www.washingtonpost.com
104.96.128.158
Public Scan
Submitted URL: https://info.sysdig.com/MDY3LVFaVC04ODEAAAGJjnwC-pv6vZg13SiGqxCDQ1n6SzyXkFUL_HoXAVuPKeBJG_OPxoD2zoMpDGVawtFpUZ6Fj98=
Effective URL: https://www.washingtonpost.com/national-security/2023/01/05/biden-cyber-strategy-hacking/?mkt_tok=MDY3LVFaVC04ODEAAAGJjnwC-tR_O...
Submission: On January 26 via api from US — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
The Washington Post
National Security

U.S. national cyber strategy to stress Biden push on regulation

The White House wants expanded requirements for private companies that operate in critical infrastructure sectors

By Ellen Nakashima and Tim Starks
January 5, 2023 at 6:00 p.m. EST

A coming national cyber strategy builds on the first-ever oil and gas pipeline regulations imposed last year by the Biden administration after a hack of one of the country’s largest pipelines. (Jon Elswick/AP)

The Biden administration is set to unveil a national strategy that for the first time calls for comprehensive cybersecurity regulation of the nation’s critical infrastructure, explicitly recognizing that years of a voluntary approach have failed to secure the nation against cyberattacks, according to senior administration officials.

The strategy builds on the first-ever oil and gas pipeline regulations imposed last year by the administration after a hack of one of the country’s largest pipelines led to a temporary shutdown, causing long lines at gas stations and fears of a fuel shortage. The attack on Colonial Pipeline by Russian-speaking criminals elevated ransomware to an issue of national security.

DHS to issue first-ever cybersecurity regulations for pipelines after Colonial hack

The strategy, drawn up by the White House Office of the National Cyber Director (ONCD), is moving through the final stages of interagency approval — involving more than 20 departments and agencies — and is expected to be signed by President Biden in the coming weeks, according to the officials, who spoke on the condition of anonymity because the document is not yet public.

“It’s a break from the previous strategies, which focused on information sharing and public-private partnership as the solution,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank. “This goes well beyond that. It says things that others have been afraid to say.”

For instance, according to a draft copy of the strategy, one of the stated goals is: “Use Regulation to support National Security and Public Safety.” Under that, it says that regulation “can level the playing field” to meet the needs of national security, according to two individuals familiar with the draft.

It also states that “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes.”

It even calls for shifting liability “onto those entities that fail to take reasonable precautions to secure their software” while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.

“If ‘tough’ means that we have to be serious about what we want cyberspace to do for us … then it’s time for us to be tough,” National Cyber Director Chris Inglis said at a cyber conference hosted by Cipher Brief, a national security analysis site, in September. “If at the end of the day, self-enlightenment and market forces take us [only] so far … then we have to go a little bit further as we have for cars, or airplanes, or drugs and therapeutics.”

The strategy calls for regulation of all critical sectors — either by executive authority, as with pipelines, or by a congressional action where executive authority is lacking, the officials said.

Following the Colonial Pipeline incident, the White House National Security Council under the direction of Anne Neuberger, deputy national security adviser for cyber and emerging technology, undertook an analysis of the state of regulation for all 16 critical infrastructure sectors.

The result was instructive. Five of them — nuclear power, financial services, large energy generation, chemicals and major defense contractors — had some form of cybersecurity regulations in place, imposed over the years before the Biden administration. After the Colonial hack, regulations were imposed on several more: oil and gas pipelines, rail and aviation. Soon the Environmental Protection Agency will issue a rule for the water sector, one of the senior officials said.

But the analysis also found there are five critical sectors of the U.S. economy in which oversight agencies lack authority to issue national-level cyber regulation. Those include food and agriculture, government facilities such as election infrastructure and schools, and “critical manufacturing” — including vaccine-makers, pharmaceuticals and mask manufacturers, the official said. That’s where Congress would have to step in to pass legislation granting the relevant federal agency power to regulate, the official said.

The analysis looked at the companies in each sector for impact on Americans’ lives in the case of a disruption, because shutting down a major electric power generation company affects many more Americans than a small one. So, for instance, only 97 of the largest pipeline companies — those serving 50,000 or more customers or transporting hazardous materials — were covered by last year’s regulation, the official said.

“That’s another key part of the approach, which is to say this doesn’t apply to everyone,” said Neuberger at a Washington Post Live event in October.
“A careful look by the sector lead agency who understands the sector, who says who are the big players, who are the players who a disruption of their services would impact Americans broadly … those are the ones we’re focused on.”

The National Security Council analysis is reflected in the strategy, and there will be a separate implementation plan that is still being worked on, officials said.

The strategy directs that regulations need to be developed in consultation with industry — to ensure that the rules advance security without being unworkable or unduly burdensome. The officials conceded that, for instance, the first attempt at setting pipeline rules last year failed because they were done in haste and without consulting the companies, and as a result were overly prescriptive. “It wasn’t done right,” a second official said.

New emergency pipeline cyber regulations draw mixed reviews

The first set of rules were “massively a bust,” said Robert M. Lee, chief executive of the industrial cybersecurity firm Dragos, which helps pipeline companies harden their operational systems against hacks. “Even attempting them would have caused disruptions to systems. They were asking for things that were technically not feasible.”

The second set was much improved, he said. “It took in pipeline asset and owner feedback. They moved towards more performance-based, than prescriptive standards: ‘Here’s what we want you to accomplish,’ not ‘here’s how to accomplish it.’”

The U.S. Chamber of Commerce, which spends the most of any lobbying organization in the United States, drove a successful campaign a decade ago to kill legislation that would have mandated cybersecurity standards.
Cognizant that the political winds have shifted in the wake of Colonial Pipeline and Russia’s invasion of Ukraine — which prompted fears that Moscow might hack American critical infrastructure — it has moderated its stance slightly, accepting that regulations are inevitable but seeking some incentives to encourage compliance.

In a statement to The Post, the Chamber asserted that it shares “a mutual interest” with Inglis’s office — the ONCD — in “advancing regulatory harmonization, liability protections and federal preemption.”

Harmonization means, for instance, avoiding multiple agencies conducting cybersecurity inspections on the same company. “Liability protections” is an apparent reference to immunity, for instance from lawsuits, if certain standards are met, and “federal preemption” means ensuring that a national-level regulation supersedes state rules so that companies are not subject to a patchwork quilt of requirements.

“I’m glad to see the Chamber recognized that we need some federal baselines,” said Jeff Greene, who until July led the NSC cyberdefense policy and is now with the Aspen Institute think tank. “It’s a step in the right direction.”

States have authority to regulate electric power distribution, and New York Gov. Kathy Hochul (D) just last month signed legislation imposing cybersecurity rules on the state’s energy distribution grid. The news release noted that the action followed a request from Biden that states set minimum cybersecurity requirements for critical infrastructure, including the energy system.

“The strategy reflects the hard lessons we’ve learned from SolarWinds [the Russian hack of U.S. agencies] to Colonial Pipeline — that our supply chain and our critical infrastructures are under duress,” said Mark Montgomery, senior fellow at the Foundation for Defense of Democracies.
“But the hard part comes next, translating all the good ideas into action.”