This blog was co-authored by summer associate Saraphin Dhanani.
The Biden Administration has recently announced several new initiatives relating to the cybersecurity of critical infrastructure. The announcements add to a host of efforts ordered by the President in May and intended to bring greater focus on the nation’s cyber vulnerabilities and on public-private cooperation to address them. The bevy of efforts, however, also diffuses responsibilities across the federal enterprise and raises the burden on private entities to track the implications of these expanding federal efforts for their own cybersecurity and information management practices.
On July 28, President Biden issued a National Security Memorandum (NSM) reaffirming his commitment to safeguarding America’s critical infrastructure by improving industries’ voluntary cybersecurity controls. Accordingly, the Administration established two principal objectives to achieve these ends: establishing an Industrial Control Systems Cybersecurity Initiative to promote Government and industry collaboration on cyber issues, and charging the Department of Homeland Security and the Department of Commerce to create baseline cybersecurity goals for all infrastructure sectors.
Separately, at the Black Hat cybersecurity conference on August 5, Jen Easterly, the newly confirmed Director of the Cybersecurity and Infrastructure Security Agency (CISA), announced the formation of a Joint Cyber Defense Collaborative that gathers federal, state, local, tribal and territorial entities, as well as information sharing and analysis centers, and specific private companies in an effort to increase (initially) the cloud security of critical infrastructure providers.
July 28 National Security Memorandum: Industrial Control Systems Cybersecurity Initiative (Initiative)
President Biden’s Industrial Control Systems Cybersecurity Initiative can most succinctly be described as a partnership between the Federal Government and the critical infrastructure community serving on a voluntary basis to “defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.” Though little is publicly known, this partnership was apparently first piloted for the electricity sector in April, is now being pursued with the natural gas pipeline effort, and will follow with an effort in the Water and Wastewater Sector Systems and Chemical Sector later this year. The NSM mentions the focus on “deploying systems and technologies that can monitor control systems,” but does not clarify whether that will be a government deployment or a private deployment in some way assisted by the government.
July 28 National Security Memorandum: Critical Infrastructure Cybersecurity Performance Goals
President Biden also stressed the importance of establishing and harmonizing baseline cybersecurity goals across the varied infrastructure sectors. The NSM articulates an intent to provide “clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.” To that end, President Biden has charged the Secretary of Homeland Security and the Secretary of Commerce (through the Director of the National Institute of Standards and Technology) to develop and issue cybersecurity performance goals for critical infrastructure industries no later than September 22, 2021, with final cross-sector control system goals slated to be issued by July 29, 2022, following the Secretary of Homeland Security’s consultations with relevant agencies.
August 5 Announcement: Joint Cyber Defense Collaborative
The announcement by Director Easterly on August 5 implements an authority granted to DHS in Section 2215 of the National Defense Authorization Act of 2021. The Act established an office for “joint cyber planning,” and the Collaborative will invite critical infrastructure owners and operators to share information “related to threat activity, vulnerabilities, and incidents affecting critical infrastructure.” For now, the Collaborative appears to be focused on a select group of entities. Notwithstanding the public fanfare, it is not yet clear what vehicles CISA contemplates for such sharing. The NDAA 2021 does not create any new mechanisms for private sector sharing or for managing the liability risks that disclosing information outside of a corporate enterprise can entail. Thus, the only current vehicle that provides some level of protection for private interests is the Cybersecurity Information Sharing Act of 2015, a statute that has not necessarily yielded a high level of information sharing between federal and private enterprise. Though the initiative was just announced, the private sector will benefit from more definitive information about the government’s expectations and the management of a company’s own interests, such as the exact data sought, potential liability protections, and privilege implications, in order to be empowered to fully participate in this initiative.
Keys for Private Companies
It remains to be seen whether and how these various initiatives will be linked to one another, or others established through prior Administration announcements. While the goal of heightened cybersecurity is laudable, companies should prepare in several ways for these new initiatives.
- As NIST works to develop the guidelines ordered in the July 28 NSM, there will be a brief window in which it solicits public feedback; impacted companies should maintain vigilance and proactively engage with NIST and/or be prepared to provide comments on any draft issued for public comment. NIST guidelines can sometimes form the basis for assertions that they capture industry standard practices, and industry practitioners should be aware of the possibility of being held to similar standards in the future, whether justifiably or not;
- Companies must be aware of the general desire of federal entities to acquire more detailed information about cyber threats, and be prepared to provide candid feedback to the entities with which they are engaging about the various demands being placed on their resources and the optimal ways to efficiently execute those relationships;
- Companies should engage counsel to assist in any information sharing with federal entities to ensure proper rules are applied to clearly govern who within an organization is permitted to share which categories of information; and
- Companies should continue to urge the Administration to provide a consolidated roadmap for the various federal initiatives being pursued, the responsibilities and authorities granted to specific entities, and more refined instructions on how private firms are expected to engage with those entities.
While internal discussions within the Executive Branch may be coalescing around clear lines of effort and addressing the sensitivities of the private sector, such distinctions and efforts are not yet readily apparent to the general public. Companies should tread carefully while seeking effective ways to engage.