More than 20 years after the idea was first proposed, only to be struck down by officials who valued corporate profits over the national interest, a federal agency has imposed mandatory cybersecurity requirements on privately owned companies.
The regulation, issued Tuesday by the Transportation Security Administration, in consultation with the Department of Homeland Security, requires owners and operators of critical pipelines—chiefly those carrying natural gas and hazardous liquids—to “implement a number of urgently needed protections against cyberintrusions.”*
The measure, which was prompted by the ransomware attack on Colonial Pipeline in May that created a gas panic in the Southeast, requires all such companies to do the following:
• Develop and implement a “contingency and recovery” plan for cyberintrusions;
• Compare the plan with DHS standards, identify gaps, develop measures to fill them, and gain approval for them from the Cybersecurity and Infrastructure Security Agency, or CISA;*
• Appoint and identify, within seven days, a cyber coordinator (and a backup cyber coordinator) who is available to the DHS’s CISA officials “24/7”; and
• Report all cyberintrusions to CISA within 12 hours of the incident.
The TSA issued similar pipeline guidelines in 2018, but it stressed, “This document is guidance and does not impose requirements on any person or company.”
By contrast, the July document states very clearly that it is laying down requirements.
So far, only the pipeline industry is affected, but the National Security Archive—a private research group based at George Washington University—noted in a report on Friday that the new regulation marks a “pivot” from the “hands-off” approach of previous administrations, suggesting that “the federal government will no longer shy away from imposing cyber standards on private entities in critical infrastructure sectors.”
Back in 2000, Richard A. Clarke, who at the time was President Bill Clinton’s cybersecurity adviser, drafted a lengthy executive order imposing mandatory regulations. But private companies lobbied strenuously against it, and Clinton’s chief economic advisers warned that it would erode the efficiency and competitiveness of American IT companies. Clinton never signed it.
As a compromise, Clarke created Information Sharing and Analysis Centers, where federal agencies would provide guidance to corporations on how to improve security against cyberintrusions. Presidents George W. Bush and Barack Obama went a few steps further—for instance, Obama appointed a chief information security officer for the entire federal government—but compliance remained voluntary. As with the 2018 guidelines, the executive orders stated explicitly that they were listing recommendations, not requirements.
The new measure changes all that, at least for one important economic sector, potentially for the rest as well.
Over the past 20 years, as cyberattacks have grown in number, certain sectors have responded vigorously to the challenge. Banks and financial firms have ranked highest, mainly because security is at the core of their business: If banks keep getting hacked, customers will withdraw their money. Banks also have the money to hire the best IT technicians. As a result, banks are hacked hundreds or thousands of times a day, but the results are rarely devastating; the intruders are spotted and expelled pretty quickly. However, other firms—for instance, electrical plants, water works, and pipelines—have done relatively little to patch their vulnerabilities, in part because it’s expensive to do so, in part because attacks have rarely happened. Until recently. As attacks have grown increasingly routine and financially damaging, even the private companies are showing greater readiness to take action, even at some penalty to their bottom lines.
It remains to be seen how broadly the Biden administration will expand the regulation to other economic sectors, or how strenuously the new law will be enforced if some firms disobey. But this is a first step—ridiculously late, but a very big deal.
Correction, July 23, 2021: This piece originally mischaracterized CISA as part of the TSA. CISA and TSA are two separate agencies in the Department of Homeland Security.
Correction, July 24, 2021: The article also originally conflated some of the TSA’s responsibilities with those of the DHS.