After a rash of significant cybersecurity breaches and ransomware attacks affecting a wide set of industries, ranging from pipelines to technology companies,[1] the Biden administration released its much-anticipated National Cybersecurity Strategy on March 2, 2023. The plan builds upon the Biden administration’s previous efforts to protect the country’s cyberspace from malicious actors and hints at new cybersecurity regulations for critical infrastructure.
New National Cybersecurity Strategy Indicates New Regulations of Critical Infrastructure, including Oil and Gas, Incoming
Biden’s National Cybersecurity Strategy structures itself around five pillars, emphasizing particular areas in which the administration seeks to “build and enhance” collaboration between the public and private sectors to strengthen cybersecurity.[2] The five pillars are:
- Defend Critical Infrastructure;
- Disrupt and Dismantle Threat Actors;
- Shape Market Forces to Drive Security and Resilience;
- Invest in a Resilient Future; and
- Forge International Partnerships to Pursue Shared Goals.
As part of its plan, the administration intends to use existing federal authorities to place new cybersecurity regulations on critical infrastructure, which includes oil and gas assets and pipelines. These anticipated regulations will “define minimum expected cybersecurity practices” in their industry, and notably will leverage existing cybersecurity frameworks, such as the Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Performance Goals[3] and the National Institute of Standards and Technology (NIST)’s Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).[4] NIST CSF is in the process of being updated, with an initial draft of version 2.0 of the standard set to be published in late March 2023. Owners of critical infrastructure should consider following the updates to the NIST CSF, as they could influence future regulations.
At the center of this effort to improve critical infrastructure cybersecurity are Sector Risk Management Agencies (SRMAs)[5]—federal agencies tasked with improving security within their sectors. The federal government plans to invest in SRMAs, with the goal that they will “proactively respond to the needs of critical infrastructure owners and operators” in their service areas. Hand in hand with this new investment, SRMAs will likely be used to develop and implement new cybersecurity regulations. In fact, some have already done so. For example, the Transportation Security Administration (TSA) has issued directives regulating the cybersecurity of pipelines and railroads. Other SRMAs, such as the Department of Energy and the Environmental Protection Agency, which respectively have jurisdiction over the Energy Sector and the Water and Wastewater Systems Sector, could issue cybersecurity regulations in the future. Any of the sixteen distinct critical infrastructure sectors could face new cybersecurity regulations.
Realignment of Incentives
Beyond adding industry-specific regulations, the administration also intends to more broadly realign incentives in the cybersecurity space. The administration envisions two ways of achieving better incentives.
First, the administration plans to collaborate with Congress and the private sector on legislation placing liability for insecure software on manufacturers and software publishers. Paired with this increased liability, this hypothetical legislation would provide a safe harbor based on existing standards (like the NIST Secure Software Development Framework)[6] to shield complying software companies from liability for vulnerabilities.
Second, the administration aims to scale public-private collaboration on cybersecurity through enhanced cooperation between CISA and SRMAs and sector-specific information sharing groups for the private sector as well as through increased federal grants and research and development on cybersecurity.
What This Means for You
The Biden administration’s National Cybersecurity Strategy demonstrates the federal government’s appreciation of the serious threat that cyber attacks pose to the country’s most vital industries. Critical infrastructure owners can expect future government regulations that set minimum standards for cybersecurity and are based on existing cybersecurity frameworks. Companies should consider whether proactive adoption of an existing cyber framework or standard is appropriate for their business.
[1] David E. Sanger & Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. Times (May 14, 2021), https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html.
[2] National Cybersecurity Strategy (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[3] Comput. Info. Sec. Agency, Cross-Sector Cybersecurity Performance Goals (2022), https://www.cisa.gov/sites/default/files/2023-01/2022_00092_cisa_cpg_report_508c.pdf.
[4] Nat’l Inst. Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
[5] Sector Risk Management Agencies, Comput. Info. Sec. Agency, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/sector-risk-management-agencies.
[6] Nat’l Inst. Standards & Tech., Secure Software Development Framework (SSDF) Version 1.1 (2018), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf.