(Bloomberg) — The Biden administration on Wednesday will release a national security memorandum aimed at improving voluntary cybersecurity standards for companies that provide critical services.
The memorandum directs the Department of Homeland Security and the Treasury Department to create baseline cybersecurity goals for all critical infrastructure sectors. It also establishes an Industrial Control Systems Cybersecurity Initiative, a partnership between the federal government and companies that run industrial control systems.
The idea for the initiative is to provide those essential sectors with new tools and technology to defend against cyberattacks.
Such a partnership was informally started as a pilot program for the electricity sector in April, just weeks before Russian hackers executed a ransomware attack against Colonial Pipeline Co., forcing the company to temporarily shut down the nation’s largest fuel pipeline. Since then, more than 150 power industry utilities have enrolled in the voluntary program, according to a senior administration official, who requested anonymity to discuss the memorandum prior to its release.
The official emphasized that the U.S. government couldn’t protect critical parts of the economy without help from the private sector.
The government is optimistic that compliance with the voluntary guidelines will help companies defend sensitive segments of their computer networks that control industrial operations, the official said.
“The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water and transportation,” said Homeland Security Secretary Alejandro Mayorkas and Secretary of Commerce Gina Raimondo in a joint statement. “The establishment of cybersecurity performance goals marks important progress toward this goal.”
Attacks on industrial controls are particularly dangerous and can lead to contaminated water or food supplies, power shutdowns or even explosions. The U.S. has defined 16 sectors as critical, including dams, energy, critical manufacturing, food and agriculture and water and wastewater systems.
The initiative is also intended to help the U.S. streamline its current patchwork of cybersecurity guidance, standards and regulations that vary by agency and sector, the official said.
President Joe Biden’s memorandum comes a day after members of Congress called for tighter security standards for industrial control security during a Senate Judiciary Committee hearing on ransomware attacks.
Senator Ted Cruz, a Texas Republican, said the president had “responded to an extreme threat with extreme weakness,” while Senator Sheldon Whitehouse, a Democrat from Rhode Island, criticized critical infrastructure companies’ inability to meet “basic standards of cyber hygiene.”
Whitehouse also called on the Biden administration to promptly work with lawmakers to move a bill aimed at creating breach reporting requirements for certain companies. The administration official said the administration remains open to other options, including legislation, that would make critical infrastructure guidelines mandatory.
The White House and the Transportation Security Administration have already moved forward plans to tighten security for oil, fuel and natural gas pipelines, including requirements to improve their reporting and reviews of pipeline security. Additional sectors are also likely to receive similar directives before the end of the year, according to the official.
©2021 Bloomberg L.P.