Top Biden administration officials on Thursday outlined steps taken to confront the increase in cyber threats against the nation, including through strengthening key critical infrastructure groups.
National Cyber Director Chris Inglis detailed these steps in both a strategic intent document issued by the White House and an op-ed in The Wall Street Journal, prioritizing issues including enhancing federal cybersecurity efforts, improving public-private coordination and shoring up resources and resilience to face cyber threats.
Inglis also spoke about the strategic intent document during an event at the Center for Strategic and International Studies (CSIS).
“It’s really a statement of what we intend to be held accountable for, contributions we intend to make that complement what the National Security Council does, what the Office of Management and Budget does, the sector risk management agencies, and so on and so forth,” Inglis said Thursday.
Inglis is the first national cyber director. The role was created by last year’s annual National Defense Authorization Act over two years after the previous White House cybersecurity coordinator position was eliminated under the Trump administration.
Inglis was unanimously confirmed by the Senate to the office in June. His confirmation came on the heels of a difficult year in cyberattacks that included the SolarWinds hack and ransomware attacks on groups including Colonial Pipeline and meat producer JBS USA.
The strategic intent document underlined the urgency of the moment and the need to enhance federal cyber coordination.
“We must confront issues like these today since they will only become more difficult to fix tomorrow, and will be the problems our grandchildren point to when they ask what we did when we had the helm,” the document reads.
As part of efforts to strengthen federal cybersecurity, Inglis announced Thursday that Federal Chief Information Security Officer (CSIO) Chris DeRusha would also take on the role of deputy national cyber director for federal cybersecurity.
“That is not a subjugation of his authorities to the national cyber director, it’s an alignment and a harmonization, such that we’ll make sure that what we do we do together,” Inglis said at CSIS. “If you are a CISO in the federal enterprise, we are finishing each other's sentences. We are not going to give conflicting guidance, it will always be complementary.”
Inglis spoke alongside Anne Neuberger, the deputy national security adviser for cyber and emerging technology, who teased the administration’s upcoming national cyber strategy, which Neuberger said will include “three lines of effort.”
These efforts will include strengthening domestic resilience against cyber threats, leading internationally on cybersecurity issues and making it a priority, and ensuring that the government has the necessary cybersecurity capabilities.
Neuberger also discussed the administration’s efforts to strengthen specific sectors against attacks, which have so far included a 100-day sprint to secure the electric grid. This has resulted, as of the beginning of October, in 150 utilities serving 90 million Americans committing to strengthening their cybersecurity.
She stressed Thursday the need to secure the water sector against attacks, and said the administration was pushing for the Environmental Protection Agency (EPA) to have more authorities in this space.
“Water is a great example. We really need legislation in this area in order to, for example, to give the EPA the authority to mandate practices for water, and indeed there is language we have submitted that we — the administration seeks to be included to ensure the EPA has those authorities,” Neuberger said.
A spokesperson for the White House National Security Council confirmed to The Hill that this effort is being prioritized by the administration, particularly after a recent alert put out by multiple federal agencies warning that water and wastewater facilities were targeted by hackers.
“We recognize that absent legislation there is no comprehensive way to require deployment of security technologies and practices to address the current and near-term threat environment,” the spokesperson said in a statement provided to The Hill. “Water is a specific area where we have recently identified specific threats. The Administration is actively working with Congress to provide ongoing threat information and technical assistance on legislation for critical infrastructure, including water.”
There is current debate on Capitol Hill about requiring certain critical infrastructure groups to report cybersecurity incidents to the federal government.
Both Inglis and Neuberger expressed support for more mandatory cyber standards in certain cases, comparing these to safety and security standards applied to automobiles.
“At some point we have to decide, what are those things that are so essential that they are not discretionary? We therefore have to insist that certain features and certain practices are built in,” Inglis said at CSIS. “We will do this for critical systems and in the digital infrastructure as well, but it will be by exception.”