Cybersecurity has become a key concern for companies worldwide. As a means of protecting company assets, it ranks alongside regulatory compliance and robust IT infrastructure. Yet, amazingly, many organizations in the U.S. are still unaware of its importance. However, a recent intervention from the U.S. government could be about to change this.
President Biden is championing cybersecurity awareness in the U.S. more than any previous president. And that may not come as a shock. Considering the massive upsurge in cyber-attacks over the past few years, cybersecurity is right to be high on the agenda.
However, what has surprised many industry experts and business owners is the scale and breadth of the President’s plans. With close to two billion dollars being pumped into cybersecurity defenses, could compulsory cybersecurity compliance be in the cards?
Step One: The Executive Order on Cybersecurity
In May 2021, President Biden released an Executive Order on Improving the Nation’s Cybersecurity. In it, he describes “persistent and increasingly sophisticated malicious cyber campaigns.” These attacks “threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”
Biden’s order is over 8,000 words long, but in brief, it covers the following. Firstly, the federal government must partner with the private sector to respond to cyber threats. At the same time, cybersecurity is to become a top priority of the Biden administration.
In turn, private firms, such as cloud providers, must share information on cyber threats with the authorities. Finally, the government’s security provisions must be upgraded at a national level, and its methods of detecting and resolving cyber threats must be updated.
Biden’s initiative is a comprehensive action plan that will shake up the way cybersecurity is addressed at a federal level. However, it’s just the tip of the iceberg.
Step Two: The Memorandum
In July 2021, the White House released its National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The memorandum came after a series of disastrous ransomware attacks.
These attacks directly impacted the lives of thousands of U.S. citizens. One of the most significant occurred two months before the release of the memorandum.
Using a breached password, hackers were able to shut down the Colonial Pipeline, the largest fuel pipeline in the country. As a result of the attack, they disrupted half of the fuel supply on the East Coast. This led to fuel shortages and issues with air travel.
The order is probably the most sweeping cybersecurity measure in U.S. history. It directs both the Department of Homeland Security and the Department of Commerce to set cybersecurity goals to protect infrastructure.
At the same time, it instructs companies responsible for critical infrastructure like gas and water supplies to adhere to these goals. At this early stage, these collaborative efforts are voluntary. However, there are signs that they could become legally binding. The initial goals are being developed in conjunction with a study on the potential for a legal framework for critical infrastructure cybersecurity.
In a press briefing to discuss the order, a spokesperson also hinted that voluntary measures could become legally binding. “Our current posture is woefully insufficient given the evolving threat we face today,” they said. “We really kicked the can down the road for a long time.”
“The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.”
Step Three: A Multi-Billion-Dollar Commitment
The Biden administration has committed trillions of dollars to improve infrastructure in the U.S. And, at the start of August, the White House revealed that included in this allocation would be $1.9 billion in funding for cybersecurity improvements.
In short, the aim is to “modernize and secure federal, state, and local IT and networks.” On top of this, the funding will be used to “protect critical infrastructure and utilities.” It will also “support public or private entities as they respond to and recover from significant cyberattacks and breaches.”
In total, $500 million in grants will be allocated to state and local governments. To apply, authorities must submit a plan. In it, they will have to explain how they will use the money to bolster or create cybersecurity defenses.
With so much money being provided to government bodies, it’s not unreasonable to presume that the private sector will be required to follow suit. If Biden achieves his aims of securing federal, state, and local government bodies, why would he allow private companies to slip through the net?
What Do These Cybersecurity Efforts Mean For Businesses?
Today, Biden’s cybersecurity efforts are admirable but have yet to receive recognition. First, there will be an evaluation of the initial goals. From there, conclusions will be drawn as to the effectiveness of the goals. If companies have taken on the challenge and achieved the objectives set, then maybe the goals will remain voluntary.
However, if companies critical to infrastructure security fail to achieve these goals, the law could force them to adopt the goals. Enforced cybersecurity compliance might sound imposing, but is it such a bad idea?
Regulatory compliance is already active in almost every jurisdiction on Earth. Privacy regulations are in force to protect customer data. The banking industry must follow strict codes of conduct. And laws govern the financial sector to ensure transparency.
All of these regulations are in place to protect consumers. So is cybersecurity compliance really that far removed? Maybe not. Especially when the consumers in question, in terms of national infrastructure, are in the millions.
With so much emphasis on cybersecurity provisions and such a large investment, the current administration has committed to the cause. In light of this, if companies fail to adhere to the goals set for them, compulsory cybersecurity compliance looks as though it could become a reality.