1 August 2021

Improving Cybersecurity for Critical Infrastructure Control Systems Is Only a First Step

James Andrew Lewis

The central question raised by today’s National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems is what should take the place of a voluntary approach to cybersecurity. This responsibility falls on Congress. In many areas, Congress has realized that the United States is in a contest with China. The Chinese think the United States is unable to govern itself. Providing the authorities needed for better cybersecurity is an opportunity to prove China wrong.

Proposed legislation in 2012 would have given the Department of Homeland Security (DHS) the authority to regulate critical infrastructure, but it was fiercely opposed by many in the private sector. One result of this failure to pass legislation in 2012 has been more than a decade of significant economic loss (probably more than $1 trillion in aggregate) and major damage to national security.

Stymied by Congress’s unwillingness to provide new authorities, the Obama administration issued Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) on February 12, 2013. This order circumvented Congressional reluctance by creating a sector-specific approach. Agencies used their existing authorities over critical infrastructure sectors to hold their charges accountable in meeting new cybersecurity standards created by the NIST Cybersecurity Framework developed in close partnership with the private sector. (When asked why it was called a framework, one of Executive Order 13636’s authors replied that calling it regulatory was too politically sensitive.)

The NIST framework laid out the best practices for cybersecurity. It has since become a global standard. Sectoral regulatory agencies can, to the extent permitted by their existing authorities, direct companies to meet the framework’s requirements. While this approach avoided the need to ask Congress for more authority, the results vary from sector to sector given disparities in their authorities. Pipelines, for example, had voluntary guidelines and no monitoring or reporting requirements. Other sectors vary in the degree of regulatory rigor, but there is a correlation between greater regulatory authority and better cybersecurity.

To be fair, neither DHS nor the United States’ understanding of cybersecurity was mature enough in 2012 to justify a regulatory approach. The publication of the NIST framework and the creation of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 changed this. While it could be strengthened, DHS now has the capacity to regulate critical infrastructure in partnership with sector-specific agencies and with NIST. There are also a patchwork of authorities in legislation like the Graham-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and a few others, but politically expedient patchworks leave too many gaps to provide effective cybersecurity (or to be effective in other areas, like privacy). The dark secret of the May 2021 cybersecurity executive order is that it relied on existing authorizes found within the Federal Acquisitions Regulation (FAR) to require better cybersecurity because using the FAR obviated the need to ask Congress for new authorities.

What DHS lacks are the key authorities needed to improve cybersecurity. While there has been much action in Congress and many bills, most dodge the fundamental problems of authority and regulation. Addressing this problem would be difficult for any Congress. Too much regulation stifles growth. Too little regulation harms public safety and national security. Finding the sweet spot requires a working political process of hearings and bill-drafting.

The White House, DHS, and the new national cyber director can lay the groundwork for a new approach that relies on notification of incidents and mandatory standards. The May 2021 cybersecurity executive order began this work. Today’s NSM extends it with the Industrial Control System Cybersecurity Initiative, which will focus on “encouraging and facilitating” the deployment of technologies that provide threat visibility and that can monitor control systems to detect malicious activity. The NSM calls for baseline cybersecurity goals that are consistent across all critical infrastructure sectors to be developed by CISA and NIST. CISA will issue preliminary goals for control systems across critical infrastructure sectors, to be followed within a year by final cross-sector control system goals. New performance goals “should serve as clear guidance to owners and operators about cybersecurity practices” and create cybersecurity performance goals to help develop “a common understanding” of security practices.

All of this is good, but there are problems with some of the verbs used in the NSM. Setting goals, providing guidance, and creating common understandings are what the United States has been doing since 2012. It’s not enough. No one likes to be regulated and streamlining the growing burden of regulation is essential for economic growth, but the fact that we overregulate in too many areas does not justify underregulation for cybersecurity. Remember that when Congress passed laws mandating seatbelts, the CEOs of the largest U.S. car companies testified before the Senate that requiring seatbelts would kill the U.S. car industry. They were wrong, and those who oppose cybersecurity regulation are similarly in error.

But the politics of the 1960s or even 2012 no longer apply. Many companies would now welcome balanced government action in cybersecurity. The NSM provides the foundation for better cybersecurity, but Congress should build on it. A first step would be to pass proposed legislation that would require notification of major cyber incidents. It would be useful to strengthen the CISA by providing it with more resources. Congress can then begin the process of consultation and drafting necessary to provide the needed authorities to require better cybersecurity, not just suggest it.

No comments: