Recently, the Biden Administration released its National Cybersecurity Strategy, dated March 2023, a plan that calls for minimum cybersecurity requirements for critical infrastructure operators and for the reporting of cyber incidents to the government.
The energy, transportation, chemicals, manufacturing, water, and other critical infrastructure sectors are expected to be the most affected, both by the requirements themselves and by the practical challenges of implementing them. In response, experts are calling for a coordinated approach to cybersecurity across all sectors, including government and private industry.
What Changes Would the New Strategy Bring?
Among the improvements the strategy proposes are the following:
- Increasing the use of minimum cybersecurity requirements in critical sectors is essential for national security and public safety. Streamlining and harmonizing regulations can reduce the compliance burden for businesses.
- Public-private collaboration is essential to defend critical infrastructure and essential services. The strategy directs federal agencies, with the Cybersecurity and Infrastructure Security Agency (CISA) in a coordinating role, to work more closely with one another and with private-sector owners and operators.
- Integrating federal cybersecurity centers and strengthening federal incident response policies and practices.
For Federal Agencies
The government will work with Congress to close any gaps in statutory requirements for minimum cybersecurity standards or market failures related to cybersecurity.
For Energy & Transportation
For the energy and transportation sectors, new regulations will expand the adoption of secure-by-design principles and focus on ensuring the availability of essential services. These regulations will continue the work already done in areas such as oil and natural gas pipelines, aviation, and rail, where the Transportation Security Administration (TSA) has been leading the way; the Environmental Protection Agency has been working to establish similar standards for water systems.
As ransomware attacks on hospitals and health systems increase, healthcare stakeholders have urged coordinated action from the federal government for years. Unfortunately, private sector efforts alone to counter significant cyber threats, even in recent years, have not been comprehensive enough. The new strategy, however, should yield specific recommendations for coordinating cyber incident reporting in the health care industry and for protecting sensitive medical data.
In fact, the American Hospital Association (AHA) and HITRUST are optimistic about the newly released national cybersecurity strategy, which aims to fight cybercrime and cyberterrorism.
What I.S. Partners’ Cybersecurity Specialists think about Potential New Legislation
“Certainly, I think it’s encouraging that there is federal attention being paid to cybersecurity. There is a lot of legislation and policy that’s already in place—like HIPAA and FISMA—but as cyber threats continue to evolve, in terms of technology and techniques, it’s important that those regulations are revisited or supplemented with efforts, like this new strategy.”– Ian Terry, CSM, SSCP, HCISPP, ISO/IEC 27001 LA, PCI-DSS QSA, CISSP, and Director of Cybersecurity Services at AWA.
How will this new strategy be put into action?
Similar to HIPAA, which was intended to be general and was written in an open-ended way, the National Cybersecurity Strategy does not conform to any particular framework. “We’ve seen in the past that remaining high-level is a good way for the strategy to stay resilient against change over time, but it is hard to implement and enforce,” said Ian. “So, I imagine that, as we get a better understanding of what the commonplace technologies are, and what the threat landscape consists of, that more prescriptive recommendations and publications will trickle down from this federal strategy.”
“HITRUST is another framework that is well positioned to take the ball here and run with it. That’s because it already has a cybersecurity assessment in place, which is also in line with NIST 800-53. So, it may be that HITRUST takes the lead in this ambitious undertaking and advises the government. It will be interesting to see if that actually takes place.”– David Dunkleberger, CPA, HITRUST CCSFP, and partner at I.S. Partners
“That being said, we do see some specific directions already within this document. It specifically mentions zero-trust architecture, multifactor authentication, encryption, and the adoption of cloud security tools,” explained Ian.
Will these recommendations become laws?
“I personally don’t anticipate that the federal government will legislate these types of recommendations in the near future. Like what we’ve seen with HIPAA, I think that the federal policy will remain mostly generic and will then be supplemented with more detailed, prescriptive publications and recommended frameworks that can be used to reach certain objectives, such as NIST 800-53,” continued Ian.
“We’ve already witnessed the government employ one strategy to force more private sector entities to upgrade their security through the new CMMC standard. Though that’s kind of a derivative of NIST, it’s a standalone certification framework not developed by the federal government; and yet, it has become a requirement for Department of Defense contractors and sub-contractors. So, this is a good example of how the government can push for stronger cybersecurity measures without actually writing them into law.”
Does the National Cybersecurity Strategy address data privacy too?
“Cybersecurity naturally treads a bit into the privacy realm. Privacy is more about informed consent and giving individuals the power to retrieve or delete their information. Security, generally, isn’t concerned with the rights of the owner; it’s more focused on protecting the data. But I have observed that certain objectives related to ‘privacy’ are achieved through cybersecurity,” explained Ian.
Is There a Need for National Cybersecurity Regulation?
There is legitimate debate over whether national cybersecurity regulation is needed, but in our field the need for comprehensive, standardized, nationwide regulation has been clear for many years. We argue that regulation is necessary to ensure that critical infrastructure and sensitive information are adequately protected from cyber threats; others argue that regulation could be overly burdensome and stifle innovation.
Proponents of national cybersecurity regulation argue that it is necessary to establish minimum standards and best practices for cybersecurity across all industries. This would help ensure that critical infrastructure, such as power grids and transportation systems, is protected from cyber-attacks that could have devastating consequences. In addition, regulation could encourage companies to prioritize cybersecurity by creating legal and financial incentives for compliance.
And the Biden Administration agrees. The strategy acknowledges that while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. As a result, critical infrastructure sectors should prepare for increased performance-based regulation, including minimum cybersecurity requirements.
Why hasn’t national cybersecurity legislation been put in place already?
There are a variety of reasons why there is no single, overarching national cybersecurity regulation in the United States. These reasons include the country’s federal structure, the diverse range of industries and sectors, and the various stakeholders involved. Instead of one unified regulation, there are different industry-specific and state-level regulations that govern cybersecurity practices.
- Federalism: Due to the way the U.S. federal system is set up, states are able to enact their own legislation. This can sometimes lead to diverse approaches to cybersecurity, since state-level regulations are usually designed to address specific risks and concerns within each state. This can make it difficult to create a unified national framework.
- Sector-specific regulations: Different industries often have unique cybersecurity needs and challenges. To account for this, the U.S. has developed sector-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act (GLBA) for financial institutions. These regulations aim to address the specific needs and concerns of each sector.
- Balancing security and privacy: Creating a national cybersecurity regulation would require striking a delicate balance between security and individual privacy rights. Achieving this balance can be difficult, as stronger security measures can sometimes infringe on privacy rights, and vice versa.
- Public-private partnerships: The U.S. government often collaborates with the private sector to address cybersecurity issues. This approach can be more flexible and efficient when compared to a top-down, regulatory approach. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, for example, is a voluntary set of guidelines that organizations can adopt to improve their cybersecurity posture.
While there is no single national cybersecurity regulation in the United States, the federal government has increasingly recognized the need for a more coordinated approach. The recent National Cybersecurity Strategy report and other initiatives aim to strengthen collaboration between federal agencies, states, and the private sector to better address cybersecurity challenges.
Prepare for Tighter Regulations in Advance
Contact I.S. Partners to begin the readiness phase for any of the leading security certifications today.