On March 21, 2022, President Biden publicly recognized that, while his Administration is prioritizing modernizing the federal government’s cybersecurity practices, it is the patriotic obligation of the private sector to invest as much as it can in preparing for cyberattacks.
Over the course of the past month, media images of the war in Ukraine have shown the kinetic destruction wrought by Russian artillery, missiles, and aerial assaults. Yet, as President Biden warns, it is the unseen Russian cyber capabilities that now present a clear and present danger to U.S. national security. President Biden warned that “[b]ased upon evolving intelligence Russia may be planning a cyberattack against us.” He noted that “[t]he magnitude of Russia’s cyber capacity is fairly consequent and it’s coming.”
Nonetheless, he notes that while the Federal government is doing its part, the private sector largely decides which protections it will or will not adopt to mitigate the risk of, and prepare for, the inevitable cybersecurity attack. Understanding this dichotomy, President Biden urges companies, particularly those operating in or supporting critical infrastructure sectors, to take a selfless approach to cybersecurity. He admonishes, “[l]et me be absolutely clear about something, it is not just in your interests that are at stake…it is the national interests at stake and I would respectfully suggest it is a patriotic obligation to invest as much as you can.”
What does this mean for U.S. companies, particularly those considered operating in or supporting critical infrastructure sectors? It means act now.
In short, it has arguably never been more critical for U.S. companies to assess their preparation to mitigate the risk of and respond to a cybersecurity incident. This is particularly so, as trends indicate that cybersecurity regulations and respective enforcement will only continue to expand under the Biden Administration.
As a clear demarcation line, on May 12, 2021, President Biden signed the Executive Order (“EO”) “Improving the Nation’s Cybersecurity,” setting forth his priority to protect the United States from malicious cyber actors. Since then, the federal government has not only taken significant measures to modernize the federal government’s cybersecurity practices, but has begun to further regulate the cybersecurity practices of the private sector. By way of example, this includes:
- The U.S. Department of Justice Civil Cyber-Fraud Initiative;
- The Transportation Security Administration’s Security Directives for transportation operators and pipelines;
- The Securities and Exchange Commission’s (“SEC”) proposed cybersecurity risk management rules and amendments for registered investment advisers and funds;
- The SEC’s proposed rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies; and
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022.
As the EO makes clear, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” Whether out of a patriotic duty to protect critical infrastructure against malicious cyber actors or to prepare for inevitable additional regulation, the time is now to ask yourself: are we ready?