Less than a week after the Transportation Security Administration responded to the Colonial Pipeline shutdown with a landmark order for oil and gas pipelines to abide by cybersecurity rules, major food supplier JBS had operations interrupted by its own cyberattack. The United States government traditionally handled cybersecurity on a sector-by-sector basis. How does it respond to a problem that transcends industry boundaries?
JBS is the world’s leading provider of meat, operating in six countries, and producing 32 billion pounds per year. It announced Monday that an “organized cyberattack…may delay certain transactions with customers and suppliers.” It is unclear what the motivations for the cyberattack were, financial or otherwise, but the incident leaves many questioning how government and industry alike can better tackle increasingly glaring security gaps throughout critical infrastructure.
“These past few months have shown us that, in both the public and private sector, we have not done the work we need to do to defend critical IT networks from cyberattacks, which will only become more frequent and more complex in the future,” Sen. Mark Warner, D-Va., told SC Media via email. “As the chairman of the Senate Intelligence Committee, I will continue working with the Biden administration to bolster our defenses across our critical infrastructure and other sectors.”
The fact that there are other providers of meat means that an outage at one node of the supply chain is not immediately as dire as the Colonial Pipeline shuttering the major passageway for gasoline on the East Coast. But the food sector is for good reason one of the industries deemed critical by the federal government.
“People want to eat,” said Meg King, director of the Wilson Center’s Science and Technology Innovation Program.
Indeed, the government recognizes 16 critical infrastructure sectors. The Biden administration has only taken regulatory action for one aspect of one of those sectors – pipelines – with an executive order suggesting industry-led changes to a second – the electric grid. But threats go well beyond gas and power. Before Colonial and JBS, a water treatment facility in Oldsmar, Florida was targeted by hackers who attempted to poison the water supply.
But it can be exceedingly difficult for the government to address cybersecurity problems expediently across multiple industries at the same time.
“If Congress is your best option, we’ve got some bigger problems,” said King, herself a former Hill staffer. “This is a problem that is multi-sectoral, which for Congress is really hard because of jurisdiction.”
At the same time, with differing federal agencies designated to oversee the various strains of critical infrastructure, each operating with different regulatory constraints and facing different cybersecurity concerns, a coordinated step forward from the Biden administration across all sectors would also be very difficult.
On Tuesday morning, Sen. Angus King, I-Maine, suggested that Congress move forward on one proposal that would simplify the process: recognizing a new classification of “systemically important critical infrastructure,” or SICI, to define the most critical of critical infrastructures. The Cybersecurity Solarium Commission, co-chaired by Angus King, suggested that SICI be granted greater access to government resources while also facing additional security requirements.
“We keep having wake-up calls and we keep not waking up,” he said on CNBC. “Now it’s the food supply. A month ago, it was fuels. It could be energy next. It could be transportation, it could be the financial sector. And we’ve really got to scale up our responses.”
While the Solarium Commission was able to pass more than two dozen proposals into law last year, SICI was singled out at this year’s RSA Conference by former commissioners, including lawmakers Reps. Mike Gallagher, R-Wisc., and Jim Langevin, D-N.H., as a priority for the year ahead.
“SICI legislation would provide someone, presumably the [Cybersecurity and Infrastructure Security Agency] or DHS, with the authority to impose requirements,” said Suzanne Spaulding, a Solarium commissioner, director of the Defending Democratic Institutions program at the Center for Strategic and International Studies, and a former head of CISA’s predecessor, the National Protection and Programs Directorate.
Spaulding noted that many of the ideas narrowly construed for pipeline security in the TSA order could easily apply to a wide swath of extremely critical infrastructure. In fact, she said, she unofficially made an effort to do something similar during her time at NPPD, after Obama’s Executive Order 13636 had NPPD compile a list of infrastructure where a cyberattack would have the most catastrophic effect.
“I wrote a letter to the CEOs of all those entities and said, ‘please designate a point of contact for us to work with.’ So the idea that these critical functions like Colonial Pipeline, need to have a PoC for CISA 24/7, seems pretty fundamental basic,” she said.
That said, there is risk tied to government treating infrastructure too generally, said Tobias Whitney, former senior manager of critical infrastructure protection at the North American Electric Reliability Corporation, the industry group setting regulatory standards for energy firms, and current vice president for energy security solutions at Fortress Information Security. Different infrastructures have different security needs.
To address any regulation in aggregate could lead to a security program that “is watered down with requirements not necessarily germane to the sector,” he said.
“But I can definitely understand the other side of the equation, too,” Whitney added. “We’re starting to see continued exploits of the back office and IT networks. Given some of those similarities, it might make sense for some targeted actions.”