Welcome to The Cybersecurity 202! Random thoughts … Are the spiders who built webs between my screen and window really profiting THAT much from the arrangement? If I’m a bug, I have to work extra hard to get into that space, let alone get caught in the web. But all year long, there are the webs.
The Biden national cyber strategy is unlike any before it
Below: The social security numbers of nearly 2,000 high-profile visitors to the Trump White House were exposed on a government website. First:
For the first time, regulation is on the menu of a national cybersecurity strategy
The Biden administration is nearing publication of a national cybersecurity blueprint that for the first time embraces a major role for regulation.
The strategy, which is a sea change from past blueprints, will arrive in the aftermath of a series of major cyberattacks — such as the 2021 Colonial Pipeline ransomware attack, which sparked a fuel panic on the East Coast — that prompted the administration to rethink voluntary measures.
In response, the Biden administration has issued or is in the process of issuing a number of cybersecurity regulations using preexisting executive branch powers, such as requirements for key pipeline operators to develop detailed plans for responding to cybersecurity incidents. Congress, too, passed legislation requiring critical infrastructure owners and operators to disclose to the federal government within 72 hours when they suffer a major cyberattack.
The forthcoming strategy, led by National Cyber Director Chris Inglis’s office in the White House, builds on that approach, according to senior administration officials who spoke on the condition of anonymity because the document is not yet public.
- President Biden is expected to sign the document, which is moving through the final stages of interagency approval involving more than 20 departments and agencies, in the coming weeks.
- My colleague Ellen Nakashima and I wrote a preview Thursday evening of the forthcoming strategy, and I’m sharing some other details and insights here.
“The thrust of it is to say both the administration will continue to use existing authorities where we have those, as well as work with Congress to fill in gaps in regulation,” one official said.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank, said: “It’s a break from the previous strategies, which focused on information sharing and public-private partnership as the solution. … This goes well beyond that. It says things that others have been afraid to say.”
One of the stated goals in a draft copy of the strategy is, “Use Regulation to support National Security and Public Safety.”
- It says that regulation “can level the playing field” to meet the needs of national security, according to two individuals familiar with the draft.
- It also states that “while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes.”
- It even calls for shifting liability “onto those entities that fail to take reasonable precautions to secure their software” while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.
“If ‘tough’ means that we have to be serious about what we want cyberspace to do for us … then it’s time for us to be tough,” Inglis said at a cyber conference hosted by Cipher Brief, a national security analysis site, in September. “If at the end of the day, self-enlightenment and market forces take us [only] so far … then we have to go a little bit further as we have for cars, or airplanes, or drugs and therapeutics.”
After the Colonial Pipeline incident, the White House National Security Council under the direction of deputy national security adviser Anne Neuberger undertook an analysis of the state of regulation for all 16 critical infrastructure sectors.
- Five of them — nuclear power, financial services, large energy generation, chemicals and major defense contractors — had some form of cybersecurity regulations in place, imposed over the years before the Biden administration.
- After the Colonial hack, regulations were imposed on several more: oil and gas pipelines, as well as rail and aviation.
- Soon the Environmental Protection Agency will issue a rule for the water sector, one of the senior officials said. Banking industry regulators, the Securities and Exchange Commission and the Federal Communications Commission also have advanced rules for industries under their purview.
The Neuberger-led analysis found there are five critical sectors of the U.S. economy in which oversight agencies lack authority to issue national-level cyber regulation.
- Those include food and agriculture, government facilities such as election infrastructure and schools, and “critical manufacturing” — including vaccine-makers, pharmaceuticals and mask manufacturers, the official said. That’s where Congress would have to step in to pass legislation granting the relevant federal agency power to regulate, the official said.
- The analysis looked at the companies in each sector for impact on Americans’ lives in the case of a disruption, because shutting down a major electric power generation company affects many more Americans than a small one. So, for instance, only 97 of the largest pipeline companies — those serving 50,000 or more customers or transporting hazardous materials — were covered by last year’s regulation, the official said.
Presidential administrations have for years weighed in on cybersecurity. While the Bill Clinton administration developed some policy on cybersecurity, it didn’t produce a national strategy on the subject.
- The first national strategy was drawn up in the George W. Bush administration by cyber czar Richard Clarke.
- The Obama administration didn’t develop a cyber strategy but tried to get Congress to mandate cybersecurity standards in an effort that the U.S. Chamber of Commerce successfully lobbied against, alongside other industry groups.
- The Trump administration produced a national strategy in 2018 centered on voluntary measures and emphasizing offensive cyber missions.
Another pillar of the Biden strategy focuses on disrupting and dismantling cyberthreats. It’s an explicit continuation of some of the priorities outlined in the 2018 Trump administration cyber strategy, one senior administration official said. But it emphasizes other means of doing so beyond U.S. Cyber Command’s persistent offensive and defensive cyber operations against foreign adversaries, such as law enforcement actions, sanctions and private sector collaboration.
“The point that people have been getting wrong is that there’s some backing away from persistent engagement,” the official said. “There is not.”
The U.S. Chamber of Commerce will be watching the new strategy closely, especially to see how it addresses the subjects of disentangling overlapping regulations, protections for companies that meet baseline security standards and how federal rules interact with state rules.
“The Chamber looks forward to reviewing the strategy with our members,” said Matthew Eggers, vice president of cybersecurity policy for the cyber, space and national security policy division of the business organization. “The Office of the National Cyber Director and the Chamber share a mutual interest in advancing regulatory harmonization, liability protections and federal preemption. Achieving these objectives will help further our goal of transitioning from traditional public-private partnerships to public-private operational collaboration.”
Completion of the strategy could be one of Inglis’s last major moves as national cyber director.
“After five decades of public service, Chris intends to retire in early 2023, and Principal Deputy National Cyber Director Kemba Walden will become Acting National Cyber Director,” said Michael Morris, a spokesperson for the office.
- “The precise timing of his retirement has not yet been fully determined. While we will certainly miss Chris’s leadership, Kemba has the full confidence of the organization and will lead as Acting with deep expertise and passion, just as she has done as the Principal Deputy. ONCD will continue focusing on delivering the Biden-Harris Administration promise of a safe, secure, and equitable cyberspace.”
Lewis, the cybersecurity expert, said it will likely be up to the next administration to address organizational issues in the federal government that put cyber responsibilities in the hands of several different agencies. And Congress has a role to play, too, although with Republicans set to take over the House, any push for additional regulatory powers could face hurdles.
“That’s what you need to make this strategy work,” he said of the federal bureaucracy consolidation. “The other part is there’s bits in here that really require Congress to get its act together. Modernizing federal systems, digital identity, workforce — there’s only so much the executive branch can do. And we’ll see if Congress is up to the task. My bet is that next year, you’re not going to see a lot of progress.”
Social Security numbers of Trump allies posted in Jan. 6 committee documents
The Government Publishing Office (GPO) appeared to publish the spreadsheet with nearly 2,000 Social Security numbers sometime this week. The numbers belonged to high-profile Trump allies, Republican governors and members of Trump’s cabinet, Aaron Schaffer and Patrick Marley report. The GPO removed the spreadsheet on Wednesday, shortly after The Post notified it of the existence of the numbers. The agency has since re-uploaded the spreadsheet with the Social Security numbers redacted.
The Social Security numbers were listed in part of the White House visitor logs that listed visitors to the White House at the end of Trump’s presidency. In a Feb. 15, 2022, letter to Archivist of the United States David Ferriero, White House lawyer Dana Remus wrote that the Jan. 6 committee “agreed to accept production of these records with birth dates and social security numbers removed” to “ensure that personal privacy information is not inadvertently disclosed.”
The National Archives appeared to lay some of the blame on the committee. “While we took affirmative steps to redact personally identifiable information (PII), we did not expect that the Committee would publicly release records that still may have contained PII,” the Archives’s public and media communications office said in a statement. A spokesperson for the committee’s chairman, Rep. Bennie G. Thompson (D-Miss.), did not provide comment.
A former committee aide, speaking on the condition of anonymity because they weren’t authorized to speak publicly, said that committee “records released publicly underwent a review process to redact personal details and other sensitive information.”
- U.S. senators speak at CES in Las Vegas at 2 p.m. local time today.
Thanks for reading. See you tomorrow.
Gloss