Top White House cyber official says Congress should push for digital security mandates

A senior White House official on Thursday said Congress could do more to set basic cybersecurity standards for critical infrastructure sectors to better protect them against digital threats.

“We are behind other countries in setting cybersecurity requirements for the critical elements of infrastructure, the most significant — water, power, pipeline, hospitals in the country, as well as the technology that crosses all of them,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during an event at the Center for a New American Security.

"When we drive a car, the car comes with the seatbelt, comes with airbags. It comes with standards for what's the speed you can drive on the road. And what happens if there's a major accident?" Neuberger said at the Washington-based think tank. "We need the same with cyber."

She noted that the administration has taken various actions — most notably through last year’s sweeping executive order — to push the private sector to voluntarily boost security, but that lawmakers could prod operators to do more to bolster digital defenses.

"We really need the Hill to put in place those mandatory standards," Neuberger said.

Her remarks come days after the Transportation Security Administration issued revised cybersecurity directives for oil and natural gas pipelines. The administration originally unveiled the guidance after a meeting with sector executives following the ransomware attack that temporarily shut down the Colonial Pipeline last summer, disrupting the East Coast’s fuel supply. However, the directive was met with fierce opposition from industry leaders.

Neuberger said the White House will host a group of railroad executives next week for a classified briefing about the cyber threats posed by nation states like Russia and China. 

She also said the Environmental Protection Agency would “shortly” issue a rule to extend its water system sanitation reviews to include cybersecurity considerations.

But even there, she added, "we need the Hill to ensure that those authorities are clear.”

Momentum is growing on Capitol Hill to protect crucial U.S. digital assets from hackers.

The House version of the annual defense policy bill includes language to designate “systemically important entities” to the most vital organizations with the 16 categories of U.S. critical infrastructure. The new label would require operators to enact strong digital security standards and share threat intelligence with the government in exchange for federal support.

The Senate draft of the massive policy bill does not contain such a provision. Once the chamber votes on its version, legislators will hash out their differences in a conference committee.

Neuberger said Congress is a “major partner” in looking at sectors that lack authorities or “where there's hesitancy by agencies to move without real Hill backing to do so.”

She said she has received “a lot of interest and excellent feedback" from lawmakers about the “right path" to enacting clear cyber regulatory authority for more sectors.

“We're really looking forward to, over the next few months, continuing that engagement, hearing the input of members of the Hill and staffers as well, and crafting that together,” according to Neuberger.