The Biden administration is eyeing ways to harden cybersecurity defenses for critical infrastructure, announcing Wednesday the development of performance goals and a voluntary public-private partnership to protect core sectors.


What You Need To Know

  • The Biden administration on Wednesday announced it is taking several new steps to help defend U.S. companies from cyberattacks, seeking to thwart the recent uptick in ransomware attacks that have targeted areas of critical infrastructure 

  • The actions, outlined in a new White House directive, include a list of “performance goals” for U.S. critical infrastructure companies to meet as they work to strengthen their digital defenses

  • The Biden administration will also form public-private partnerships with U.S. companies to bolster cyber defense and resiliency; the administration has not ruled out making this voluntary effort mandatory

  • One administration official said that short of legislation, “there isn’t a comprehensive way to require deployment of security technologies and practices that address ... the threat environment that we face"

The actions, outlined in an order being signed by President Joe Biden, are an acknowledgment of the cybersecurity vulnerabilities of critical industries — a reality made clear by the May hack of the nation’s largest pipeline, which delivers about 45% of the fuel consumed on the East Coast.

But they’re also meant to address the “patchwork of sector-specific statutes” that have been adopted piecemeal over time and that leave the government without a uniform or adequate cybersecurity threshold, according to a senior administration official who briefed reporters before a formal announcement.

"Our current posture is woefully insufficient given the evolving threat we face today," the official said. "We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory."

The partnership was launched as a pilot program in April with electricity utilities, and additional alliances with other sectors will be formed this year. It comes as federal officials have been promoting greater cybersecurity resiliency among private companies, including announcing new requirements and protections for pipeline operators last week.

The partnership is voluntary, though the administration has not ruled out the possibility of mandatory requirements in the future, the official said. But short of legislation, the official said, “there isn’t a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we face.”

In addition, Wednesday’s order will direct the departments of Homeland Security and Commerce to develop cybersecurity performance goals for critical infrastructure.