4 critical infrastructure sectors to get new cyber rules, per White House official

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks during a briefing in the James S. Brady Press Briefing Room of the White House in Washington, DC, on March 21, 2022.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks during a briefing in the James S. Brady Press Briefing Room of the White House in Washington, DC, on March 21, 2022. NICHOLAS KAMM/AFP via Getty Images

Mariam Baksh By Mariam Baksh,
Senior Correspondent

By Mariam Baksh

|

The deputy national security advisor for cyber and emerging tech said it should be up to sector-specific agencies to decide who should  implement appropriate cybersecurity defenses.

Outlining a sequence of critical infrastructure sectors that have been designated for cybersecurity risk management, Deputy National Security Advisor Anne Neuberger said the administration is preparing to activate its regulatory authorities at four agencies.

Neuberger listed the critical infrastructure sectors for which the administration will be coming out with new cybersecurity requirements, starting with transportation—which is already in progress—and followed by communications, water and healthcare.

Neuberger was participating in an event the Washington Post livestreamed Thursday on the federal government’s efforts to secure cyberspace.

“From the outset, [President Joe Biden] said that security abroad begins with security at home, confidence abroad begins with confidence at home,” Neuberger said. "And a key way to deter adversaries in cyberspace is to know we have confidence in [a] level of security, that we've locked our digital doors and put on our digital alarm system.”

That was not the case when Colonial Pipeline was hacked, Neuberger said. And a status quo where there was no expectation that the company separate the portions of its network using information technology for corporate processes from those running the operational technology in its industrial control systems—for example—is unacceptable, she said. 

Neuberger started her description of the administration’s action plan by highlighting imminent updates for security directives the Transportation Security Administration issued last year. She said the updated directives will incorporate feedback from a meeting the White House held with industry representatives this summer from transportation sub-sectors that include rail, maritime, aviation and pipelines for oil and gas. 

“TSA identified 57 rail entities, 104 air entities … airports, airlines, cargo lines, brought them in, gave them a threat briefing and issued a security directive, and then refined the security directive as well,” Neuberger said. She added updates are coming “shortly,” for a rail directive initially issued in December and an aviation directive initially issued in November. Neuberger said the meeting with industry, along with models used in Australia and other peer nations will inform the new directives, as well as more rules to come in other sectors. 

She noted a rulemaking process getting underway at the Federal Communications Commission to improve the operational readiness of emergency alert systems and reduce their vulnerability to cyberattacks. The item is scheduled for consideration during the FCC’s next open meeting on Oct.27. The FCC’s cybersecurity division also recently finalized a rule for applying its new Mandatory Disaster Response Initiative to wireless network providers.

Crediting Environmental Protection Agency Administrator Michael Reagan and Deputy Administrator Janet McCabe, Neuberger said that agency will take a “creative” approach in exercising its regulatory authority with a rule to clarify that ensuring the safety and security of water systems entails overseeing entities’ cybersecurity. 

Then, Neuberger said, the Department of Health and Human Services will be coming out with minimum cybersecurity guidelines for hospitals to be followed by broader work in the healthcare sector, including on medical devices

Neuberger’s remarks stressed the role of sector risk management agencies in identifying systemically important entities for cybersecurity regulation. The process should involve “a careful look by the sector lead agency,” she said, “who understands the sector,” and knows “who are the big players … [where] disruption of their services would impact Americans broadly, will prevent the military from being able to deploy troops in the event of a conflict.”

Her announcement of the new requirements came as—during the same live event—Rep. John Katko, R–N.Y., outgoing ranking member of the House Homeland Security Committee, continued to withhold his support for legislative efforts to regulate cybersecurity at critical infrastructure companies.

This summer, Neuberger said her office was working with lawmakers on legislation that would embolden regulators on the issue. An amendment from Rep. Jim Langevin, D-R.I.—which is attached to the House National Defense Authorization Act—would lay the groundwork for agencies to harmonize the application of their regulatory powers for cybersecurity and establish standards for companies to meet in making their operations more resilient to attacks. 

Trade associations for companies from across the critical infrastructure sectors wrote to the leaders of the Senate Armed Services Committee—and the Senate Homeland Security Committee—expressing their opposition to the amendment, and sending lawmakers back to the drawing board.

“It's rare for most of us in Homeland to have disagreements on cyber between the Republicans and Democrats, but that was one where we had disagreement, so that's why it didn't get across the finish line,” Katko said. 

He added that any legislation to establish cybersecurity responsibilities for systemically important entities should wait, so it can be informed by implementation of the Cyber Incident Reporting for Critical Infrastructure Act and rules the Cybersecurity and Infrastructure Security Agency is seeking public input to shape under the law. CISA is required to work with relevant sector risk management agencies, including HHS, the Treasury Department and other regulators, in finalizing the incident reporting rules.

“The [CIRCIA] rulemaking process, I think, will shake out a lot of the concerns that both sides have,” Katko said. “And then, if we need to do something on the back end, we can do it, but I'm not sure we're going to need to. We'll have to take a look and see.”

The administration will still look to Congress for help regulating cybersecurity in the crucial information technology sector, and others, where Neuberger says statutory authority is absent.

“For some, like critical manufacturing, or DHS emergency services or information technology, there are not authorities and we're looking carefully at this to say what is needed in this space,” she said.

NEXT STORY: White House plans cyber labeling system for IoT devices

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.