By Christopher Bing and Nandita Bose
WASHINGTON (Reuters) – The White House is signaling to U.S. critical infrastructure companies, such as energy providers that they must improve their cyber defenses because additional potential regulation is on the horizon.
U.S. President Joseph Biden signed a national security memorandum on Wednesday, launching a new public-private initiative that creates “performance controls” for cybersecurity at America’s most critical companies, including water treatment and electrical power plants.
The recommendations are voluntary in nature, but the administration hopes it will cause companies to improve their cybersecurity ahead of other policy efforts, said a senior administration official.
The announcement comes after multiple high profile cyberattacks this year crippled American companies and government agencies, including a ransomware incident which disrupted gasoline supplies.
“These are the thresholds that we expect responsible owners and operators to go,” said the official. “The absence of mandated cybersecurity requirements for critical infrastructure is what in many ways has brought us to the level of vulnerability that we have today.”
“We are pursuing all options we have in order to make the rapid progress we need,” they added.
Biden on Tuesday warned that if the United States ended up in a “real shooting war” with a “major power” it could be the result of a significant cyber attack on the United States, highlighting what Washington sees as a growing threat posed by hackers from Russia, China, Iran and North Korea.
“The federal government cannot do this alone,” said the official. “Almost 90% of critical infrastructure is owned and operated by the private sector. Securing it requires a whole of nation effort.”
The official described the current state of cybersecurity rules for critical infrastructure companies as “patchwork” and “piecemeal.”
“We’ve kicked the can down the road for a long time,” said the official.
(Reporting by Christopher Bing; Editing by Lincoln Feast.)