The White House has been conducting classified cybersecurity briefings with executives from select critical infrastructure sectors as part of an ongoing effort to compel industry leaders to invest more in their digital defenses.
The next meeting, scheduled for September, will be with executives from across the aviation industry, a senior White House cybersecurity official told CyberScoop.
The Biden administration’s effort to increase industry support for upgrades to critical infrastructure formally launched last summer when the president signed a national security memorandum assigning federal agencies to develop cybersecurity performance goals for various critical infrastructure initiatives.
Since then, senior White House officials have been quietly meeting with executives and leaders of trade groups as the administration works to shape forthcoming cybersecurity regulations for critical infrastructure operators.
So far, the threat briefings have proven highly effective, Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging tech, told CyberScoop in an interview earlier this month.
“This way they are able to see the issues through the same lens as us,” said Neuberger, who is leading the briefings. “For the private sector, it’s a cost; for the government, it’s a commitment to not allow a foreign actor to disrupt critical services. … If a company is operating a water facility serving 50,000 Americans in Florida, we can all agree that following these mandates are critical to ensuring continuity in the event of an attempted cyber breach.”
Neuberger added that the threat briefings underscore the administration’s commitment to come to “a reasonable compromise once everyone is working off the same intelligence.”
The upcoming meeting with aviation officials follows years of documented hacker attempts to breach aviation entities. In February, the cybersecurity firm Proofpoint published research showing a “consistent, active cybercrime threat” to the aviation sector since at least 2017.
The meeting with aviation officials will closely follow another recent White House briefing tailored for specific transportation sector executives. Railroad executives from across the country came to the White House for an Aug. 4 classified briefing on cyberthreats targeting their industry as well, Neuberger said.
Ted Greener, a spokesperson for the Association of American Railroads (AAR), told CyberScoop that executives from five of the seven largest American railroads attended Neuberger’s White House briefing. Norfolk Southern Corporation and Union Pacific — the country’s largest railroad company with $6.5 billion in revenue last year — were unable to attend due to scheduling conflicts, Greener said. Companies that could not attend will meet with TSA for similar briefings.
“The railroad industry appreciates the administration’s commitment to sharing intelligence and security information,” Greener said in a prepared statement. “In follow-up, we have arranged through the Transportation Security Administration (TSA) for the same briefing to be provided to railroads’ chief information security officers and cybersecurity leads.”
Greener said that the White House focus on helping companies execute on the administration’s cybersecurity mandates has ensured that the government’s “desired outcomes are met in the context of the proactive and comprehensive efforts focused on continuously enhancing cybersecurity that railroads have maintained for more than two decades.”
He added that the White House acknowledged the industry’s “sustained commitment” during the briefing.
Neuberger said that in addition to providing rail officials with a classified threat briefing, she also showed the railroad executives the draft of a revised TSA directive for how they can improve the sector’s cyber readiness.
“We highlighted that we’re open to hearing their concerns and input, but that we had a responsibility to set a cybersecurity standard that was adequate against the threats they had just heard about,” Neuberger said of the briefing. “I think most Americans would be surprised to learn that minimum mandatory cyber standards are not in place in most sectors, including critical manufacturing, hospital networks and water plants, which is why the president has put such a relentless focus on improving the cybersecurity of critical infrastructure.”
Under the directive, major passenger and freight railroads are required to report cybersecurity breaches quickly; appoint a cybersecurity coordinator; draft an incident response plan; and conduct a review of operations to formally assess cyber vulnerabilities. The administration’s emphasis on critical infrastructure cyber defense follows last spring’s ransomware attack on Colonial Pipeline, the nation’s largest oil pipeline.
President Biden launched the administration’s industrial control system cybersecurity initiative last April, with an initial focus on more than 150 electric utilities representing almost 90 million customers. A month later, the Colonial Pipeline attack stunned government officials and triggered an effort that Neuberger told CyberScoop is meant to strengthen “the digital alarm system and locks” that will better protect critical infrastructure against cyberattacks.
“This is obviously a huge task, so we are working sector by sector in a very structured approach,” Neuberger said.
The administration is in the third stage of its work on the initiative, she said, having already identified both cyberdefense gaps and critical companies in each sector. Now, Neuberger said, the threat briefings are a key component of step three, which she described as “working with lead agencies and owners and operators of critical infrastructure to put the cybersecurity requirements in place.”
Neuberger’s threat briefings began last year when oil and gas pipeline executives came to the White House in three groups due to the size of the sector. After a series of meetings with officials, Neuberger said last month that TSA recently issued revised guidelines for the oil and gas sector.
She told an audience at the Center for a New American Security last month that the briefings have focused on “how we see China or Russia potentially disrupting railroads in the country.” At the time, she said the railroad briefing that took place earlier this month would also focus on how a cyberattack could compromise the hazardous materials that railroads transport.
Neuberger told the CNAS audience that her work protecting critical infrastructure is so vital to her that she keeps a picture of a Pittsburgh bridge that collapsed in January in her office to remind her “where smart can make a difference.”
“Triaging of the problem is something tech can do for us,” she said at the time.
Clarified 8/31/22 to include additional information from the Association of American Railroads.