White House targets 3 critical infrastructure sectors for new cyber regulations
Communications, water and health care are the next critical infrastructure sectors the Biden administration plans to work with to increase their baseline cybersecurity, White House deputy national security adviser Anne Neuberger said Thursday.
The effort, which will be carried out by various federal agencies, is the latest step by the administration to seal gaps in the security of critical infrastructure against hackers in the wake of last year’s high-profile ransomware attacks, including one targeting the Colonial Pipeline that disrupted the East Coast’s fuel supply.
Speaking at a Washington Post Live event, Neuberger said the Federal Communications Commission would soon issue a “public notice regarding rulemaking for emergency public warning systems.”
FCC chairwoman Jessica Rosenworcel recently proposed several changes to emergency alert systems designed to improve their cybersecurity following the discovery of vulnerabilities in August.
Meanwhile, the Environmental Protection Agency would examine existing regulations that call for safety and security of water infrastructure to include cybersecurity — a tactic the administration used with the Transportation Security Administration to create new digital standards for pipeline operators and will employ again for the aviation and rail industries.
Neuberger said the Health and Human Services Department would work with hospitals — which have come under increased ransomware attacks recently — to put in place “cyber guidelines” followed by additional work to secure “devices and broader health care.”
More than 230 health care providers have been targeted by ransomware in the last 12 months, according to data collected by Recorded Future. On Wednesday, one of the largest nonprofit health care systems in the U.S. — CommonSpirit Health — confirmed it suffered a ransomware attack that caused widespread outages.
Neuberger, who previously called on Congress to do more to establish cybersecurity standards for critical infrastructure operators, noted “there are not” many regulatory authorities for some sectors — such as critical infrastructure, emergency services or information technology.
“We’re looking carefully at those to say, ‘What is needed in this space, and how do we approach this?’” she said.