Biden memo, infrastructure deal deliver cybersecurity performance goals and money

The White House initiatives and expected passage of the US infrastructure plan will set new cybersecurity standards for critical infrastructure and provide money to state and local governments.

Both the Biden administration and Congress continued their frenetic pace this week to beef up the country's digital infrastructure protections through two highly consequential and unprecedented initiatives. Both efforts aim to prepare the nation for the next significant cybersecurity incidents, making up for lost time due to the previous administration's relative inattention to the topic.

First, the White House issued a National Security Memorandum (NSM) on "Improving Cybersecurity for Critical Infrastructure Control Systems." The memo requires the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce's National Institute of Standards and Technology (NIST), working with other agencies, to develop cybersecurity performance goals for critical infrastructure. The hope is that companies responsible for providing essential services like power, water, and transportation would follow those voluntary goals to strengthen their cybersecurity.

Preliminary cybersecurity performance goals due in September

The initial goals will be issued by the Department of Homeland Security (DHS) no later than September 22, 2021, followed by final cross-sector control cybersecurity goals within one year of the date of the memorandum. Moreover, after consulting with relevant government organizations, the DHS director will also issue sector-specific critical infrastructure cybersecurity performance goals within one year of the date of the memorandum.

In a sign that the White House intends to expand the government's authority to convert these voluntary goals into more legally binding requirements if needed, they will be developed alongside a study of whether additional legal authorities might be needed to enhance critical infrastructure cybersecurity.

Industrial control system cybersecurity initiative formally established

The memo also formally establishes the President's Industrial Control System Cybersecurity Initiative. The initiative is a voluntary collaboration between the administration and the critical infrastructure sector that technically began in mid-April with the creation of the electricity subsector pilot. The pilot has already attracted over 150 electricity utilities representing almost 90 million residential customers that are either deploying or have agreed to deploy control system cybersecurity technologies, the White House says.

During a press call to preview the memo, a White House spokesperson said that "our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we're also open to new approaches, both voluntary and mandatory."

During that same call, the spokesperson raised the idea of a "whole-of-nation effort" to secure critical infrastructure, stressing that government can't do it alone. The spokesperson said the White House is exploring "everything we can do to mandate strengthening of cybersecurity standards" along the lines of the Transportation Safety Administration's second directive issued last week. That directive contains detailed prescriptive measures for ensuring that pipeline companies meet minimum cybersecurity requirements.

Infrastructure deal includes new cybersecurity spending initiatives

This week's second significant cybersecurity development is what the White House calls the "historic" bipartisan infrastructure deal, a critical piece of President Biden's agenda in Congress. The deal calls for roughly $1 trillion in spending on the country's infrastructure, including $550 billion in new federal investment.

According to a still-draft version of the bill, the infrastructure deal includes the following new cybersecurity spending initiatives that relate to the energy sector:

  • Enhancing grid security through public-private partnerships: This section of the bill requires the energy secretary, in consultation with states and the industry, along with the Electric Reliability Organization to carry out a program to advance and promote the physical and cybersecurity of electric utilities, with a focus on utilities that lack resources.
  • Energy Cyber Sense Program: This section establishes a voluntary program to test the cybersecurity of products and technologies.
  • Incentives for Advanced Cybersecurity Technology Investment: This section asks the Federal Energy Regulatory Commission (FERC) to initiate a rulemaking to develop incentives to encourage investment in cybersecurity technology and participation in cybersecurity threat information sharing programs.
  • Rural and municipal utility advanced cybersecurity grant and technology assistance program: Under this section, the secretary of energy is directed to establish the "Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program," with a starting budget of $250 million for FY22-26.
  • Enhanced Grid Security: This section creates a program to develop advanced cybersecurity applications and technologies for the energy sector, a program to test emergency response capabilities for the Department of Energy, and a program to increase the functional preservation of electric grid operations or natural gas and oil operations. Altogether, $350 million has been allocated for FY22-26 for the initiatives under this section.
  • Cybersecurity Plan: This section allows the secretary of energy to require that award recipients funded under the bill submit a plan demonstrating their cybersecurity maturity.

State and local governments get $1 billion in cyber grants

The draft version of the infrastructure plan also has several other provisions related to cybersecurity as part of a $47 billion package of "resiliency" efforts to protect infrastructure. These efforts include:

  • $100 million for the Cyber Response and Recovery Fund: Not new to the infrastructure bill, this section allows the DHS director to declare a significant incident following a breach of a public or private network. It also creates a fund that allows CISA to provide direct support to organizations as they respond to and recover from significant cyberattacks and breaches. Funding is $20 million per year for five years.
  • The State, Local, Tribal, and Territorial (SLTT) Grant Program: A new authorization with a total of $1 billion allocated over four years, this establishes a new cybersecurity assistance grant program for SLTT entities administered by FEMA with CISA as a subject matter expert.
  • DHS Science and Technology Directorate for Research and Development grants: This section includes $157.5 million in support over five years for specific research areas related to risk assessments and cybersecurity vulnerability testing, as well as positioning, navigation, and timing capabilities.
  • CISA Sector Risk Management: This section provides a one-time, $135 million investment for CISA to establish a capability to oversee and execute cross-sector government critical infrastructure to support CISA's national cross-sector coordination role.
  • Office of the National Cyber Director: This section gives $21 million in FY 22 to the newly created Office of the National Cyber Director because the office does not currently have appropriated funds.

Bill poised to pass Congress before August recess

On Wednesday, the Senate voted to move the bill forward by a margin of 67 to 32 in a procedural vote after Republicans reached a deal with the White House and Democrats on the significant issues. A final vote in the Senate could occur any day now. Senate Majority Leader Chuck Schumer (D-NY) said that he expects the infrastructure bill and the concurrent budget resolution to pass before Congress leaves for its August recess.

Copyright © 2021 IDG Communications, Inc.
