Published by The Lawfare Institute
in Cooperation With
Concerns over the possible Russian use of cyber weapons against U.S. domestic critical infrastructure in connection with the Ukraine crisis—warnings renewed on Feb. 11—should prompt reconsideration of the still-deferential posture of U.S. cybersecurity policy toward much of the private sector. Once again, though, complaints against “government mandates” may block action.
For more than 30 years, the federal government’s approach to cybersecurity has been based on the concept of public-private partnership. For many sectors, that has meant no regulation, even as the threat has grown and industry’s response has lagged. It took last May’s high-profile attack on Colonial Pipeline to prompt the Transportation Security Agency (TSA) to issue its first binding directives for that one highly critical infrastructure. TSA used existing powers, not specific to cyberthreats. With congressional action to grant new regulatory authorities highly improbable, it is remarkable how many other agencies also have existing authority that could be leveraged to improve the cybersecurity of private actors under their jurisdiction.
Agency Statutes Include Broad Authorities Over Safety and Reliability
Consider hospitals, already a prime target for ransomware, including—in the case of North Korea’s WannaCry—nation-state attacks. The Centers for Medicare & Medicaid Services (CMS) will not approve a hospital for participation in the Medicare and Medicaid system unless its brick-and-mortar facilities comply with the standards of the Life Safety Code of the National Fire Protection Association (or a comparable code imposed by state law) and the association’s separate Health Care Facilities Code. Likewise, CMS requires that hospital food and dietetic services must meet individual patient nutritional needs “in accordance with recognized dietary practices.” All in all, CMS has promulgated about two dozen “Conditions of Participation,” imposing scores of design and performance requirements on health care entities, from the largest hospitals to the smallest rural health clinics. Since few health care facilities could function without Medicare and Medicaid payments, the CMS standards cover a large part of the U.S. health care infrastructure. CMS’s broad statutory authority to issue standards to ensure patient health and safety is the very authority that the Supreme Court affirmed in January in upholding CMS’s vaccine mandate for health workers at Medicare- and Medicaid-supported facilities.
Yet, CMS told the inspector general for the Department of Health and Human Services in June 2021 that it had no plans to address the cybersecurity of the facilities it funds. There is a CMS requirement for emergency preparedness, which covers all hazards. It requires a backup for water and power but does not consider that those backup systems themselves may depend on digital controls that would be compromised in a halfway sophisticated attack. It requires “[a] system of medical documentation that preserves patient information, protects confidentiality of patient information, and secures and maintains the availability of records,” but it does not address any of the specific actions that could achieve those goals, from procurement policies that favor software developed using secure development practices to enterprise risk management strategies to employee training. All this despite the fact that the number of cyberattacks on health care facilities more than doubled in 2020. In November 2021, Southern Ohio Medical Center had to cancel appointments and divert ambulances to other hospitals after it was hit. Surely, in 2022, along with mandating the availability of a qualified dietician, the CMS criteria for effective and reliable health care should include some ability to withstand cyberattack.
The Department of Health and Human Services is not the only agency with unused authority that encompasses cybersecurity.
In establishing the Federal Communications Commission (FCC), Congress expressly said that it intended the agency to serve the national defense. In response to cybersecurity concerns, the commission has been quite aggressive in using various authorities to remove Chinese-made equipment from the telecommunications backbone and to deny or revoke the operating rights of China-controlled entities. Just last month, the FCC revoked the authority of China Unicom to provide international and domestic communications services in the U.S., following on last year’s revocation of the authorizations of China Telecom (Americas) to operate in the U.S. But as Tom Wheeler has laid out, the FCC has largely refrained from addressing the cybersecurity vulnerability of domestic telecommunications providers and their reliance on potentially vulnerable equipment and software made in the United States. FCC Chair Jessica Rosenworcel is pursuing a series of initiatives related to cybersecurity, but none so far focuses specifically on domestic carriers and none is comprehensive in scope.
As Wheeler has argued, the FCC “is the agency with the authority and responsibility to establish enforceable cybersecurity expectations for the nation’s commercial networks.” Indeed, the blanket authority that China Unicom and China Telecom were operating under, granted by rule in 1999 under Section 214 of the Communications Act, is the very same blanket authority under which all home-grown telecommunications service providers operate. And the standard for revoking the authorization of U.S.-owned carriers would be the same broad standard the FCC used in revoking the authority of the China-controlled entities: “in the public interest.”
Earlier this year, federal agencies warned that Russian state-sponsored actors have targeted a variety of U.S. critical infrastructures, including telecommunications. This comes on top of reports of espionage attacks targeting telecommunications companies in the U.S. and elsewhere. Surely, if the FCC can rely on Chinese espionage and reliability concerns to revoke any company’s prior authorization to operate, it can take the lesser step of imposing conditions on those authorizations to protect the public interest. In fact, that’s exactly what the Communications Act says: that the commission may attach to its authorizations “such terms and conditions as in its judgment the public convenience and necessity may require.”
Other agencies have similar sources of cybersecurity authority in their organic statutes. Just to cite a few more: The Food and Drug Administration (FDA) has authority under provisions of the Food, Drug and Cosmetic Act to ensure the safety and effectiveness of medical devices, which increasingly are connected to the internet. The FDA has made it clear that its Quality System Regulation requires that medical device manufacturers address cybersecurity risk. But as to details, like so many other agencies, the FDA has limited itself to nonbinding guidance. Even there, it has lagged. Updated guidance on the content of premarket submissions for management of cybersecurity in medical devices has been in draft form since 2018. Yet, as the Health and Human Services Office of the Inspector General report noted, according to one expert, a large hospital might have around 85,000 medical devices connected to its network, each a potential locus of attack.
One more example: railroads. The secretary of transportation has statutory power—indeed, a statutory duty—to “prescribe regulations and issue orders for every area of railroad safety.” Under this and other statutory authority, the Federal Railroad Administration (FRA) has issued detailed rules, standards and instructions governing the installation and maintenance of signal and train control systems, specifically including processor-based systems and components. Mostly, though, the provisions seem to be focused on electro-mechanical devices. One provision, for example, aims to protect signaling systems against unauthorized entry … by requiring that their physical housings be locked. Some rules do address cyber threats. One requires encryption of signals for integrity and authentication, but only for the subset of control systems known as positive train control. Under another rule, adopted in 2005 and apparently not modified since, each railroad shall adopt a software management control plan for its signal and train control systems, which shall be designed to ensure that the software for each specific site is properly configured, documented and maintained through the life cycle of the system. But as far as I could find, the FRA has adopted no comprehensive requirements for cybersecurity. I wouldn’t attribute this to lack of expertise or an outdated mindset; the FRA has, for example, what seem to be very sophisticated rules on human-machine interface. And the rail industry, like so many others, has a detailed set of cybersecurity best practices, but they remain voluntary, like those in so many other sectors.
I’m certainly no expert on Medicare and Medicaid requirements, or telecoms regulation, or food and drug law, or railroad regulation, so I may be missing something here, but the pattern seems consistent: Sector-specific regulatory agencies have existing authorities that could be used to adopt comprehensive (or even incremental) cybersecurity rules for the critical infrastructures under their supervision, but those powers have gone largely unused.
Under the Biden Administration, a Mix of Urgency and Hesitation
In this context, the executive branch moves following the Colonial Pipeline incident seemed to point the way to a broader initiative.
But the predictable industry pushback has grown, echoed by Republican lawmakers. When Secretary of Homeland Security Alejandro Mayorkas indicated in 2021 that he would issue cybersecurity orders for the rail and aviation sectors, Republican senators complained, citing what they said was the absence of an immediate threat or genuine emergency. Other Republican senators asked the Department of Homeland Security inspector general to review the process by which TSA had issued the pipeline directives. While they acknowledged that the TSA director had the statutory authority to issue emergency directives, the senators urged TSA to return to its “historically collaborative relationship with industry experts.”
Despite industry and Hill complaints, TSA moved forward in December with directives for freight and passenger rail carriers. The directives require owners and operators to designate a cybersecurity coordinator; report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours; develop and implement a cybersecurity incident response plan; and complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems and identify remediation measures to address those vulnerabilities and gaps. The incident reporting requirement got the most attention in the popular press, but the requirements for a vulnerability assessment and remediation measures could be the directives’ most significant feature. Plans must be submitted to TSA by March 31. An awful lot turns on how TSA responds to the vulnerability assessment and remediation plans. A sign of the agency’s seriousness will be whether it sends any back for revision.
However, when it came to airports and airline operators, TSA held back, requiring only that they designate a cybersecurity coordinator and report cybersecurity incidents to CISA within 24 hours. Requirements to implement a cybersecurity incident response plan and to complete a vulnerability assessment and develop remediation measures were dropped. Instead, Homeland Security said that it intends to expand the requirements for the aviation sector and issue guidance to smaller operators.
More recently, the Biden administration has returned to its predecessors’ emphasis on public-private partnership, even avowing that it has only “limited authorities to set cybersecurity baselines for critical infrastructure.”
Of course, public-private partnership should remain a pillar of the nation’s cybersecurity policy. But it need not be the sole pillar, especially when the private sector isn’t stepping up. Already, the U.S. has a hybrid system of collaboration and prescription. It includes very detailed cybersecurity regulations for the bulk electric power system, drafted by industry but approved by—and sometimes strengthened at the behest of—the Federal Energy Regulatory Commission, with new measures in the works. In 2021, the Federal Trade Commission added much more specificity to its Safeguards Rule for financial services institutions under its jurisdiction. And just recently, the Securities and Exchange Commission proposed cybersecurity rules for investment advisers and investment companies, citing as authority provisions in the statutes for those sectors that say nothing specifically about cybersecurity.
The adoption of comprehensive federal cybersecurity legislation is politically inconceivable in today’s climate, and it would probably not be a good idea anyhow: Given technological and other differences among sectors, including different threat environments, tailoring of cybersecurity sector-by-sector will always be necessary. All the more reason for sector-specific regulatory agencies to use existing authorities within their sectors, perhaps comprehensively or, better yet, incrementally, to ratchet up cybersecurity practices.
A lot of cybersecurity attention has focused on CISA. But CISA is not a regulatory agency, nor should it be. CISA has extraordinarily competent leadership in Jen Easterly and her team. With its emphasis on information sharing and incident response, as well as protecting federal civilian networks, CISA is and should be the focus of ongoing and strengthened public-private partnerships. Initial reviews of the new Joint Cyber Defense Collaborative appear to confirm the utility of collaboration and the wisdom of centering it at CISA.
But outside of critical infrastructure companies and their trade associations, few if any would argue that the nation’s cyber defenses can rely solely on volunteerism. Many sector-specific regulatory agencies, if they follow the principles of rulemaking reaffirmed by the Supreme Court in the health workers vaccine case, will find that they have the authority to adopt binding cybersecurity rules for the entities under their jurisdiction.