White House deputy national security adviser Anne Neuberger said Thursday that the healthcare, water, and communications sectors, as providers of critical infrastructure in the U.S., will be the Biden administration’s next targets of additional cybersecurity regulation.
The regulatory additions are intended to be created through a collaborative effort among various federal agencies. This is another way in which the administration hopes to close gaps in the nation’s critical infrastructure security, particularly given last year’s high-profile ransomware attacks against critical infrastructure targets, including the Colonial Pipeline attack that interfered with fuel supplies across the East Coast.
The Federal Communications Commission (FCC) would soon issue a “public notice regarding rulemaking for emergency public warning systems,” Neuberger said while speaking at a Washington Post Live event.
Recently, the chair of the FCC, Jessica Rosenworcel, proposed several changes to the country’s emergency alert systems that are designed to improve cybersecurity responsiveness. Additionally, the Environmental Protection Agency (EPA) has been tapped to assess existing regulations that focus on the security and safety of water infrastructure, including cybersecurity. This is the same approach employed for the Transportation Security Administration (TSA) as it worked to create new standards for pipeline operators, and it is cited as the methodology for the forthcoming project for securing the aviation and rail industries.
Neuberger specified that hospitals would be a primary focus for the Health and Human Services (HHS) Department, as they have increasingly been targeted by ransomware threat actors, likely due to the high stakes around hospitals’ operations.
Deputy adviser Neuberger has requested more action from Congress in creating cybersecurity standards for all critical infrastructure operators. She cited a lack of regulatory authorities for some sectors that should be high priorities, like information technology, critical infrastructure, emergency services, etc.
Neuberger explained, “We’re looking carefully at those to say, ‘What is needed in this space, and how do we approach this?’”
Notably, the research organization Recorded Future has confirmed that 230+ healthcare providers were targeted by ransomware over the past year. CommonSpirit Health, one of the nation’s largest nonprofit healthcare systems, confirmed Wednesday that it was hit by a ransomware attack that resulted in widespread outages across its operations, and that it is still recovering.
Organizations across information technology, critical infrastructure, and other high-risk industries would do well to be proactive in building out improved cybersecurity programs rather than waiting for regulatory pressures. They should use an approach of risk assessment and mitigation through application of appropriate security measures. Webcheck Security is uniquely able to assist in this effort, with a team of Fractional Information Security Officers (FISOs) who can act as security consultants, temporary internal personnel, or permanent “embedded” security leaders. Contact Webcheck today for a free discussion of your organization’s needs.