White House Ramps Up Pressure On Critical Infrastructure Companies To Improve Resilience Against Cyberattacks

July 29, 2021

By a Biometrica staffer

In another sign of how seriously President Joe Biden is taking a recent swell in the number of cyberattacks on American entities, on Wednesday, July 28 the White House released a national security memorandum on “improving cybersecurity for critical infrastructure control systems.”

The mostly voluntary set of recommendations is designed to help secure the type of companies that provide services essential to the safety, wellbeing, and functioning of the country and its citizens, including energy, food, power, and water systems. The White House statement called the risk of cyberattacks on such systems “among the most significant and growing issues confronting our Nation.” 

Calling the protection of critical infrastructure from cyberthreats a priority of his administration, President Biden said he was establishing an “Industrial Control Systems Cybersecurity Initiative” to encourage collaboration and cooperation between the government and the companies that own these assets. The hope is that enhanced information sharing will allow all stakeholders to better identify, prevent, and respond to any cyberthreat or attack.

The memo also calls for the Secretaries of Homeland Security and Commerce to develop a framework that establishes minimum performance goals for cybersecurity in critical infrastructure industries. The aim is to provide clear, coherent, and measurable guidance to those who own and operate these assets. 

The move was prompted by the fact that there are no uniform regulatory or minimum standards in the industry, despite the importance of these vital systems. However, President Biden is severely hamstrung by the limitations on the government’s authority over matters of cybersecurity.

Around 90% of so-called “critical infrastructure” is privately owned, meaning individual companies set their own standards and requirements when it comes to cybersecurity. This is why even the most recent memo’s guidelines are not mandatory. Many industries have their own standards, but those are patchy and inconsistent at best, making them easy targets for malicious foreign actors or states to exploit.

The way President Biden is planning to handle this is two-fold. On one hand, the memo says that if it is found that “additional legal authorities” are necessary and would be beneficial to securing the infrastructure, then his administration would work to make that happen. 

The other way that the current administration is tackling its limited influence is by reframing the issue and narrative altogether. President Biden has routinely highlighted that these systems are imperative to national security, economic security, and public health and safety. In the memo, he says that if there is evidence that any “disruption, corruption, or dysfunction” to these services would “debilitate” the country, then it is up to the federal, state, local, tribal, and territorial governments to act.

In recent weeks, President Biden has stepped up rhetoric about cybersecurity. In addition to bringing up the issue with Vladimir Putin, President of Russia, on a recent call, the commander-in-chief has spoken of the potential national security risks of such attacks on virtually a weekly basis, the New York Times says. He is the first president to do so on a consistent basis, though this has been a cause for concern since George W. Bush’s tenure.

On Tuesday, July 27, the day before he signed the new executive order, the president told national intelligence officials that “if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence.” By framing it as a national security issue and a genuine threat to American people, the president is hoping to drive home just how important it is to protect crucial systems.

Separately, also on Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the United Kingdom’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory on the top 30 vulnerabilities they found that were most commonly exploited by cybercriminals in 2020 and those that are being used most so far in 2021.

The advisory recommends that both private and public entities across the world apply the available patches for the highlighted vulnerabilities as soon as possible. It also directs interested parties to available resources that could help affected parties.