People pass a water treatment plant and electrical power lines on a bike path in Arlington, Virginia on August 13, 2021. ANDREW CABALLERO-REYNOLDS / AFP

New National Cyber Strategy: Raise Defensive Baseline for Critical Infrastructure

The White House wants to get electrical systems, gas pipelines, water treatment plants, and more up to a consistent level of cybersecurity.

Efforts to bring all U.S. critical infrastructure up to a network-security baseline will top the Biden administration’s first National Cybersecurity Strategy, which is expected to be released today. 

“This strategy sets forth a bold new vision for the future of cyberspace and the wider digital ecosystem,” said acting National Cyber Director Kemba Walden during a press call Wednesday. “The president's strategy fundamentally reimagines America's cyber social contract. It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”

The five pillars composing the strategy include defending critical infrastructure, disrupting threat actors, promoting data privacy in technology development, increasing federal investments in cyber research and development, and fostering more international partnerships to promote global cyber defense.

Within the strategy's five priority areas, the largest emphasis was placed on protecting critical infrastructure systems, which have been prime targets for malicious cyber actors. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said that the Biden administration has focused on codifying the minimum cybersecurity mandates for this sector, building atop the emphasis for more private sector partnerships and information sharing.

“The Biden administration's fundamental commitment is that Americans must be able to have confidence that they can rely on critical services, hospitals, gas pipelines, air water services, even if they are being targeted by our adversaries,” she said. 

Harmonizing cybersecurity regulations across each critical infrastructure sector, along with new designations for what qualifies as critical infrastructure, is a key part of the strategy’s bid to improve the U.S. cyber defense posture. A senior administration official at the press briefing said some sectors, such as the electrical grid and nuclear facilities, are more regulated when it comes to implementing cyber protocols. Water management entities, by contrast, currently have fewer cybersecurity mandates to protect their systems.

“There are other sectors where we're looking at similar things and finding ways to close gaps,” the administration official said. 

In the coming months, the Environmental Protection Agency will help launch this endeavor by offering a new interpretation of an existing rule requiring water facility owners and operators to incorporate basic cybersecurity protocols into their sanitation surveys. 

Beyond critical infrastructure security, the strategy will also change how law enforcement handles cybersecurity breaches. 

Neuberger said that part of dismantling organized threat actors will involve treating cybersecurity breaches as national security issues, rather than simply criminal activity. She cited the Federal Bureau of Investigation as a leader in this arena. 

The increased intersection of diplomacy and cybersecurity spurred the Biden administration to prioritize collaborations with “like-minded” nations to help counter cyber threats in the current geopolitical arena. Neuberger cited adversary nations—such as Russia and its war on Ukraine, as well as continued tensions between the U.S. and Iran—as backdrops for an increase in malicious cyber activity. 

“Cyber threats are fundamentally transnational threats; they cross borders,” she said.

The National Cyber Strategy is the latest major regulatory document issued from the new Office of the National Cyber Director, building atop President Joe Biden’s previous executive order that called for more regulations and vigilance surrounding national cybersecurity. 

Matt Hayden, the vice president of General Dynamics Information Technology and former senior advisor to the Director at the Cybersecurity and Infrastructure Security Agency, told Nextgov that while the strategy designates leadership from the federal government, it will also work to safeguard and regulate some private sector entities upon which the American public depends.

“They're going to use existing regulatory options to move the ball on pressuring agencies, and to regulate agencies and organizations in the private sector, to move forward on this safer platform and better controls across the board,” Hayden said. “They are going to use every lever they can pull to get as many private sector organizations that the American people rely on to be more secure from a cyber perspective.”

Walden echoed this, saying that the strategy will look at existing gaps in private industries to help reduce burdens of cybersecurity compliance, such as cost.

“This strategy asks more of industry, but also commits more from the federal government,” Walden said.