The memorandum is intended to address what a senior administration official described Tuesday evening as the nation’s “woefully insufficient” cybersecurity posture; it also comes less than 24 hours after Biden stated that a cyberattack could someday lead to a “real shooting war.”
“I think it’s more than likely we’re going to end up, if we end up in a war — a real shooting war with a major power — it’s going to be as a consequence of a cyber breach of great consequence, and it’s increasing exponentially,” the president said Tuesday during a visit to the Office of the Director of National Intelligence.
The national security memorandum will, among other things, attempt to provide coherence to what is currently a “patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention,” according to the senior administration official. The executive branch is limited in its authority to mandate long-term cyber requirements on the private sector.
The memorandum specifically addresses industrial control systems (ICS), which monitor, regulate, and automate operational technology (OT), the category of hardware and software that controls physical infrastructure components such as circuit breakers, motors, and valves. OT is prevalent throughout critical infrastructure environments, from power grids and telecommunications networks to manufacturing plants, public transportation systems, and energy pipelines.
Compromised ICS/OT can allow attackers, in some cases, to cause physical damage to systems and even widespread outages. Probably the most well-known example is Stuxnet, discovered in 2010. Stuxnet targeted the ICS controlling centrifuges in Iran’s Natanz nuclear enrichment facility, ultimately destroying the centrifuges and setting Iran’s nuclear program back several years. Stuxnet is widely believed to have been a US-Israeli collaboration, but neither government has ever acknowledged its involvement.
The ransomware attack on Colonial Pipeline in May illustrates a tricky problem: the convergence of traditional information technology and ICS/OT networks. In the Colonial Pipeline incident, the company preemptively shut down the pipeline’s ICS/OT network to prevent attackers from traversing the IT network into the ICS network that controls pipeline operations, which could have enabled physical damage to the pipeline. The ransomware did not target Colonial’s ICS/OT network directly, but the ICS network shutdown resulted in widespread fuel shortages up and down the East Coast that lasted for days.
ICS/OT cyberattacks have also become an increasing concern for the Pentagon, whose bases both domestic and abroad are supported by potentially vulnerable networks. While the memo is not targeted at DoD, the infrastructure required to support a military base, such as power and water, often comes from public utilities that have proven to be easy targets for threat actors. Pentagon planners have acknowledged fears of situations where planes can’t scramble because the doors to their hangars are locked, or where American troops are poisoned by hacked water supplies.
The memorandum will address ICS/OT security, in part, through “cyber performance goals” that the administration hopes critical infrastructure owners and operators will voluntarily adopt. Homeland Security’s cyber lead, the Cybersecurity and Infrastructure Security Agency, and the National Institute of Standards and Technology will develop the performance goals.
Approximately 80 percent to 90 percent of what the government deems to be critical infrastructure is owned and operated by the US private sector. This complicates the government’s attempts to secure it, because private entities have historically been reluctant to allow state authorities to monitor or proactively intervene on their networks. For this reason, the senior administration official said, securing critical infrastructure requires a “whole-of-nation” approach, noting “The federal government can’t do this alone.”
Another complicating factor is the perceived dearth of timely cyber information sharing among private sector entities and the government. Sen. Mark Warner, D-VA, and a host of others last week introduced bipartisan legislation that will, if passed, require critical infrastructure owners and operators to report to the government any breach that “poses a national threat” within 24 hours of its discovery.
Due to the executive branch’s limited authority to impose long-term cybersecurity mandates on the private sector, the memorandum is meant to spur voluntary actions. Permanent mandates would need to be passed by Congress. Still, the official said, the administration is “exploring everything we can do to mandate [cyber] standards,” pointing as an example to a new round of pipeline cybersecurity rules issued by the Transportation Security Administration last week.
The memorandum is just the latest effort by the administration to shore up national cybersecurity following a slew of high-profile cyberattacks over the past two years, including Colonial Pipeline, SolarWinds, and the Microsoft Exchange server hacks, the latter of which the government formally attributed to China on July 19.
The memorandum follows, among other administration actions, a May cybersecurity executive order, DHS’s March launch of a 60-day ransomware “sprint” (during which Colonial Pipeline occurred), and the Department of Energy’s April launch of an initiative aimed at cybersecurity in the power utility sector.
The memorandum also follows warnings from other government entities, such as the National Security Agency’s call in April to review OT security. The NSA issued that advisory a week before the Colonial Pipeline hack began.
The senior official said the memorandum fits within the administration’s three-pronged approach to improving national cybersecurity. That approach includes modernizing cyber defenses, developing cyber-specific policies and government resources, and building international coalitions to confront nations and criminals that carry out cyberattacks. The memorandum is meant to directly address the first prong of the administration’s strategy, modernizing cyber defenses, the senior official said.
“I think we’re showing the willingness to do the work we need to do,” the administration official said Tuesday evening, “and I think we’re showing a willingness to share information in new ways, [to] come up with voluntary ways, but we also make it clear that, given the criticality of the threat, we need to move with urgency, and we need to look at all options — voluntary and mandatory — to achieve the rapid progress we need.”