WASHINGTON — The Biden administration’s new cyber strategy calling for minimum security standards across multiple economic sectors looks likely to face opposition from some lawmakers and businesses as U.S. officials work to implement the blueprint.
Top Republicans on the House Homeland Security Committee said in a statement that the administration should be seeking partnerships with the private sector rather than punishment. And at least one private cybersecurity expert warned of potential resistance from sectors that already work under federal regulatory requirements.
By including software makers among those that will have a role in cybersecurity, the administration could also be testing the willingness of that industry to weed out participants that don’t provide adequate security. And by speculating about the possibility of federal insurance for attacks, the strategy is raising questions about the potential for big changes in private sector behavior.
The strategy, released last week, said the current practice of allowing sectors including utilities, food and agriculture, health care and others meet voluntary cybersecurity standards had resulted “in inadequate and inconsistent outcomes,” and it prescribed regulations to “level the playing field.”
Reps. Mark E. Green, R-Tenn., the chairman of the House Homeland Security Committee, and Andrew Garbarino, R-N.Y., the chairman of its Cybersecurity and Infrastructure Protection Subcommittee, responded with a statement urging the administration to streamline existing regulations and to favor partnerships rather than punishment in the implementation of the strategy.
“The key to building trust with our private sector partners is employing harmonization across government, rather than encouraging disparate and competing efforts,” Green and Garbarino said. “We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government.”
The administration is making the case that mandated security standards in key sectors are needed after high-profile cyberattacks in late 2020 and 2021 showed voluntary standards aren’t working. An attack on Colonial Pipeline in 2021 shut down supplies of gasoline on the East Coast, and several federal agencies were themselves victims when software supplier SolarWinds was hacked in late 2020.
After the Colonial attack, the administration imposed minimum security standards for operators of pipelines. And similar standards were later extended to airlines and railroads.
The Cybersecurity and Infrastructure Security Agency, or CISA, oversees cybersecurity in the 16 critical sectors that may face new standards. But many of the sectors, including financial services and health care, are overseen by other regulatory bodies, some of which address cybersecurity.
Double regulation jeopardy
The financial services sector, for example, is one where several regulatory agencies already prescribe cybersecurity requirements and more regulation stemming from the new cybersecurity strategy could face resistance, said Marcus Fowler, CEO of Darktrace Federal, part of U.K.-based Darktrace, a global cybersecurity company.
“I think you’re going to run into business interests and other areas that could erode the bipartisan-ness of cybersecurity when you start to touch on a couple of different sectors,” Fowler said. “I think the one that jumps out to me, which is a critical sector but also one that already has a lot of regulation, is financial services.”
White House officials developing and implementing the strategy acknowledged the need to streamline regulations for some sectors already meeting several cyber standards even as other sectors face few rules.
“We have to raise the bar in some places, we have to harmonize in other places to create a level playing field,” Kemba Walden, acting national cyber director, said last week at an event hosted by the Center for Strategic and International Studies.
Rep. Bennie Thompson, D-Miss., ranking member of the House Homeland Security Committee, said requirements are needed.
“As cyberattacks increase in frequency and sophistication, smart, well-harmonized, performance-based security requirements for critical infrastructure could help ensure the critical infrastructure we rely on every day is sufficiently resilient to keep operating in the wake of a compromise,” he said.
Sen. Gary Peters, chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement that he would “closely examine this strategy, quickly consider the parts of it that will require Congressional action.”
Peters, D-Mich., authored legislation that became law in the last Congress that required operators of critical infrastructure to report a cyber attack to federal agencies.
The administration’s cyber strategy also called for shifting liability for insecure software that enables cyberattacks to makers of such software.
“Poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost,” the strategy said. “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security program cannot prevent all vulnerabilities.”
The strategy pointed to software developed by unvetted third parties that is embedded into commonly used programs, potentially allowing hackers to exploit flaws.
Well-established software companies that sell to commercial enterprises “do take security seriously and invest heavily in it,” said Henry Young, policy director at BSA-The Software Alliance, a trade group that represents companies including IBM, Microsoft, Salesforce and others.
“If there is a path that we think will lead to more secure software, I think we’re totally on board,” Young said.
Shifting liability to companies for making software with poor security features may help the industry overall by curbing “fly-by-night operators” who are not interested in long-term market presence, Young said.
The administration also is exploring a federal insurance backstop to aid victims of cyberattacks after “catastrophic cyber events,” the strategy said, adding that officials will consult with lawmakers, state regulators, and the insurance industry on how to design such a backstop.
Devising and implementing such an insurance program would have to work through several questions and could face hurdles, Fowler said.
The questions range from what the threshold would be to trigger a federal insurance response, whether companies would drop their insurance coverage in hopes that the federal government would step in, and whether a separate entity like the Federal Emergency Management Agency would be required, Fowler said.