The Biden administration’s sustained focus on strengthening the cybersecurity of critical infrastructure is a sign that more regulatory action may soon follow, attorneys say.
The White House and a core group of federal agencies have continued to release updated cybersecurity guidance and requirements geared toward better protecting private companies in the most vulnerable sectors. The chemical sector is the latest focus, with the administration advancing its “Chemical Action Plan” in an October statement.
Threats to the nation’s 16 critical infrastructure sectors identified by the US Cybersecurity and Infrastructure Security Agency—such as health care and energy—have risen as foreign nations seek to disrupt key services in the US. The government’s response is elevating the standard of care that private companies working in infrastructure sectors should meet, according to attorneys practicing in cybersecurity and compliance.
While most of the guidance released so far has been nonbinding, attorneys said they expect the government to eventually shift more toward issuing regulations backed up by enforcement actions.
“I’m sure the Biden administration would love to have certain legislation passed for some of the requirements or aspirations or goals, but in the interim it’s creating a climate where they can choose how to enforce, how much to enforce,” said Marcus Christian, a partner at Mayer Brown LLP who practices in cybersecurity and compliance.
The White House has thrown its weight behind efforts to boost cyber defenses in four critical infrastructure sectors so far, with plans to address two more in the immediate future and eventually, all 16 sectors.
A Roadmap to Regulation
Spurred by a 2021 White House memorandum, the Department of Homeland Security released voluntary cybersecurity performance goals for all critical infrastructure sectors in October, which attorneys say established a new industry baseline.
Until more prescriptive requirements are released, the nonbinding-goals strategy allows private companies flexibility in identifying which cybersecurity measures are worth devoting resources to, Christian said. But the new guidance also raises the perceived security standard companies are held to, he said.
“I certainly think that you will find complaints and lawsuits that will make reference to higher bars of volunteer standards and all kinds of different authorities indicating certain requirements or pseudo requirements or quasi requirements for cybersecurity,” Christian said, adding that the merit of those arguments would have to play out in court.
Voluntary security standards often become mandatory years later, said Arjun Prasad Ramadevanahalli, an associate at Morgan, Lewis & Bockius LLP who advises clients in the energy sector on cybersecurity compliance.
“We recently saw that with the pipeline industry, and the way that evolution started, right, was sort of a mixed patchwork of industry-established standards and guidelines from the federal government that were completely voluntary,” Ramadevanahalli said.
Government audits and other enforcement of pipeline cybersecurity standards developed slowly until the 2021 ransomware attack on Colonial Pipeline Co. caused a shutdown that affected the East Coast for days. The cyberattack pushed the Transportation Security Administration to issue new cyber requirements. A similar evolution is now playing out across the other critical infrastructure sectors, Ramadevanahalli said.
The Biden administration’s current strategy on establishing cybersecurity best practices without overwhelming regulation is especially helpful to less cyber-mature infrastructure sectors like water and wastewater systems, which need more time to get outdated technology up to speed, according to Marcus Fowler, the CEO of Darktrace Federal. His company provides cybersecurity artificial intelligence services to companies operating in all 16 critical sectors, Fowler said.
Several cybersecurity enforcement actions are already queued up to go into effect in the years ahead, including a rule from CISA that will require infrastructure companies to report cyber incidents within 72 hours.
Heightened focus on cybersecurity is already changing the legal landscape for infrastructure companies that have contracts with third-party service providers, particularly for firms in sectors facing updated mandatory requirements.
“Part of the changing landscape for those companies that may be critical infrastructure and otherwise is that more and more, they’re being called upon to be accountable for the cybersecurity not only of their companies but also their vendors and their vendors’ vendors,” Christian of Mayer Brown said.
Companies want to avoid government enforcement or investigation and have sought to lower that risk by holding their vendors to the same standards the government is introducing, said Lawrence “Chip” Muir, a partner at Dunlap Bennett & Ludwig PLLC who focuses on government regulation and contracting.
Muir said infrastructure companies are adding provisions to their vendor contracts that increase scrutiny of how and where third parties store data and who can access it. Safeguards like cyber insurance and liability clauses, both becoming increasingly common, can help protect the infrastructure company if a vendor is at fault for a cyber breach, he said.
“The nice thing about that is that it articulates what you’re expecting of your partners, so that they can actually demonstrate the compliance,” Muir said. “It’s a way to act as a monitor in actual compliance, which should make safety overall much stronger in the environment.”
Vendors working with the federal government are already facing cybersecurity mandates in response to the 2020 SolarWinds breach, in which hackers compromised systems in nine federal agencies via third-party software. Federal contractors must now self-attest or obtain a third-party assessment guaranteeing their compliance with government cybersecurity requirements
Even in sectors that are not yet subject to updated mandatory controls, new cybersecurity guidance means “there definitely will be an expectation” that vendors start adhering to a new baseline, Ramadevanahalli of Morgan Lewis said.
Private infrastructure companies hoping to minimize risk should take a proactive approach to updating contractual cybersecurity agreements while the regulatory landscape is still fairly forgiving, Muir said.
“Start getting proactive, start reviewing those documents, start thinking about what’s in the realm of possible that you can do to have a more responsible and compliant ecosystem for your clients,” Muir said.