity Initiative that will attempt to establish a voluntary collaboration between the US government and critical infrastructure stakeholders. This initiative aims to identify technologies and approaches to cybersecurity that assist in providing threat visibility, indicators of compromise, and detection of incidents. The initiative is also intended to facilitate the deployment of these technologies and approaches into systems identified as part of national critical infrastructure. The memorandum directs the Secretary of Homeland Security and the Secretary of Commerce, along with other agencies, to develop and issue cybersecurity performance goals for organizations involved in national critical infrastructure.
The writing on the wall here is that if these goals are not met, requirements might be given the force of law. Essentially: “We can do this the easy way, or the hard way.” The memorandum states:
“That effort may also include an examination of whether additional legal authorities would be beneficial in enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”
The implication here isn’t subtle: if private stakeholders in critical infrastructure are not able to improve security and reduce the number and severity of incidents that we are seeing through voluntary effort, they will be compelled to do so by law for the sake of national security. Unfortunately, it is my prediction that due to limited resources and a lack of concerted effort, many private stakeholders in critical infrastructure will not be able to meet a voluntary mandate for cybersecurity. There will be a breaking point—either a single catastrophic incident or the predictable increase in breaches we are already seeing—that will drive cybersecurity requirements to be enforced upon critical infrastructure stakeholders by federal agencies.
If you are a stakeholder that will be impacted by this mandate, and its eventual teeth, the wisest action would be to get ahead of the game. Work under the assumption that cybersecurity best-practice guidelines will be audited and enforced, and align yourself with trusted partners that can ensure that you will meet those requirements. Above all, the worst thing that could happen in the meantime is that a breach at your organization winds up being used as an example of negligence and of the need for additional enforcement. Work with skilled offensive security professionals to test your security before the news media names your organization in the same breath as the new legal authorities that came as a result of your being breached.