CISA Releases Performance Goals for Critical Infrastructure

Measures Are Not Mandatory and Not Comprehensive, Federal Officials Stress
The Biden administration released a long-awaited baseline set of cybersecurity practices for critical infrastructure while stressing their voluntary nature and that the practices constitute a bare minimum necessary for safeguarding systems and networks.
Federal cybersecurity officials have touted the goals as a means of boosting cybersecurity at entities vital to the function of everyday society, particularly at small and medium-sized companies. President Joe Biden signed a July 2021 national security memorandum directing the creation of the goals. The vast majority of critical infrastructure in the United States is owned and operated by a private sector sensitive to the prospect of increased cybersecurity regulation.
As a result, the word "voluntary" was in heavy rotation during the Thursday rollout of the goals by the Department of Homeland Security.
"For months, we’ve been gathering input from our partners across the public and private sectors," said Cybersecurity and Infrastructure Security Agency Director Jen Easterly. Government officials also emphasized that the goals don't constitute a comprehensive cybersecurity program but rather address cybersecurity gaps most easily exploited by threat actors.
Among the newly recommended measures are implementation of multifactor authentication, making sure to revoke the login credentials of former employees, disabling Microsoft Office macros and prohibiting the connection of unauthorized devices, perhaps by disabling AutoRun (see: Public Water Systems at Cybersecurity Risk, Lawmakers Hear).
The document also recommends that the operational technology side have a single leader responsible for cybersecurity and that OT and IT staff work to improve their relationship. Organizations should "sponsor at least one 'pizza party' or equivalent social gathering per year" to be attended by the two cybersecurity teams.
DHS says it will actively solicit feedback about the goals in the coming months and has set up a GitHub discussions page.
The department's next plan is to roll out cybersecurity goals tailored to each sector of critical infrastructure in conjunction with the agencies closest to each sector, such as the Environmental Protection Agency for water systems. Some of the 16 sectors of critical infrastructure identified by the U.S. government already come under cybersecurity regulation. Some of those that aren't already covered by a cybersecurity mandate may come under one soon as the Biden administration looks to apply existing regulatory authorities to cybersecurity.
"Principle number one is: Use what you've got, because you can move fastest in that way," said Anne Neuberger, the White House deputy national security adviser, during a morning event at a Washington think tank.
Regulation isn't necessarily a bad thing, said Chris Inglis, national cyber director. "The word 'regulation,' or 'reporting requirements,' often conjures up in the mind's eye this sense of burden - someone is about to require a burden, bear some penalty, some cost. But we too seldom think about what is the more important feature, which is: What's the benefit?"
The benefit, he said, is properly functioning critical infrastructure. "All of us want to walk over to a light switch and have every confidence when we flick that switch the lights will come on."