Companies face stricter cyber rules in 2022
Summary
State-sponsored hacks and ransomware attacks pushed the US into aggressive cyber policies that end the era of voluntary standardsAttacks against critical infrastructure operators, government agencies and private companies spurred President Joe Biden’s administration to significant action on cybersecurity in 2021. This year, security chiefs face further cyber reforms, a workforce shortage, and ongoing threats from ransomware groups.
A May presidential executive order dramatically shifted what had been a relatively hands-off approach to cyber in the past, with voluntary guidelines and little oversight. Increasingly the government is telling entities critical to the country’s cyber infrastructure exactly what is expected of them, former officials say.
Companies in some sectors are now required to report cyberattacks, appoint dedicated staff to liaise with officials, and must design their networks to conform with zero-trust principles.
“I do think what the Biden administration has done over the past year is disruptive," said Sujit Raman, a partner at law firm Sidley Austin LLP, and a former associate deputy attorney general at the Justice Department. “They have moved quite aggressively away from voluntary standards and have been willing to impose mandatory standards. It’s disruptive in a novel way."
Agencies such as the Transportation Security Administration have published new standards that require pipeline operators to strengthen cybersecurity and conduct audits to show they have done so.
Federal agencies have also been ordered to find and close flaws in the software they use and to draw up guidelines for every critical infrastructure sector they oversee.
The fallout from hacks of SolarWinds Corp. and Microsoft Corp. software dominated the first months of 2021, with thousands of companies and several federal agencies affected by the attacks. The U.S. government later attributed the campaigns to state-sponsored hackers in Russia and China, respectively. Both governments have denied involvement.
Homeland Security Secretary Alejandro Mayorkas had been describing ransomware as a threat to national security since March, but the attack on Colonial Pipeline Co. in May brought the subject into sharp relief. That incident forced Colonial to shut down the largest fuel artery on the East Coast for six days, pushing up prices and causing fuel shortages in some southeastern states after panic buying.
“The recognition of the impact that a ransomware attack on a commercial critical infrastructure sector can have on our nation, I think accelerated the need for the government to have a more coordinated and focused response," said Brad Medairy, an executive vice president at consulting firm Booz Allen Hamilton Inc.
Serious cyberattacks on food-processing giantJBS SA and technology provider Kaseya Ltd. struck as the Justice, State, Homeland Security and Treasury departments initiated broader efforts to contain cyber threats. The U.S. issued sanctions or charges against alleged ransomware operators in Russia and Ukraine for the Kaseya attack, a Russia-based cryptocurrency exchange, and cybersecurity companies accused of staging conferences for recruiting spies.
In July, the Senate confirmed Chris Inglis as the first national cyber director, a role Mr. Inglis has described as a quarterback for the government’s cybersecurity efforts. During his confirmation hearing in June, Mr. Inglis previewed more assertive action from the government along the same lines as it enforces standards for the aviation sector.
“When [companies] conduct critical activities upon which the nation’s interests depend, it may well be that we need to step in and we need to regulate," he said.
U.S. officials in 2022 are likely to issue further cyber requirements to critical infrastructure companies, including the water supply, said Sidley Austin’s Mr. Raman.
An ongoing shortage of cybersecurity talent will also be a problem, Mr. Medairy, of Booz Allen, said. The (ISC)2, a cyber professional association, puts the gap at around 2.7 million globally.
“We’re dealing with a significant cyber workforce and talent shortage, and the government can’t solve the problem alone," Mr. Medairy said.
But while the government’s appetite for more prescriptive cybersecurity rules continues, the extent to which these changes have been effective is unclear.
A breach-reporting mandate also has bipartisan support in both the House and Senate, although it was removed from the National Defense Authorization Act as part of a compromise to pass the bill. Senior officials, including Cybersecurity and Infrastructure Security Agency Director Jen Easterly, have urged lawmakers to pass these laws with short time frames for reporting incidents.
Justice Department officials have also said that, without further rule making by Congress in 2022 such as mandatory breach reporting, the question of whether attacks are going up or down is hard to answer.
“If we knew the full picture, the Federal Bureau of Investigation or someone else would be able to spit back an answer that says we have 100% reporting and we’ve seen an increase or a decrease. We’re not there right now," said John Carlin, principal associate deputy attorney general, at a WSJ Pro Cybersecurity conference in December
