The spate of recent ransomware attacks and other cyber-attacks shows that the private sector generally isn’t doing enough to protect its networks and that it’s time for the government to consider imposing security standards or regulations on the nation’s organizations that operate critical infrastructures, two top Biden administration nominees told a Senate panel on Thursday.
Jen Easterly, President Joe Biden’s nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, said that she doesn’t have a comprehensive view of how the private sector is implementing cybersecurity standards, whether through regulation or voluntarily.
During her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee, Easterly was asked by Sen. Josh Hawley (R-Mo.) about industry accountability in investing in their cyber defenses and whether the government needs to require companies in critical infrastructures to meet certain standards. Hawley singled out Colonial Pipeline, the victim of a recent high-profile ransomware attack, whose CEO Joseph Blount testified before the committee on Tuesday.
“I don’t have a sense across the board in terms of accountability,” Easterly answered. “I currently work in the financial services sector and I think there is strong accountability there because of our regulatory framework but I do think accountability is incredibly important for cybersecurity standards across the board.”
Easterly, an Army intelligence and cyber operations veteran and the top cyber defender at Morgan Stanley [MS], replied to the second question from Hawley about standards that “I don’t have a sense across the board but it seems to me that voluntary standards are probably not getting the job done and that there probably is some sort of role for making some of these standards mandatory to include notification.”
Regarding incident notification, Easterly said that if a company in a critical infrastructure sector of the economy is the victim of “a significant cyber incident,” the company should “have to notify the federal government, in particular CISA,” so that the agency can warn other companies.
CISA’s current work with the private sector is voluntary. The agency has responsibilities to protect and defend against cyber threats to federal civilian agencies, but when it comes to companies, CISA can only offer its help and resources. On Wednesday, Colonial Pipeline’s Blount said his company is working with three cybersecurity firms to help with the response and recovery to the May 7 ransomware attack, which led the pipeline operator to temporarily shut down operations, leading to fuel shortages in many areas of the Eastern U.S.
Given the hiring of three private sector cybersecurity companies, Blount told the House Homeland Security Committee that Colonial Pipeline didn’t need CISA’s help.
Chris Inglis, Biden’s nominee to the new position of National Cyber Director (NCD) within the White House, also testified alongside Easterly. He told Hawley that regulations need to be looked at because “enlightened self-interest” and market forces aren’t working.
That leaves “some imposition of standards or regulation on top of that,” Inglis said, noting that there have been some moves in that direction.
The Transportation Security Administration, which has authorities to secure pipelines, in May directed owners and operators of critical pipelines to report cybersecurity incidents, review their current plans and assess security gaps. The Biden administration also recently issued an executive order that in part will leverage the buying power of the federal government to strengthen the cybersecurity of software that departments and agencies purchase.
Inglis said that if he is confirmed as the NCD, he’ll work with Congress and across the federal government to examine the issue of mandatory cybersecurity standards for critical infrastructures.
“It remains to be seen how we can achieve kind of the full flowering of the innovation that we still need in the private sector while imposing an expectation and standards that go with that to ensure that those critical services can and will be delivered even under duress,” Inglis said. “I’m a big fan of market forces as the primary way to essentially drive the economy but we have to kind of examine that.”
Inglis is a visiting professor of cyber studies at the U.S. Naval Academy and a former deputy director of the National Security Agency.
Congress a decade ago examined the issue of imposing cybersecurity regulations on industry but ultimately decided against that approach in favor of market forces. The government did work with the private sector on a cybersecurity framework for any organization to voluntarily adopt that included standards, best practices and guidelines.
Now, there is increasing interest within Congress and even among some in the private sector to begin mandating cybersecurity standards and federal breach notification laws given the continued onslaught of cyber-attacks against government and private sector entities.