White House advisory group says market forces ‘insufficient’ to drive cybersecurity in critical infrastructure

An industry-led group is calling for the federal government to develop economic incentives for small and medium-sized businesses, simplify cyber regulations and provide clear liability protections around information sharing.

A White House advisory board is recommending the federal government create new economic incentive programs to prod critical infrastructure owners and operators to raise their cybersecurity standards, develop new liability protections around information sharing and simplify an increasingly complex national cyber regulatory regime.

The recommendations are part of a report approved Thursday by the National Security Telecommunications Advisory Committee, which is made up of representatives from the nation’s largest telecommunications companies as well as cybersecurity firms. The report focused on why so many organizations that provide critical services to the nation often struggle to adopt best practices or invest sufficient resources into their cybersecurity operations.

It concluded that market forces alone are “insufficient” to incentivize privately owned entities to prioritize cybersecurity at the levels needed to protect national security.

The report also found that stakeholders in critical infrastructure are broadly unaware of the technical assistance and programs already offered by the federal government to help improve cybersecurity, and are facing increasingly complex compliance burdens as the Biden administration has sought to flex its regulatory powers to raise the cybersecurity bar in different sectors.

To address these obstacles, the committee recommended that the Office of the National Cyber Director work with industry to examine a range of new financial incentives, such as tax deductions and federal grants, to help close the cybersecurity investment gap. It also recommended that ONCD work with other federal agencies on a nationwide push to educate owners and operators about free federal services — like CISA’s Cyber Hygiene Service, the NSA’s Cyber Collaboration Center and NIST’s National Cybersecurity Center of Excellence — that aren’t being effectively utilized.

The committee also suggested that ONCD take the lead on developing a strategy that provides “unambiguous language” that carves out liability protections and safe harbor for companies to more freely share information around cyber threats and vulnerabilities that could impact one or multiple industrial sectors.

National Cyber Director Harry Coker gave brief remarks during the meeting, thanking the committee and remarking on the recommendations in the report: “I’ve already reviewed them and I like them.”

Matthew Desch, CEO of Iridium Communications and co-chair of the subcommittee that created the report, said the conclusions were drawn from more than 50 briefings conducted by NSTAC members with critical infrastructure providers, cloud and tech service providers, consultants, trade associations and think tanks.

“The lack of consistent adoption and implementation of cyber best practices and standards is especially problematic as U.S. critical infrastructure entities face a significantly heightened threat landscape, and even more so considering the current geopolitical climate,” Desch said.

The recommendations in the report were approved shortly after U.S. officials warned in January that a hacking group tied to the Chinese government, known as Volt Typhoon, has spent years lurking inside the systems and networks of American critical infrastructure providers. Brandon Wales, CISA’s executive director, said the group’s “aim appears to be burrowing into our critical infrastructure for the purpose of conducting disruptive or destructive attacks.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.