Regulatory Alchemy: Turning Cybersecurity Guidelines Into Rules

In “Pirates of the Caribbean,” when Barbossa double-crosses Elizabeth, she invokes the Pirate’s Code, but Barbossa dismissively replies that “the code is more what you'd call ‘guidelines’ than actual rules.” Call it a reverse Barbossa, but the directive on pipeline security issued last week by the Transportation Security Administration (TSA) basically says that the TSA’s Pipeline Security Guidelines are now more what you’d call actual rules than guidelines.

In early May, the Colonial Pipeline carrying fuel to the East Coast shut itself down after being hit by ransomware. The resulting lines at some gas stations gave new urgency to decades-old warnings about the vulnerability of critical infrastructure to cyberattack. The TSA, which oversees not only airport security but also pipelines, responded with its directive effective May 28 and promised more.

Most of the reporting on the emergency directive has focused on its requirement that operators of major pipelines must report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). But the directive has another major part, leveraging the TSA pipeline security guidelines. The guidelines date back to 2002; their current version is from 2018, with a recent update just this April. Couched as recommendations, the guidelines say that pipeline operators should have a risk-based security plan, which should include risk assessments, personnel training and security testing, among other elements. Section 7 of the guidelines focuses specifically on security measures for cyber assets. It is based on the voluntary Framework for Improving Critical Infrastructure Cybersecurity issued by the National Institute of Standards and Technology (NIST). On close reading, some elements of the NIST framework have been watered-down in the TSA guidelines. Nonetheless, the TSA guidelines spell out in considerable detail the baseline and enhanced cybersecurity measures that pipeline operators should apply to pipeline cyber assets based on their criticality.

This is where last week’s directive may be most significant. It required pipeline operators to immediately review Section 7 of the pipeline security guidelines, assess whether their current practices and activities to address cyber risks align with the guidelines, identify any gaps, identify remediation measures that will be taken to fill those gaps, spell out a timeline for implementing those measures, and report to the TSA and CISA within 30 days.

To be sure, that doesn’t expressly require pipelines to actually implement the remediation measures they identify. But even with that caveat, the directive is a big change in approach. For decades, across administrations, much of the nation’s cybersecurity policy has depended on “public-private partnership” (code for non-regulation) and voluntary guidelines. Aside from a few sectors, such as broker dealers regulated by the Securities Exchange Commission or the nuclear power industry, regulatory agencies generally have not demanded that entities under their jurisdiction report on their cybersecurity practices.

In the case of pipelines, the TSA guidelines expressly state, “This document is guidance and does not impose requirements on any person or company.” Last week, the TSA found authority for its directive in 49 U.S.C. § 114. The language there is not as explicit a grant of regulatory authority as it could be, but subsection (f)(11) gives the administrator the authority to “oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities.”

It remains to be seen what the TSA does with the reports due at the end of June. But the reverse Barbossa may be available to other agencies as well. Across the federal government, there are multiple cybersecurity guidelines, many issued under the direction of then-President Obama’s Executive Order 13636. From the Department of Homeland Security, there’s the Critical Manufacturing Sector Cybersecurity Framework Implementation Guidance. The Department of Energy in 2015 issued its Energy Sector Cybersecurity Framework Implementation Guidance. For entities outside the coverage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services issued Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. The Food and Drug Administration has issued multiple guidance documents for connected medical devices. The Department of Homeland Security has its Transportation Systems Sector Cybersecurity Framework Implementation Guidance.

These agencies and others likely have in their organic statutes language about ensuring safety or reliability in their respective sectors. Even while awaiting further action from the White House or Congress, agencies could find grounds to turn their guidelines into actual rules. A separate, harder question is whether the guidelines, even if made binding, would meaningfully increase cybersecurity; they may be too focused on process than actual security measures. But at this point, given the failure of the public-private partnership approach that has dominated national cybersecurity policy for many sectors for many years, new measures may be worth a try.