www.washingtonpost.com
104.96.128.158  Public Scan

Submitted URL: https://info.sysdig.com/MDY3LVFaVC04ODEAAAGJjnwC-pv6vZg13SiGqxCDQ1n6SzyXkFUL_HoXAVuPKeBJG_OPxoD2zoMpDGVawtFpUZ6Fj98=
Effective URL: https://www.washingtonpost.com/national-security/2023/01/05/biden-cyber-strategy-hacking/?mkt_tok=MDY3LVFaVC04ODEAAAGJjnwC-tR_O...
Submission: On January 26 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content




U.S. NATIONAL CYBER STRATEGY TO STRESS BIDEN PUSH ON REGULATION


THE WHITE HOUSE WANTS EXPANDED REQUIREMENTS FOR PRIVATE COMPANIES THAT OPERATE
IN CRITICAL INFRASTRUCTURE SECTORS

By Ellen Nakashima and Tim Starks
January 5, 2023 at 6:00 p.m. EST

A coming national cyber strategy builds on the first-ever oil and gas pipeline
regulations imposed last year by the Biden administration after a hack of one of
the country’s largest pipelines. (Jon Elswick/AP)

The Biden administration is set to unveil a national strategy that for the first
time calls for comprehensive cybersecurity regulation of the nation’s critical
infrastructure, explicitly recognizing that years of a voluntary approach have
failed to secure the nation against cyberattacks, according to senior
administration officials.




The strategy builds on the first-ever oil and gas pipeline regulations imposed
last year by the administration after a hack of one of the country’s largest
pipelines led to a temporary shutdown, causing long lines at gas stations and
fears of a fuel shortage. The attack on Colonial Pipeline by Russian-speaking
criminals elevated ransomware to an issue of national security.



DHS to issue first-ever cybersecurity regulations for pipelines after Colonial
hack

The strategy, drawn up by the White House Office of the National Cyber Director
(ONCD), is moving through the final stages of interagency approval — involving
more than 20 departments and agencies — and is expected to be signed by
President Biden in the coming weeks, according to the officials, who spoke on
the condition of anonymity because the document is not yet public.


“It’s a break from the previous strategies, which focused on information sharing
and public-private partnership as the solution,” said James Lewis, a
cybersecurity expert at the Center for Strategic and International Studies think
tank. “This goes well beyond that. It says things that others have been afraid
to say.”

For instance, according to a draft copy of the strategy, one of the stated goals
is: “Use Regulation to support National Security and Public Safety.” Under that,
it says that regulation “can level the playing field” to meet the needs of
national security, according to two individuals familiar with the draft.

It also states that “while voluntary approaches to critical infrastructure
cybersecurity have produced meaningful improvements, the lack of mandatory
requirements has too often resulted in inconsistent and, in many cases
inadequate, outcomes.”


It even calls for shifting liability “onto those entities that fail to take
reasonable precautions to secure their software” while recognizing that even the
most advanced software security programs cannot prevent all vulnerabilities.

“If ‘tough’ means that we have to be serious about what we want cyberspace to do
for us … then it’s time for us to be tough,” National Cyber Director Chris
Inglis said at a cyber conference hosted by Cipher Brief, a national security
analysis site, in September. “If at the end of the day, self-enlightenment and
market forces take us [only] so far … then we have to go a little bit further as
we have for cars, or airplanes, or drugs and therapeutics.”

The strategy calls for regulation of all critical sectors — either by executive
authority, as with pipelines, or by a congressional action where executive
authority is lacking, the officials said.


Following the Colonial Pipeline incident, the White House National Security
Council under the direction of Anne Neuberger, deputy national security adviser for
cyber and emerging technology, undertook an analysis of the state of regulation
for all 16 critical infrastructure sectors. The result was instructive.

Five of them — nuclear power, financial services, large energy generation,
chemicals and major defense contractors — had some form of cybersecurity
regulations in place, imposed over the years before the Biden administration.
After the Colonial hack, regulations were imposed on several more: oil and gas
pipelines, rail and aviation. Soon the Environmental Protection Agency will
issue a rule for the water sector, one of the senior officials said.

But the analysis also found there are five critical sectors of the U.S. economy
in which oversight agencies lack authority to issue national-level cyber
regulation. Those include food and agriculture, government facilities such as
election infrastructure and schools, and “critical manufacturing” — including
vaccine-makers, pharmaceuticals and mask manufacturers, the official said.
That’s where Congress would have to step in to pass legislation granting the
relevant federal agency power to regulate, the official said.


The analysis looked at the companies in each sector for impact on Americans’
lives in the case of a disruption, because shutting down a major electric power
generation company affects many more Americans than a small one. So, for
instance, only 97 of the largest pipeline companies — those serving 50,000 or
more customers or transporting hazardous materials — were covered by last year’s
regulation, the official said.

“That’s another key part of the approach, which is to say this doesn’t apply to
everyone,” said Neuberger at a Washington Post Live event in October. “A careful
look by the sector lead agency who understands the sector, who says who are the
big players, who are the players who a disruption of their services would impact
Americans broadly … those are the ones we’re focused on.”

The National Security Council analysis is reflected in the strategy, and there
will be a separate implementation plan that is still being worked on, officials
said.


The strategy directs that regulations need to be developed in consultation with
industry — to ensure that the rules advance security without being unworkable or
unduly burdensome. The officials conceded that, for instance, the first attempt
at setting pipeline rules last year failed because they were done in haste and
without consulting the companies, and as a result were overly prescriptive. “It
wasn’t done right,” a second official said.

New emergency pipeline cyber regulations draw mixed reviews

The first set of rules were “massively a bust,” said Robert M. Lee, chief
executive of the industrial cybersecurity firm Dragos, which helps pipeline
companies harden their operational systems against hacks. “Even attempting them
would have caused disruptions to systems. They were asking for things that were
technically not feasible.”

The second set was much improved, he said. “It took in pipeline asset and owner
feedback. They moved towards more performance-based, than prescriptive
standards: ‘Here’s what we want you to accomplish,’ not ‘here’s how to
accomplish it.’”


The U.S. Chamber of Commerce, which spends the most of any lobbying organization
in the United States, drove a successful campaign a decade ago to kill
legislation that would have mandated cybersecurity standards. Cognizant that the
political winds have shifted in the wake of Colonial Pipeline and Russia’s
invasion of Ukraine — which prompted fears that Moscow might hack American
critical infrastructure — it has moderated its stance slightly, accepting that
regulations are inevitable but seeking some incentives to encourage compliance.

In a statement to The Post, the Chamber asserted that it shares “a mutual
interest” with Inglis’s office — the ONCD — in “advancing regulatory
harmonization, liability protections and federal preemption.”

Harmonization means, for instance, avoiding multiple agencies conducting
cybersecurity inspections on the same company. “Liability protections” is an
apparent reference to immunity, for instance from lawsuits, if certain standards
are met, and “federal preemption” means ensuring that a national-level
regulation supersedes state rules so that companies are not subject to a
patchwork quilt of requirements.


“I’m glad to see the Chamber recognized that we need some federal baselines,”
said Jeff Greene, who until July led the NSC cyberdefense policy and is now with
the Aspen Institute think tank. “It’s a step in the right direction.”

States have authority to regulate electric power distribution, and New York Gov.
Kathy Hochul (D) just last month signed legislation imposing cybersecurity rules
on the state’s energy distribution grid. The news release noted that the action
followed a request from Biden that states set minimum cybersecurity requirements
for critical infrastructure, including the energy system.

“The strategy reflects the hard lessons we’ve learned from SolarWinds [the
Russian hack of U.S. agencies] to Colonial Pipeline — that our supply chain and
our critical infrastructures are under duress,” said Mark Montgomery, senior
fellow at the Foundation for Defense of Democracies. “But the hard part comes
next, translating all the good ideas into action.”
