Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

The Feds Are Pushing Harder on Infrastructure Security. States and Localities Need to Pay Attention.

The White House is making it clear: Protecting our critical systems from cyber attacks must involve every level of government as well as the private sector.

The Oldsmar, Fla., water treatment facility was hit by a cyber attack on Feb. 5, 2021. The hacker briefly adjusted the levels of sodium hydroxide released into the water.
(Michael Brantley/ABC Action News)
It’s no overstatement to say that the success of our nation and the safety and security of our society depend upon our array of critical infrastructure. The reliability of our power grid, the global reach of our financial services, the purity of our water and the extraordinary strength of our manufacturing base are the envy of much of the world. Nowhere is this more important and visible than at the state and local levels where businesses produce and consumers consume.

Understandably, government organizations at all levels are increasingly alarmed by the growing number of cybersecurity-related incidents impacting elements of our critical infrastructure. In just the past few months we’ve seen everything from the high-profile Colonial Pipeline ransomware incident and JBS meatpacking plant attack to the more banal Post Rock Rural Water District breach in Kansas and the Oldsmar, Fla., water treatment facility attack.

There is real evidence that both nation-state actors and freelance cyber criminals are running rampant throughout our nation’s infrastructure providers both public and private, disrupting critical services, endangering public health and scooping up sensitive data. Of even greater concern is what kind of time bombs they may be leaving behind for further exploitation down the road.

So it’s encouraging to see a growing level of alarm and attention from the White House, particularly when it emphasizes that infrastructure cybersecurity is by no means only a federal concern. The new National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems states that “Protection of our nation’s critical infrastructure is a responsibility of the government at the federal, state, local, tribal, and territorial levels and of the owners and operators of that infrastructure.”

The memorandum, released two weeks ago and following closely on the heels of a presidential executive order on improving the nation’s cybersecurity, goes on to say that President Biden has established “a voluntary, collaborative effort between the federal government and the critical infrastructure community to significantly improve the cybersecurity” of vital systems. You can read between the lines and extrapolate that “voluntary” means that if the critical-infrastructure community doesn’t step up, the federal government will solve the problem through rule-making, legislation or both.

It’s worthwhile to take a moment to understand the history, and even the definition, of critical infrastructure, which has been an evolving target over the past two decades. When President Clinton issued his administration’s infrastructure-protection directive in 1998, the stated goal was to protect infrastructure from “intentional acts that would significantly diminish the abilities” of the federal government to provide national security and protection of public health and safety; state and local governments to deliver essential services and maintain order; and the private sector to deliver services ensuring “the orderly functioning of the economy.”

The Clinton directive outlined five broad domains of critical infrastructure: banking and finance, energy, transportation, telecommunications and government services. President Obama followed up in 2013 with his own administration’s directive to encourage cooperation between public and private organizations with the ultimate goal of reducing vulnerabilities, identifying and disrupting threats, minimizing consequences, and most importantly, expediting critical infrastructure response and recovery efforts.

The Obama directive defined 16 critical infrastructure sectors, assigning responsibility for each to relevant agencies: chemicals; commercial facilities; communications; critical manufacturing; dams; the defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.

Fast forward to 2021. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency now defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”

This federal broadening and deepening of the focus on critical infrastructure is important to state and local government for two reasons:

● What is voluntary today may not be voluntary tomorrow. The Biden memorandum is another step by the federal government to fill a security void that critical infrastructure businesses in the private sector have historically not been very responsive to. Legislative action is already brewing that would remove the word “voluntary” from initiatives aimed a safeguarding critical infrastructure. Three pieces of legislation — the Energy Emergency Leadership Act, the Enhancing Grid Security through Public-Private Partnerships Act and the Cyber Sense Act — were passed by the House barely a week before the Biden memorandum was issued.

● As the federal government raises the bar on critical infrastructure companies, there will be an urgency by businesses to recover cybersecurity investment costs, which will ultimately fall on the consumer. State public utility commissions and other government regulatory agencies will increasingly find themselves in the unenviable position of deciding how to defend critical infrastructure businesses trying to meet federal cybersecurity regulations through increased investment while at the same time limiting the costs being passed on to ratepayers.

Rod Campbell, CEO of the software intelligence for critical infrastructure company aDolus, notes that the Biden memorandum’s use of “the phrase ‘whole-of-nation effort,’ repeated three times in the press briefing, hinted at an ambitious scope, and I don’t think anyone missed the reference to seeking out ‘additional legal authorities’ if a stick is deemed necessary.” State and local governments, as well as the vendors supplying them, he added, “will need to meet the forthcoming cybersecurity performance goals” and “governing bodies like public utilities commissions should be prepared as well to work under the umbrella of these federal initiatives to get away from the current patchwork approach.”

I’ve said it many times but it bears repeating: In the absence of action by the private sector, especially where the safety and security of Americans are at stake, the federal government doesn't really have an option; it simply must take action to protect society. State and local governments must be prepared as well to leverage their authority in support of both the critical infrastructure community and the citizens those governments serve.

Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.
From Our Partners