President Joe Biden assumed office in January 2021 amid an unquestionably challenging environment for cyberthreats. A month earlier, a cybersecurity researcher from Google subsidiary Mandiant discovered an exploited vulnerability in network management software developed by SolarWinds. Over the next several weeks, a series of high-profile ransomware attacks breached a range of companies, including natural gas provider Colonial Pipeline, meatpacker JBS Foods and IT software maker Kaseya. Meanwhile, the world was confronting the scale of the intrusion, as the blame fell on Russian threat actors. The events colored the new administration's priorities and programs of work, which the U.S. Chamber of Commerce has organized into three categories.
Priority 1: Raising baseline cybersecurity requirements for critical infrastructure
From the first security directives issued by the Transportation Security Administration to the “More Than a Password” information campaign developed by CISA (Cybersecurity & Infrastructure Security Agency) to open letters to the business community, the administration's first cybersecurity priority has been to leverage both voluntary measures and regulations to raise the baseline requirements protecting critical infrastructure.
Why this matters
The Biden administration expects organizations of all sizes to increase their cybersecurity and risk management investments.
Applicability
The administration has taken a sector-by-sector approach to review each of the 16 infrastructure sectors designated vital to the United States under the USA Patriot Act, the Homeland Security Act of 2002, and Presidential Policy Directive 21—all measures enacted to bolster security for the country’s physical and digital infrastructure.
What does good look like?
Governments are increasingly using standards-based compliance to set their minimum expectations. The U.S. Chamber recommends that organizations use the Cybersecurity Framework developed by NIST (National Institute of Standards and Technology) to guide risk management, and that they conform with the ISO/IEC 2700X series, developed jointly by the International Organization for Standardization and the International Electrotechnical Commission, as well as NIST’s SP 800-53 and SP 800-171 standards.
Priority 2: Securing the software supply chain and driving security by design
Second only to attacks that abuse legitimate, credentialed access, supply chain threats and attacks are among organizations’ top cybersecurity risks.
Administration action: The Biden administration published the definitive policy directive for software supply chain security, Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021.
Why it matters
EO 14028 sets forth roughly 60 action items related to supply chain security, including these minimum elements: a software bill of materials, guidelines for software supply chains and updates to regulations for contractors.
Applicability
Acting through the Federal Acquisition Regulatory (FAR) Council, the Biden administration will require new software security and incident reporting by nearly all federal contractors.
Priority 3: Enhancing the government's visibility of cybersecurity incidents
The United States, the European Union and other governments around the world have promoted initiatives to close the visibility gap between government agencies and cyberattack victims. The U.S. Chamber has also promoted global principles to guide policymakers who are considering the establishment of business incident reporting requirements.
Why does disclosure matter?
The first of two theories contends that public disclosure of material cyber incidents will prompt prioritization and longer-term investment by organizations at the executive level. The second theory holds that government agencies are blind to the heightened threat environment, and that only enhanced visibility will ensure that they:
- Better understand national risk.
- Prioritize resources for the most at-risk entities.
- Tailor improved mitigation for victims.
Cost versus cyber risk reduction?
CISA recently estimated that implementing its CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) rules will cost CISA and the industry $2.6 billion over 11 years of implementation. Will the tidal wave of incident reports actually result in risk reduction? Despite policymakers’ best intentions, probably not—at least in the near term. However, there may be incremental reductions in cyber incidents and breaches on a yearly basis.
For more information, contact Vince Voci (vvoci@uschamber.com), vice president for cyber policy and operations at the U.S. Chamber of Commerce.