Background Press Call on Improving Cybersecurity of U.S. Critical Infrastructure
6:02 P.M. EDT
SENIOR ADMINISTRATION OFFICIAL: Thank you. Hey, everyone. Thank you for joining us on a 6:00 p.m. on a Tuesday evening. So, you’re joined by senior administration officials today to give you an embargoed preview of a step we’re announcing tomorrow to protect the cybersecurity of our critical infrastructure. This is embargoed until 9:00 a.m. Eastern tomorrow, Wednesday, July 28.
Just for your awareness and not for reporting, you’re joined by [senior administration official]. I’m going to turn it over to [senior administration official] to kick us off. Thank you.
SENIOR ADMINISTRATION OFFICIAL: Thank you. Good evening, everyone. It’s good to be here with you today.
So, I’ll walk you through an update on our efforts to protect U.S. critical infrastructure from the growing, persistent, and sophisticated threats, and talk about the specific effort we will be rolling out tomorrow.
So, first, just to kind of put in context the administration’s overall approach to cybersecurity, as I’ve talked about in the past, our approach to addressing cyber threats have three lines of effort.
First: Modernizing our defenses. Modernizing national defenses, federal government, state and local government critical infrastructure, incentives to the broader private sector, so that they’re modern enough to meet the threat.
Second: Rebuilding our presence on the international stage. The work we’re doing to build coalitions — for example, to counter ransomware. The outreach we’re doing, you saw in the G7, where we brought countries together — the recent attribution of the Hafnium incident, MSS, with a very large number of countries joining us. We’re really putting a focus on collective defense and on moving out together with other countries.
And, then, finally: Ensuring the nation is postured to compete. And that deals with ensuring we have all instruments of national power needed and the policies to enable their use as needed.
So, today, I will preview a rollout we have tomorrow that further advances our efforts in the first category to modernize the nation’s defenses, specifically by defending critical infrastructure.
So, those of you who have reported on critical infrastructure know that federal cybersecurity regulation in the U.S. is sectoral. We have a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.
So, our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.
Responsible critical infrastructure owners and operators should be following voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.
So, here is the new information:
Tomorrow morning, the President will sign a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems,” which addresses cybersecurity for critical infrastructure and implements long-overdue efforts to meet the threats we face.
So, the National Security Memorandum will direct the Department of Homeland Security’s CISA and the Department of Commerce’s NIST, in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure.
Second, it’ll formally establish the President’s Industrial Control System Cybersecurity Initiative. As you recall, the ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.
You’ll recall we launched the initiative in mid-April with an Electricity Subsector pilot, and already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies. These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network. The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.
So this a public-private initiative effort with a focus to roll out these very specific technologies voluntarily, by the private sector, in close cooperation to really ensure we get those protections in place within the voluntary model that is in place for our cybersecurity for critical infrastructure today.
The point we want to make is: The federal government cannot do this alone. Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part. These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them. We can’t stress it enough that they owe that to the Americans that they serve for these critical services to have more resilience.
And as we’ve said, we’re exploring everything we can do to mandate strengthening of cybersecurity standards. You saw, last week, DHS’s Transportation Security Administration announced the second Security Directive for critical pipeline owners and operators. It will require owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections, including implementing specific mitigation measures to protect against ransomware attacks and other known threats, IT and OT, within prescribed timeframes; developing and implementing a cybersecurity contingency and recovery plan; conducting an annual cybersecurity architecture design review.
So, again, the federal government can’t do this alone, and securing our critical infrastructure requires a whole-of-nation effort. This National Security Memorandum, the ICS Cybersecurity Initiative, TSA’s Security Directives, and foundationally, the President’s Executive Order on Improving the Nation’s Cybersecurity that he signed back in May all are parts of our focused and aggressive continuing effort to address these significant threats to our nation within that first line of modernizing defense of our cybersecurity — of the administration’s cybersecurity strategy.
So, with that, I’ll pause, and I’m really looking forward to hearing your questions.
Q Hi. Thanks so much for doing this. So you said you’re exploring ways to mandate cyber protections for critical infrastructure. Do you think that the federal government does not have sufficient authorities right now? And do you need Congress to do something to give you those authorities to expand protections into sectors that don’t currently have it?
SENIOR ADMINISTRATION OFFICIAL: So, we have a patchwork of sector-specific statutes today that really have been adapted piecemeal. And we feel that the administration — the government’s responsibility is to feel confident that critical services that the American public rely on have the modernized defenses to ensure that they can continue to deliver the critical services they do. And the current patchwork of sector-specific statutes does not enable us to say we have confidence that there is cybersecurity thresholds in place with regard to practices and with regard to technology, governance, and practices. That is something that will likely require the Hill to partner with us to address.
But we’re just beginning, you know, the first steps, and the first step is really articulating that today’s patchwork of sector-specific approaches, state-level approaches, certainly is not enabling us to meet the threat.
And I just — I’ll expand on that for a moment because I suspect many of you have that question.
So essentially today, you know, there’s no strategic, coordinated requirement for the cybersecurity of critical infrastructure. To the extent, as I noted, there are mandatory cybersecurity requirements. They’re either sector specific — finance and chemical; they’re mandated under state or local law, like electricity ones; or they’re limited and piecemeal — water and bulk electricity are two that we’ve put a lot of work into studying in the last few weeks.
So, short of legislation, there isn’t a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we face.
Q Hi, thank you so much for doing this. I’m curious, to the extent that these industries and sectors are aware that something might be coming from the administration, what sort of response and reaction have you gotten to the collaboration and the notion that they should be strengthening their defense along the lines of what the administration envisions? Do you anticipate any sort of pushback?
SENIOR ADMINISTRATION OFFICIAL: That’s a really good question, Eric. Thank you for it. So, a big part of our approach has been actively engaging the private sector in new and innovative ways.
So, the President’s Industrial Control System Cybersecurity Initiative is a great example where, you know, we have the Department of Energy work very closely with the electricity subsector ISAC and identify the most critical utilities — those that serve the largest number of Americans, et cetera.
And then we kicked off the pilot effort that saw, as I mentioned, over 150 electricity utilities and almost 90 million customers, you know, agreeing to deploy or having already deployed control system cybersecurity technologies.
In addition to that, we brought in a number of CEOs of utilities and pipelines to brief them on the threats so that they had the same information we had regarding the sense of urgency we feel to address the cybersecurity threat.
So, I think what we’re seeing — and I think — the final thing I would say is, in the executive order, as you saw, we really ate our own dog food in that the federal government said, “We’re going to roll out these five critical cybersecurity technologies, and we’re going to do it on a rapid timeframe.” Encryption rolled out, for example, within six months.
So I think we’re showing a willingness to do the work we need to do, and I think we’re showing a willingness to share information in new ways, come up with voluntary ways, but also making clear that given the criticality of the threat, we need to move with urgency and we need to look at all options — voluntary and mandatory — to achieve the rapid progress we need.
Q Hey. I want to ask about, kind of, how you see this specific announcement having an impact, because I (inaudible) to understand it — I might be getting this wrong: Largely, this is an announcement about a voluntary public-private initiative, but it’s also kind of a larger commentary on where things are now from a standards and regulatory standpoint.
So is the idea in making this announcement to signal to these sectors that regulation could be on the way and so it’s best to start moving now in terms of their defenses? Or like — I’m trying to understand exactly what the purpose is, as far as your message.
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So, first, it’s the President. It’s the President using his position to say: Cybersecurity is a focus; we must move with urgency; the federal government cannot do this alone. You know, almost 90 percent of critical infrastructure in the U.S. is owned and operated by the private sector. And securing critical infrastructure needs a whole-of-nation effort.
So the first piece it says is: We are going to do our part by outlining performance controls that cover all critical infrastructure, that say these are the thresholds that we expect responsible owners and operators to go, and start moving there voluntarily, because that is the threshold that we as a government expect our private-sector owners and operators to meet.
And clearly, you know, we’re saying, as well, that the absence of a strategic, coordinated requirement to the cybersecurity of critical infrastructure and the absence of mandated cybersecurity requirements for critical infrastructure is what, in many ways, has brought us to the level of vulnerability we have today.
We’re committed to addressing it. We’re starting with voluntary, as much as we can, because we want to do this in full partnership. And — but we’re also pursuing all options we have in order to make the rapid progress we need.
Q Evening. Thank you for doing this. So, at the end of the Bush administration — not to, you know, date me going through briefings like this — there was a fairly similar discussion about public-private issues. And then, of course, in Congress, during the Obama administration, there was the failure of a cyber bill that was opposed, not merely on cybersecurity, obviously, but that would have sort of more mandated public-private elements. And then, in the Trump administration, there was the bulk-power order that came out, I think, just last year.
So, my broader question to you is: What makes this effort different from the last three administrations trying to grapple with it, other than its comprehensiveness?
And then, specifically, can you tell us: Does the bulk-power order that that President Trump signed still exist? Did you learn from that, that it actually made any difference? Because that sounds to me like the closest experiment in this.
SENIOR ADMINISTRATION OFFICIAL: So, thank you, David. Why is this night different from any other night? Well done.
I would say you are exactly right. You know, there have been multiple prior efforts to address — let’s — taking a step back — you know, multiple administrations have recognized that there are no mandated authorities to mandate cybersecurity requirements for critical infrastructure, and they’ve done their best within that.
You know, I know, in my own career, I’ve led multiple public-private partnership efforts — right? — to try to do the kinds of things to get the sector to move. And there are various reasons why not: Sometimes it’s costly. Sometimes these sectors are regulated. So, unless public utilities commissions approve rate increases, they feel their costs aren’t recoverable.
And I think that’s why, you know, we’ve tried a number of things here.
I mentioned the ICS Initiative because that was where we really took a very innovative approach of identifying the most critical companies; engaging key leaders in the sector to help us; using the ISAC to bring companies together — you know, having this regular rhythm of weekly check-ins to really drive that progress.
But we’re also saying — so that — so this NSM and the fact that it’s, you know, being announced by the President, in the context of TSA’s recent mandates that they occurred; in the context of our openly saying that we really are committed to addressing the limited and piecemeal regulation; in the context of the current environment where the threat is known and seen by critical infrastructure owners and private sectors.
You know, you look at Colonial Pipeline, you look at the JBS Foods, you look at Kaseya — there’s now a different threat. The threats that many people have talked about have become real. So, we believe these goals will be viewed differently, and we believe that we’re making clear that critical infrastructure should adopt these measures. The President is essentially saying, “We expect responsible owners and operators to meet these performance goals. We will look to you to implement this.”
And, you know, we’re also going to be looking at all options, including working with the Congress to ensure that we can have the confidence we need to — that these critical services are protected for the American people.
Q Hi. Hey, there. Thanks for doing this. So, like, along the lines of “all possible options,” we all know the vast majority of ransomware attacks exploit vulnerabilities that have already been published in the National Vulnerability Database, and the issue is that operators haven’t implemented a patch.
And I think in a lot of cases, certainly the cases of — not necessarily critical infrastructure providers, but some infrastructure providers, like schools and hospitals, and possibly some critical infrastructure providers, they would say the reason they can’t implement the patches is because they can’t get the new operating system; they can’t get the new operating system because they don’t have the new hardware, and they need money.
So, is there any efforts — is there any appetite to possibly award funds or grants for new IT modernization equipment to help some providers to meet these goals?
SENIOR ADMINISTRATION OFFICIAL: That’s a really good question — right? — because the goals — the cybersecurity performance goals are goals that they drive adoption — right? — of effective practices and control. And one great one could be critical patch — you know, critical vulnerabilities. Those with the higher CVE scores, you know, are patched within some set time period quickly, because of the risk there.
So, you know, some of what we’ve been looking at is, for example — and I love your question — is for some regulated sectors: you know, public utility commissions, other entities. Who sets those rates so that they can recover costs? And, you know, similarly, FERC and some of the regulators — bringing them in, sharing the information regarding the threats, helping them understand so they’re a part of the story.
So, we’ve been investing a lot of time in understanding the incentives and understanding the barriers and looking at what can be done across grants, across potential tax credits, across, potentially, you know, performance incentive mechanisms. Cyber insurance is a really interesting mechanism as well.
So, each of those things we’re looking at and exploring — no announcements yet — but to really understand, you know, how to accelerate voluntary adoption.
Q Hi. Thanks so much for doing this tonight. I apologize for asking something that’s not directly on topic, but we did hear from the President today on a number of cyber issues, and he made some pretty strong comments about Russia and how they’re already interfering in the 2020 — 2022 Midterm Elections. He called it “a clear violation of sovereignty.” So I wanted to ask you to expand on that, if you could, in what you’re seeing in terms of these Russian tactics for 2022 — what they’re doing, what response there has been, where that and what channels that response has been given.
SENIOR ADMINISTRATION OFFICIAL: Thanks, Alex. I’m not prepared to speak more to that issue this evening, but we’ll be happy to at some point. I’m not prepared to speak to that more in detail.
OPERATOR: I’m now happy to turn it back to [senior administration official] for any closing remarks.
SENIOR ADMINISTRATION OFFICIAL: Thank you. Thanks, everyone, for joining us today. Just a reminder that this call is embargoed until tomorrow, Wednesday, July 28th, until 9:00 a.m. Eastern.
If you have any other questions or follow-ups, please feel free to reach out. Thank you for your time.
6:20 P.M. EDT