White House pushes for stronger critical infrastructure security

Securing critical infrastructure requires a "whole-of-nation" effort, government official says

US President Joe Biden has signed a national security memorandum aimed at strengthening cybersecurity for the country's critical infrastructure - like power and water suppliers, public health organisations and transport systems.

The memorandum directs the Departments of Homeland Security and Commerce to develop baseline cybersecurity performance goals for all critical infrastructure sectors. It also establishes an Industrial Control Systems Cybersecurity Initiative: a collaborative effort between the federal government and firms running industrial control systems, to provide the latest tools and technologies to defend against attacks.

The recommendations for private firms are voluntary, but the administration hopes they will encourage companies to improve their cyber defence ahead of other policy efforts.

Such collaborative effort between the government and private firms began informally in April, as a pilot programme for the power sector. Since then, more than 150 power sector utilities have enrolled in the scheme, according to the government.

"The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today," a senior administration official told Reuters.

"We are pursuing all options we have in order to make the rapid progress we need."

The official described the current state of cybersecurity directives for critical infrastructure as "piecemeal" and "patchwork." They added that the federal government cannot undertake the task of protection alone.

"Almost 90 per cent of critical infrastructure is owned and operated by the private sector. Securing it requires a whole-of-nation effort."

In a joint statement, Homeland Security Secretary Alejandro Mayorkas and Secretary of Commerce Gina Raimondo stated, "The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water and transportation.

"The establishment of cybersecurity performance goals marks important progress toward this goal."

The national security memorandum follows a recent spate of ransomware attacks on American entities, hampering services and logistics in the US.

In May, US fuel distributor Colonial Pipeline suffered a massive ransomware attack that crippled fuel delivery in southeastern US states. The shutdown sparked panic, with residents seen lining up at petrol pumps for several hours over fears of fuel shortages.

Last month, Brazil-based JBS, the world's largest meat-packer by sales, also paid $11 million in ransom after a massive attack targeting its computer systems in the US and Australia.

Florida-based IT firm Kaseya also suffered a ransomware attack on 2nd July, suspected to be the work of the Russia-based REvil.

Following the attack, White House press secretary Jen Psaki said that President Biden was considering all options for how to respond to ransomware attacks targeting US organisations.

This month, the US State Department announced a reward of up to $10 million for information that could help identify or locate cyber actors working at the direction of a foreign government and targeting critical infrastructure in the US.

During a Senate Judiciary Committee hearing on Tuesday, members of Congress called for tighter standards for industrial control security. Senator Ted Cruz, a Texas Republican, criticised President Biden for responding to "an extreme threat with extreme weakness" (though this is likely a partisan statement, considering former President Trump's lack of response to any cyber issues during his time in office).

Senator Sheldon Whitehouse said that companies running critical infrastructure had failed to meet "basic standards of cyber hygiene".