Biden to sign an executive order aimed at protecting critical American infrastructure from cyberattacks.
A day after President Biden warned that cyberattacks could lead to a “real shooting war,” he is expected to sign an executive order on Wednesday aimed at preventing hackings on America’s critical infrastructure.
While the order has been in the works for some time, the need was driven home by a series of major ransomware attacks, including against Colonial Pipeline, which provides the East Coast with 45 percent of its gasoline, jet fuel and diesel.
The order is mostly filled with voluntary measures for companies to meet a series of online security standards, like encrypting data and requiring two-factor authentication for all users on a system, to stymie hackers who possess stolen passwords. In a call with reporters Tuesday night, a senior administration official said the idea was to develop “cybersecurity performance goals” to assess how prepared each company or utility was.
The effort is a way to get beyond the “woefully insufficient” patchwork of mandates and voluntary actions to protect electric utilities, gas pipelines, water supplies and industrial sites that keep the economy running, the official said.
Such efforts have been tried before, dating to the presidency of George W. Bush. But Mr. Biden is the first president to talk about the issue — almost every week — as a national security imperative. It was the central topic of his meeting in June with President Vladimir V. Putin of Russia. And on Tuesday, visiting the Office of the Director of National Intelligence, Mr. Biden gave a grim assessment of where he believed the constant, short-of-war attacks on the United States, both state-sponsored operations and criminal ransomware, are headed.
“If we end up in a war, a real shooting war with a major power,” he told the intelligence officers there, “it’s going to be as a consequence of a cyberbreach of great consequence. And it’s increasing exponentially — the capabilities.”
Mr. Biden’s chief challenge now is a lack of authority to mandate changes. He has already imposed security standards on providers of software to the federal government, betting that if a company is banned from selling to the government, it will also suffer in the commercial marketplace. He has ordered a series of increased protections for federal agencies, 10 of which were affected by the SolarWinds hacking last year, a broad invasion of the software “supply chain” used by 18,000 companies and governments.
But key elements of American infrastructure are run by private companies — and in Colonial Pipeline’s case, Russian-speaking hackers brought down the distribution system almost accidentally, after attacking the company’s business systems. That was followed by another ransomware attack on JBS, the world’s largest beef producer, which paid $11 million to start running again.
For years, many industries have maintained informal organizations that share cyberthreat information or best practices. But there are so many holes in the system that it has been relatively easy for Iran, Russia, China and ransomware groups to find ways to place malicious software in the systems, or initiate attacks that freeze data and make it impossible to operate, as happened to Colonial Pipeline and JBS.
The measures outlined in the new national security memorandum, called “Improving Cybersecurity for Critical Infrastructure Control Systems,” are being coordinated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Commerce Department’s unit that sets industrial standards.