The Biden administration has struggled in some cases to set cybersecurity requirements for critical infrastructure, but it now expects to have a new plan for minimum cyber standards in place by early 2025.
This was the statement of Caitlin Durkovich, Special Assistant to the President and Deputy Assistant for Homeland Security for Resilience and Response. Speaking at an event hosted by ICS Village on Thursday, Durkovich spoke about the Biden Administration's efforts to implement the recently signed National Security Memorandum on Critical Infrastructure Security.
“One of the reasons we pushed for this NSM to be signed when it was signed was to ensure we had a grace period to move forward with implementation,” Durkovich said. “The president essentially signed it 270 days before the end of his term. We wanted to be able to implement the majority of the measures while he was in office.”
“So by the end of January next year we should have a pretty good idea of where we need to go on the path of minimum standards,” she said.
The memorandum calls on sector risk management agencies to work with the Cybersecurity and Infrastructure Security Agency to develop new “sector risk management plans.”
“One of the requirements is that where there aren't minimum or baseline standards, they should provide recommendations or a path forward to get there as part of the risk management plan for that area,” Durkovich said.
In some cases, government agencies may recommend new cybersecurity regulations.
“The challenge with regulation is that rulemaking is not a quick process,” Durkovich added. “And by not quick, I don't mean it takes months to develop regulations, I mean it takes years. Or whether we can work with Congress — what's the best path forward to put some minimum standards in place in these critical areas.”
Of the 16 critical infrastructure sectors, some, such as financial services and oil and natural gas, are subject to cybersecurity regulations, but many others are not. The Biden administration's cybersecurity strategy calls for new requirements for critical infrastructure, but the effort faces challenges.
For example, the Environmental Protection Agency last year tried to impose new cybersecurity requirements on the water sector as part of an EPA-mandated sanitation review, but after strong opposition from industry and Republican states, and even a lawsuit, the EPA withdrew those requirements.
Durkovich said the new effort, based on President Biden's recent directive, is “still in its early stages.”
“We will look for those recommendations and act on them, especially in areas where there are no minimum standards on cyber hygiene,” she said.
Policymakers have placed increased emphasis on cybersecurity in key areas since U.S. officials warned earlier this year about Chinese intrusions into critical infrastructure.
Durkovich said the department is also focusing on efforts to identify “systemically important organizations.” CISA is leading the effort.
“This is something we want to get agreement on across all sectors, we need a common framework and methodology,” she said.
Durkovich also emphasized efforts to hold intelligence agencies “accountable” for the memorandum's directives. Biden has directed intelligence agencies to increase sharing of cyber threat information with owners and operators of critical infrastructure and sector risk management organizations.
“That's a big change,” Darkovich said. “And that's something we're working very closely with the intelligence community on. That's really important given the strategic environment and making sure that owners and operators have what it takes to compel them to make the investments that they should be making beyond regulation.”
White House officials also highlighted increased funding for risk management agencies across several sectors, including the EPA and the Department of Health and Human Services, in their fiscal 2025 budget request.
“There are some departments and agencies that are well-resourced and doing a great job – think of the Treasury Department. [Energy Department] – and national security [and] “Critical infrastructure is often not at the top of their priorities and is often not adequately resourced,” Darkovich said, “but the reality is that all of these areas are important for a reason, and we need to make sure we're all on the same playing field.”
Copyright © 2024 Federal News Network. All Rights Reserved. This website is not intended for users within the European Economic Area.