The United States will expand performance-based cybersecurity requirements in critical infrastructure sectors as part of an updated National Cybersecurity Strategy released today by the White House.
There are already federal cybersecurity requirements in key sectors such as oil and natural gas pipelines, aviation, rail and water systems.
Under the new strategy, the U.S. will use existing authorities to set cybersecurity requirements for others. Where there are gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the administration will work with Congress to close them. Washington will also encourage state or independent regulators to set cybersecurity requirements in their jurisdictions.
Regulations should be performance-based and leverage existing cybersecurity frameworks and voluntary consensus standards, says the strategy.
“All service providers must make reasonable attempts to secure their infrastructure against abuse or other criminal behavior,” the document says in part.
“Too much of the responsibility for cybersecurity has fallen on individual users and small organizations,” the strategy says. “Protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.
“We must hold the stewards of our data accountable for the protection of personal data, drive the development of more secure connected devices, and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities and other risks created by software and digital technologies. We will use federal purchasing power and grant-making to incentivize security. And we will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur.”
While the document cites Russia, Iran, and North Korea as aggressively using advanced cyber capabilities that threaten the U.S., it says China “presents the broadest, most active and most persistent threat to both government and private sector networks.”
Canada’s current strategy
Canada’s latest National Cyber Security Strategy was issued in 2018 with an action plan for implementation up to 2024.
In June 2022, the Liberal government introduced cybersecurity legislation (Bill C-26) toughening oversight of critical infrastructure here. It includes the Critical Cyber Systems Protection Act (CCSPA), which would establish a baseline level of cyber security through a cross-sectoral management-based regulatory scheme applicable to designated operators.
Initially, only four federally-regulated sectors — telecom, financial, interprovincial pipeline and powerline providers, and transportation — would be covered. Other sectors Ottawa has varying degrees of responsibility for — for example, agriculture and manufacturing — could be included later.
This legislation is still in its early stages before the House of Commons.
Pillars of the new U.S. strategy
The new U.S. cyber strategy is based on five pillars:
— defend critical infrastructure;
— disrupt and dismantle threat actors. In part that will be done with the help of the private sector through “disruption activities”, and by addressing ransomware through a comprehensive federal approach and with international partners;
— shape market forces to drive security and resilience, in part by putting more responsibility on IT companies to create more secure products;
— invest in a resilient future, in part by reducing systemic technical vulnerabilities in the foundation of the internet and by developing a diverse and robust national cyber workforce;
— and forge international partnerships, in part by working with allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.
“We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy,” says a fact sheet accompanying the strategy. It will be done by:
- promoting privacy and the security of personal data;
- shifting liability for software products and services to promote secure development practices; and,
- ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
This part of the strategy (shaping market forces) “is likely to be the most controversial,” said Joshua Corman, former chief strategist for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and current VP of cyber safety at Claroty.
The strategy acknowledges market failures, and that voluntary free market forces only get you so far, he said in an email. To protect the public good, the federal government intends to use its existing authorities to regulate and incentivize better cybersecurity and resilience of the nation’s critical infrastructure. Where it lacks sufficient statutory authorities, it intends to ask Congress for new authorities.
Regulations will comprise a mix of economic carrots, sticks, and instruments, Corman noted. “From the importance of software liability (with the promise of crafting safe harbor), to expanding security labels for IoT products, to the continued development of software bills of materials (SBOMs), to insurance backstops, organizations must be incentivized and supported for building secure solutions and products,” he added, “and the consequences of poor cybersecurity must not fall on those most vulnerable.”
Marcus Fowler, CEO of Darktrace Federal, which serves the U.S. critical infrastructure sector, said “it is positive to see the new strategy emphasizes the importance of mandating ‘security by design’ as well as the focus on robust technologies and the creation of a better cyber workforce.”
The real test of the strategy will come in the action that follows, said Craig Burland, CISO of Inversion6. “A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.”