On Thursday Biden administration officials rolled out a long-awaited implementation plan for the White House’s national cybersecurity strategy against the backdrop of two events that illustrate the major obstacles facing the administration in improving the security of U.S. computing infrastructure.
First, Microsoft revealed that Chinese-linked hackers pilfered the emails of top U.S. officials by exploiting flaws in cloud computing systems that the Biden administration has promoted for their security benefits. Next, a court halted a controversial regulation mandating U.S. water systems improve their cybersecurity posture.
These two events highlight the hurdles that must be cleared to achieve the bold goals outlined in the strategy and its implementation plan released this week.
The Biden administration’s strategy seeks to create stricter minimum cybersecurity standards for critical infrastructure and to shift the responsibility for securing systems to better resourced players — including by adopting cloud computing solutions. But if courts rule against those standards and Chinese hackers are nonetheless able to penetrate cloud services, Biden administration officials face a tall task in trying to protect the nation’s most sensitive infrastructure.
Earlier this year, the EPA issued a major new rule establishing mandates for the water sector that required states to evaluate the industry’s digital defenses through sanitation surveys. While experts and the water industry all agreed on the need for cybersecurity mandates, relying on sanitation surveys to evaluate cybersecurity sparked intense criticism. Surveyors, experts and industry representatives argued, are simply ill-equipped to evaluate cybersecurity.
The American Water Works Association, other water trade groups and Republican-led states filed suit, calling into question the legality of the rule. And this week a court temporarily paused the rule while that legal challenge makes its way through the courts.
“AWWA strongly supports efforts to strengthen cybersecurity in the water sector, but the Sanitary Survey Program is not the right tool for the job,” AWWA CEO David LaFrance said in a statement. “We are grateful our viewpoint will be heard by the court and look forward to working together with EPA and others on a smart path forward.”
That suit may create a roadblock for other potential moves by the administration to use existing authorities to create cybersecurity mandates for other critical infrastructure sectors.
The implementation plan released this week does not call for any specific new regulations, and instead asks sector risk management agencies to analyze potential risks in the industries they oversee and figure out how to use current authorities to mitigate those risks.
But if U.S. courts rule against efforts to mandate improved cybersecurity using existing statutes, sector risk management agencies may have to develop proposals for new authorities — which may require an act of Congress and a slower process to create stricter security standards.
And the suit may also create obstacles to the White House’s plans to harmonize different rules for various critical infrastructure sectors.
Owners and operators of critical infrastructure have long complained about overlapping regulations they must adhere to, particularly if the owner works in more than one sector. The Biden administration’s implementation plan for its cybersecurity strategy calls for harmonizing critical infrastructure regulations by exploring a “framework for reciprocity for baseline requirements.”
Speaking at an event in Washington on Thursday, Nick Leiserson, the White House’s assistant national cyber director for cyber policy and programs, said the administration aims to find areas of overlapping regulations and use that as a roadmap to determine which cybersecurity standards in one sector might be recognized by another.
“What we’re really after to the greatest extent possible is reciprocity,” Leiserson said.
But some experts are concerned about how standards will be harmonized in practice.
“As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
“In pushing for one big set of regulation for all critical infrastructure you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.
The Biden administration’s cybersecurity strategy called out the vulnerabilities of a cloud computing industry consolidated among a handful of players, but this week’s implementation document focused only on so-called know-your-customer laws for infrastructure-as-a-service providers like Amazon, Google, and Microsoft.
“The lack of cloud almost entirely in this aside from the know your customer piece really stands out and in a lot of ways it is kind of alarming,” said Loomis. “It’s pretty clear that this is a huge area of concentrated risk for the entire ecosystem.”
That said, Biden administration officials emphasize that the implementation plan is a living document and is set to be updated next year to potentially address missing aspects.