White House Struggles to Overcome Roadblocks in Implementing Cybersecurity Strategy

Policy White House plan for implementing cybersecurity strategy faces roadblocks

A Chinese hacking campaign and a court ruling pausing minimum security standards for the water sector illustrate challenges in improving cybersecurity.

Christian Vasquez | July 13, 2023 | Getty Images

On Thursday, officials from the Biden administration unveiled a long-awaited implementation plan for the White House’s national cybersecurity strategy. However, the release of the plan was overshadowed by two significant events that serve as a reminder of the major obstacles the administration faces in improving the security of the U.S. computing infrastructure.

Chinese Hackers Exploit Cloud Computing Vulnerabilities

The first event involves a revelation made by Microsoft that Chinese-linked hackers were able to access the emails of high-ranking U.S. officials by exploiting flaws in cloud computing systems. These systems had been promoted by the Biden administration for their security benefits. This incident raises questions about the effectiveness of cloud computing solutions in protecting sensitive information.

Court Ruling Halts Cybersecurity Regulation for Water Systems

The second event involves a court ruling that temporarily suspended a regulation mandating U.S. water systems to improve their cybersecurity posture. The rule had required states to evaluate the industry’s digital defenses through sanitation surveys. This approach faced criticism as surveyors were seen as ill-equipped to evaluate cybersecurity. This ruling introduces potential roadblocks for future cybersecurity mandates for critical infrastructure sectors.

Obstacles to Achieving Stricter Cybersecurity Standards

The Biden administration’s strategy aims to establish stricter minimum cybersecurity standards for critical infrastructure and shift the responsibility for securing systems to better-resourced players, including the adoption of cloud computing solutions. However, the recent events highlight the hurdles that must be overcome to achieve these goals.

Legal Challenges to Cybersecurity Regulation

The court ruling on the water system cybersecurity regulation could create roadblocks for other potential moves by the administration to mandate improved cybersecurity using existing statutes. This could lead to the need for new authorities, which may require an act of Congress and a slower process to create stricter security standards. Additionally, the ruling may complicate the administration’s plans to harmonize different rules for various critical infrastructure sectors, a move that owners and operators of critical infrastructure have long called for to reduce overlapping regulations.

Concerns over Harmonizing Regulations

While harmonizing regulations across critical infrastructure sectors may seem like a positive step, some experts express concerns about the practicality of such an approach. Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative, argues that there is a risk of missing the nuances and realities of different critical infrastructure sectors by pushing for a single set of regulations. The challenge lies in finding the right balance between standardization and addressing sector-specific needs.

The Role of Cloud Computing Security

Another significant concern raised by experts is the lack of focus on cloud security in the implementation plan. While the Biden administration’s cybersecurity strategy acknowledges the vulnerabilities in the cloud computing industry, the current implementation plan primarily addresses “know your customer” laws for infrastructure-as-a-service providers like Amazon, Google, and Microsoft. Experts argue that cloud security is a concentrated risk for the entire ecosystem and should be given more attention.

Advice for Improving Cybersecurity Measures

In light of the roadblocks and challenges highlighted by recent events, it is crucial for the Biden administration to reassess and strengthen its approach to improving cybersecurity. The following measures should be considered:

1. Collaborate with industry experts: Engage with cybersecurity experts from various sectors to develop effective and tailored cybersecurity standards that address the specific needs and challenges faced by critical infrastructure sectors.
2. Address cloud computing vulnerabilities: Recognize the risks associated with cloud computing and prioritize efforts to enhance cloud security. This may involve working closely with cloud service providers and exploring additional regulations to mitigate potential vulnerabilities.
3. Adopt a flexible approach to regulations: While harmonizing regulations across critical infrastructure sectors is important for reducing overlapping requirements, it is essential to acknowledge the nuances and specificities of each sector. Striking the right balance between standardization and sector-specific regulations is key to improving cybersecurity.
4. Promote public-private partnerships: Enhance collaboration between the government and private companies to strengthen cybersecurity measures. This can include sharing threat intelligence, best practices, and resources to effectively address emerging cyber threats.
5. Invest in cybersecurity education and training: Develop comprehensive cybersecurity education and training programs to equip professionals with the necessary skills and knowledge to protect critical infrastructure systems. This should include both technical and non-technical aspects of cybersecurity.

The Biden administration’s implementation plan for its cybersecurity strategy should be seen as a living document that acknowledges the need for future updates. It is crucial to continuously reassess and adapt cybersecurity measures to effectively mitigate evolving threats and protect the nation’s most sensitive infrastructure.

This report was prepared by , a current affairs commentator for The New York Times.