In late July 2021, the Biden Administration issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (“Memorandum”).
Through this action, the government will be establishing preliminary cybersecurity performance goals for both government and private industry no later than the end of September 2021.
As White House Press Secretary Jen Psaki noted just prior to the formal announcement, this Memorandum, along with the ICS Cybersecurity Initiative, TSA’s Security Directives, and President Biden’s Executive Order on Improving the Nation’s Cybersecurity that he signed back in May, “all are parts of our focused and aggressive continuing effort to address these significant threats to our nation within that first line of modernizing defense of our cybersecurity — of the administration’s cybersecurity strategy.” See National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems | The White House, Briefing Room Statement issued July 28, 2021.
While the Memorandum is mostly a set of guidelines rather than mandatory steps, the Biden Administration is relying on both the government and private businesses to understand that combating the dangers of cybersecurity attacks is in the collective national interest. The White House also noted that the initiative will address the largely disparate laws and recommendations that currently guide public and commercial entities, which have been a “patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.” See National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems | The White House, Briefing Room Statement issued July 28, 2021.
By September 2022, the Secretary of Homeland Security is charged with issuing sector-specific critical infrastructure cybersecurity performance goals. As with all such initiatives, the administration is constrained by financial limitations, as the Memorandum states that implementation is “subject to the availability of appropriations, where funding assistance may be required to implement control system cybersecurity recommendations.”
Through this Memorandum, the government seeks to establish the Industrial Control Systems Cybersecurity Initiative (“Initiative”) as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.” See Memorandum Section 2. It remains to be seen whether the government and private industry will even agree to new plans to thwart cybersecurity threats, much less implement such a program.
If the Initiative comes to fruition next year, both governmental institutions and private entities may be subject not only to requirements to participate in efforts to combat cybersecurity threats, but also to requirements to report their findings and results. Similar to the May 2021 Executive Order on Improving the Nation’s Cybersecurity, under this latest Memorandum, “[t]he Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.” See Memorandum Section 3. No details are given, however, on what threat information sharing would be required or how this process might be shaped.
While much of the plan is yet to be developed and is extremely broad, the underlying objectives are clear-cut. The July Memorandum states: “[T]here is a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.” See Memorandum Section 4.
Businesses looking for ways to follow the objectives set forth in the Memorandum and further protect their assets against cybersecurity threats should work with information technology experts and consult with experienced counsel who is well versed in this critical area.
By Stewart Banner, Crystal & Giannoni-Crystal, LLC