Earlier this month, United States President-elect Joe Biden announced new additions to his White House National Security Council. The NSC is tasked with advising the president on national security and foreign policy issues, including industrial cybersecurity in the U.S. Biden’s team will include cybersecurity veterans like Caitlin Durkovich, who previously served in the predecessor to the Cybersecurity and Infrastructure Security Agency, and Anne Neuberger, the NSA’s director of cybersecurity.
“The National Security Council plays a critical role in keeping our nation safe and secure. These crisis-tested, deeply experienced public servants will work tirelessly to protect the American people and restore America’s leadership in the world. They will ensure that the needs of working Americans are front and center in our national security policymaking, and our country will be better for it,” Biden said in a statement.
Biden’s appointments demonstrate a renewed focus on cybersecurity issues in the United States. These efforts, combined with the recent SolarWinds attack and soon-to-be-enacted cybersecurity legislation, spell big changes for the U.S. industrial cybersecurity sector.
“In the wake of the recent SolarWinds attack, President-Elect Biden has released a statement emphasizing that cybersecurity will be a ‘top priority’ of the incoming Administration,” Harley Geiger, senior director of public policy for cybersecurity company Rapid7, told Industrial Cyber. “Industry should anticipate continued focus on supply chain, critical infrastructure security, and security of federal acquisitions from both Congress and the Executive. While it is important for security regulations to be done right, industry should embrace the opportunity to raise the bar at a time when attacks on critical infrastructure are not only maturing but catastrophic under the current economic and public health backdrop.”
The United States is still reeling from the SolarWinds attack, which infiltrated 250 federal agencies and businesses, including the Departments of Defense, Energy, Commerce, and State. The federal government has established a group composed of the FBI, CISA, NSA, and the Office of the Director of National Intelligence to coordinate the investigation and remediation of the attack.
“We have learned in recent days of what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities,” Biden said in a statement. “There’s a lot we don’t yet know, but what we do know is a matter of great concern. I have instructed my team to learn as much as we can about this breach, and Vice President-elect Harris and I are grateful to the career public servants who have briefed our team on their findings, and who are working around-the-clock to respond to this attack.”
In the weeks since the attack, Biden has affirmed his commitment to making cybersecurity a priority. As part of that effort, he is tasked with staffing and funding CISA, which is currently struggling to adequately respond to the SolarWinds attacks. According to a report by CNN, the organization lacks the funding “to effectively handle an issue of this magnitude.” Biden has yet to announce his pick to lead CISA; however, former CISA Director Chris Krebs, who was ousted in November, says he would give an appointment “all due consideration.”
“I want to be clear: my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said in the statement. “We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks. But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”
While many await further evidence of how the Biden administration will impact industrial cybersecurity, others are focused on the newly enacted Internet of Things Cybersecurity Improvement Act and how it will impact the U.S. industrial cybersecurity sector. The legislation was unanimously approved by the U.S. House in September, passed by the Senate in November, and signed by President Donald Trump in December.
“The IoT Cybersecurity Improvement Act will impact industrial cybersecurity in a couple ways,” Geiger told Industrial Cyber. “The most direct impact will be on contractors providing information systems to the federal government, which the Act will require to have vulnerability disclosure policies. The Act also applies security requirements for federal acquisition of IoT (including some industrial OT machines), though these requirements will not be proposed until later this year, and may align with existing standards and regulations (such as NERC CIP or the NIST Cybersecurity Framework).”
As IoT devices continue to infiltrate industrial environments, they are expanding the attack surface for critical infrastructure because embedded devices often go unpatched. Attacks that permeate the industrial IoT can cause costly production outages, safety failures resulting in injury or loss of life, and environmental damage.
“The bipartisan Internet of Things Cybersecurity Improvement Act will ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families,” Congresswoman Robin Kelly, co-chair of the House Tech Accountability Caucus, said in a statement.
The IoT Cybersecurity Improvement Act will require NIST to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. It also directs the Office of Management and Budget to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines. The new law will also require any IoT devices purchased by the federal government to comply with those recommendations.
“I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems,” Senator Cory Gardner said in a press release. “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
The act gives Congress the ability to push for robust implementation of both IoT security and vulnerability disclosure. It directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security to publish guidelines on vulnerability disclosure and remediation for federal information systems. It also requires contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with the vendor for remediation.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” Senator Mark Warner said in the release. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell.”