Biden Ramps Up Efforts To Protect Infrastructure From Cyberattacks
The White House announced that President Joe Biden signed a new executive order to help further protect the U.S. infrastructure from cyberattacks.
New Approaches Needed
According to a fact sheet released by the White House, “As we have seen, the degradation, destruction, or malfunction of systems that control this infrastructure can have cascading physical consequences that could have a debilitating effect on national security, economic security, and the public health and safety of the American people.
“Currently, federal cybersecurity regulation in the United States is sectoral. We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention.
“Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory. We look to responsible critical infrastructure owners and operators to follow voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.”
Second Pipeline Directive
The White House noted that last week the Department of Homeland Security’s Transportation Security Administration (TSA) announced a second Security Directive for critical pipeline owners and operators. The director requires owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections, including:
Implementing specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes.
Developing and implementing a cybersecurity contingency and recovery plan.
Conducting an annual cybersecurity architecture design review.
‘Music To My Ears’
Neil Jones, a cybersecurity expert with Egnyte, said, “In reviewing the details of the Biden administration's new cybersecurity memorandum, the term ‘cybersecurity performance goals for critical infrastructure’ was music to my ears. For far too long, organizations have been able to view cybersecurity protection as a nice-to-have, rather than as a mission-critical imperative that's subject to associated performance metrics.
“I am also excited to see that the Industrial Control Systems (ICS) initiative will promote technological enhancements that enable organizations to view, detect and respond to threats more quickly and effectively,” he said.
Jones noted that, “The only potential downside is that the ICS is a voluntary program, so we will need to monitor future participation, or the program may not make a meaningful impact. Finally, the second TSA directive for critical pipeline owners and operators should significantly improve protection from ransomware attacks such as Colonial Pipeline, and the directive's cybersecurity contingency and recovery plan will allow affected organizations to rebound more rapidly.”
Steps In Right Direction
Jon Clemenson is the director for information security for TokenEx. He said, “It's great to see measured steps in the right direction. There are several, similar initiatives also working through Congress at the moment.
An incident reporting bill (ALB 21B95 K29), a bill to establish a civilian cyber reserve (S.1324 - Civilian Cyber Security Reserve Act), another that removes punitive damages levied against organizations with appropriate cyber controls in place, (essentially, a carrot to incentivize the positive action of organizations versus the stick of litigation or being made example of).
All good initiatives to bring cybersecurity and data protection process and technology to the forefront of actions for all organizations, not just federal.
Advice For Business Leaders
Clemenson said, “Often in the cybersecurity space, the government does something first (think: NIST controls), and then efforts trickle down to private sector organizations.
“My challenge to organizations is: why wait, when the solution is deceptively simple and right in front of you? Concerned about breaches? Then consider tokenization in addition to encryption,” he advised.
Clemenson recommended that, “Building trust with clients, showing insurance companies that your organization is taking proactive action above and beyond the basics, and enabling data flow while simultaneously protecting the data—the list of benefits goes on. When thinking about security posture management of an organization, tokenization should be a part of every data organization's portfolio of tools.”