UPDATE: Adds comments by Deputy National Security Advisor Anne Neuberger.

WASHINGTON: The Department of Homeland Security today issued a directive that mandates reporting and other cybersecurity actions for pipeline companies, clearly indicating the federal government’s shift from voluntary to mandatory security actions.

UPDATE BEGINS Today’s pipeline directive is likely just the next in a series of actions to shore up national cybersecurity across the private sector, especially in sectors deemed critical infrastructure.

“I know there are a number of issues being discussed on the Hill,” Deputy National Security Advisor Anne Neuberger said today at a Center for Strategic & International Studies event. “I’ll give an example. In the [recently released cyber] executive order, we require companies doing business with the US government to share [cyber] incidents, and we set the scale for critical incidents. …There’s certainly discussion on the Hill of a broader data breach notification that exceeds just [defense contractors].”

Neuberger added, “We worked to push the authorities to reach as far as possible with an executive order to achieve rapid progress on these urgent issues. That certainly does not replace the critical role of the legislative branch, and what they can accomplish with legislation.” UPDATE ENDS

“The cybersecurity landscape is constantly evolving, and we must adapt to address new and emerging threats,” DHS Secretary Alejandro Mayorkas said in a news release on the pipeline directive. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Today’s directive, released by TSA, which is charged with both the physical security and the cybersecurity of pipelines, requires owners and operators to:

  • Complete a cybersecurity assessment and report results to TSA and CISA within 30 days;
  • Report all “confirmed and potential” cyber incidents to CISA; and
  • Appoint a staff cybersecurity coordinator to be available 24/7 to work with the government on cyber incident response.

TSA is also considering “follow-on mandatory measures,” according to the release.

“It’s pretty clear that voluntary measures that companies take have not yielded a cybersecurity posture that is adequate for the needs of the nation,” Herbert Lin, a cybersecurity expert at Stanford University, told Breaking Defense. “So some mandatory measures are clearly the next step if we want to achieve a more robust cybersecurity posture for the nation. And if those prove inadequate — I suspect they will, because even mandatory measures are negotiated to a certain extent — additional mandatory measures will be needed.”

The new mandates are notable because they apply to companies that are not necessarily defense contractors. Prior to this directive, the government encouraged pipeline cybersecurity assessments, but compliance was voluntary. There were no financial penalties for missed assessments.

The Colonial Pipeline ransomware attack prompted the directive. Colonial reportedly missed a cybersecurity assessment requested by the government last year and was scheduling one when the attack occurred, according to the Wall Street Journal.

The Colonial attack coincided with one of six planned DHS “60-day sprints” focused on shoring up national cybersecurity. DHS’s first sprint, which is still ongoing, focuses on ransomware. In recent speeches, interviews, and congressional testimony, Mayorkas has repeatedly said that “ransomware is a national security threat.”

The pipeline directive also follows the Biden administration’s cybersecurity executive order released earlier this month. That order seeks to use the government’s purchasing power, through acquisition requirements, to encourage defense contractors to share information on cyber incidents. Non-defense contractors are largely unaffected by it.

UPDATE BEGINS “Certainly the next phase of what we look at is the security of critical infrastructure,” Neuberger, the architect of the cyber EO, said today. “You saw it in the pipeline security directive that TSA issued. We worked closely to ensure that that first stage was significant but also follow-on second stages as well in thinking about the security of critical infrastructure.” UPDATE ENDS

Separately, multiple senators and representatives have said they want to compel more public-private cybersecurity information sharing and see consequences imposed for cybersecurity lapses in the private sector.

This spring has seen a flurry of cybersecurity bills introduced in Congress. Just one example is the Pipeline Security Act introduced by Rep. Emanuel Cleaver on May 14, which has garnered 15 cosponsors to date.

“Financial consequences are often the only way to get the attention of the C-suite,” Lin observed. “The only question there is whether they are large enough to get enough attention.”