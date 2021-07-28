They also are meant to address the “patchwork of sector-specific statutes" that have been adopted piecemeal over time and that leave the government without a uniform or adequate cybersecurity threshold, according to a senior administration official who briefed reporters before a formal announcement.

The actions, outlined in an order from President Biden, are an acknowledgment of the cybersecurity vulnerabilities of critical industries — a reality made clear by the May hack of the nation’s largest pipeline, which delivers about 45 percent of the fuel consumed on the East Coast.

WASHINGTON — The Biden administration is taking steps to harden cybersecurity defenses for critical infrastructure, announcing on Wednesday the development of performance goals and a voluntary public-private partnership to protect core sectors.

Advertisement

The partnership was launched as a pilot program in April with electricity utilities, and another plan is underway for natural gas pipelines. Additional alliances with other sectors will be formed this year, the White House said. The move comes as federal officials have been promoting greater cybersecurity resiliency among private companies, including announcing new requirements and protections for pipeline owners and operators last week.

Since the start of the program, more than 150 power industry utilities have enrolled, according to a senior administration official, who requested anonymity to discuss the memorandum prior to its release.

The official emphasized that the US government couldn’t protect critical parts of the economy without help from the private sector.

The government is optimistic that compliance with the voluntary guidelines will help companies defend sensitive segments of their computer networks that control industrial operations, the official said.

“The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water, and transportation,” said Homeland Security Secretary Alejandro Mayorkas and Secretary of Commerce Gina Raimondo in a joint statement. “The establishment of cybersecurity performance goals marks important progress toward this goal.”

Advertisement

Attacks on industrial controls are particularly dangerous and can lead to contaminated water or food supplies, power shutdowns or even explosions. The United States has defined 16 sectors as critical, including dams, energy, critical manufacturing, food, and agriculture and water and wastewater systems.

The partnership is voluntary, though the administration has not ruled out the possibility of mandatory requirements in the future, the official said. But short of legislation, the official said, “there isn’t a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we face.”

Democratic Representative Adam Schiff of California, chairman of the House Intelligence Committee, praised the White House action as essential and “an important step.” But, he added, “I believe Congress must look beyond voluntary standards to strengthen our defenses.”

In addition, the new order will direct the departments of Homeland Security and Commerce to collaborate with other agencies on developing cybersecurity performance goals for critical infrastructure.

The order came a day after members of Congress called for tighter security standards for industrial control security during a Senate Judiciary Committee hearing on ransomware attacks.

Senator Ted Cruz, a Texas Republican, said the president had “responded to an extreme threat with extreme weakness,” while Senator Sheldon Whitehouse, a Democrat from Rhode Island, criticized critical infrastructure companies’ inability to meet “basic standards of cyber hygiene.”

Whitehouse also called on the Biden administration to promptly work with lawmakers to move a bill aimed at creating breach reporting requirements for certain companies. The administration official said the administration remains open to other options, including legislation, that would make critical infrastructure guidelines mandatory.

Advertisement

Material from Bloomberg News was used in this report.



