The President’s Speech and Critical Infrastructure
By Ravi Nayyar
This week, the UN General Assembly held its 76th Session. Of course, one of the world leaders to address the UNGA was the President of the United States. Because of my doctoral research, I homed in on the following bit of POTUS’s speech:
We’re hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, and working to establish clear rules of the road for all nations as it relates to cyberspace.
The bolded bit in particular.
And I wondered what the US had achieved in that context.
(This piece will not directly touch on the ‘disrupting ransomware networks’ bit, because I have dealt with the issue of hitting the financial infrastructure of said networks in a previous piece on this site, as well as in a series of four posts (1, 2, 3, 4) for the blog of the ANU Journal of Law and Technology. I support the United States’ recent sanctioning of the SUEX OTC, S.R.O. virtual asset exchange, especially in light of its role in laundering ransom payments. I applaud Treasury’s Office of Foreign Assets Control for recently updating its guidance on the sanctions risk that attaches to ransom payments. Also, due to my lack of experience in offensive cyber policy, I will defer to Dmitri Alperovitch’s excellent op-ed from earlier this week on the need for the United States to leverage its offensive cyber capabilities against ransomware actors. Also, if you have any feedback on my essay looking at offensive cyber operations from a criminal law theory standpoint, please sing out!)
Achievement = Policymaking
Critical Infrastructure
Of course, one could argue there has been ‘hardening’ of United States critical infrastructure because of the degree of policymaking in that space. Take, for instance, the President’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems from July this year. Section 1 states the policy of the present Administration ‘to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions’. Section 2 introduces the ‘Industrial Control Systems Cybersecurity Initiative’, a voluntary, public-private partnership for critical infrastructure, primarily seeking to encourage and facilitate:
deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.
Per section 3(b), sectoral regulators (defined under US federal law) as well as other government agencies and departments were tasked with helping critical infrastructure owners and operators ‘implement the principles and policy outlined in this memorandum’. Section 4 directs the Secretary of Homeland Security to ‘develop and issue cybersecurity performance goals for critical infrastructure’, with the Cybersecurity & Infrastructure Security Agency (‘CISA’) releasing ‘preliminary cross-sector control system cybersecurity performance goals’ under the auspices of that section. Those goals cover nine areas of cyber resilience, including:
- Risk Management and Cybersecurity Governance;
- Architecture and Design;
- System and Data Integrity, Availability, and Confidentiality; and
- Supply Chain Risk Management.
Cyber Resilience
The above work is adjacent to American policymaking this year on cyber resilience more generally. There have been the cybersecurity executive order, NIST’s guidance on critical software security measures and the US Department of Commerce’s specification of the minimum requirements for a Software Bill of Materials, to name a few examples.
We have seen some strong words coming out of the USG as well when it comes to cyber risk. There have been the parallels drawn by the FBI Director between the ransomware onslaught and the attacks of 11 September 2001. There was the open letter from Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, to corporate America, which ‘urge[d them]… to take ransomware crime seriously and ensure…[their] corporate cyber defenses match the threat’, and provided a list of security measures they ought to implement. There was also the formation of a ransomware task force, first reported in July.
Cyber Diplomacy
The Yanks have also used the right words on the international stage in relation to fighting the malicious targeting of critical infrastructure and, per the President’s speech, ‘working to establish clear rules of the road for all nations as it relates to cyberspace’.
In April 2021, the United States joined its fellow Five Eyes (‘FVEY’) countries in condemning the targeting of critical infrastructure by malicious cyber actors. Out of that FVEY Ministerial, the countries also released a Ministerial Statement on Ransomware. Flagging the ‘significant threat to Governments, critical infrastructure and essential services on which all our citizens depend’, the countries pledged to work together to comprehensively deal with the threat.
Hot on the heels of the Colonial Pipeline attack, critical infrastructure protection and ransomware came up in the Biden-Putin summit at Geneva in June, with the American President stating in the post-summit press conference that: (emphasis added)
I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means… Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.
The United Nations’ Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (‘UN GGE’), of which the United States is a part, published its report in July. The UN GGE pointed to the ‘increasingly serious’ targeting of critical infrastructure worldwide, echoing the reference to ransomware attacks against critical infrastructure in G7 states ‘growing in scale, sophistication, and frequency’ from the October 2020 Ransomware Annex to the G7 Finance Ministers and Central Bank Governors’ Statement on Digital Payments.
Among the norms for responsible state activity in the fifth domain that it proposed, the UN GGE recommended: (emphasis added)
Norm 13 (f) A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public…
Norm 13 (g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199.
One can also look at the references to cooperation on cyber issues in the AUSMIN Joint Statement from September. The Australian Foreign Minister and her American counterpart:
acknowledged the deepening collaboration [between the two countries] on cybersecurity, including intelligence sharing, personnel exchange, training and exercises, [and] capability development… The principals emphasized the imperative of holding malicious cyber actors to account and noted the need for regional cooperation to improve cybersecurity…
But What Has That Policymaking Achieved?
Well, surely the proof of the pudding for the Biden Administration’s policymaking would be in a comprehensive, sustained decline in attacks against and/or breaches of the cyber resilience of US critical infrastructure entities over the year, right?
For the sake of argument, let’s assume that it would be.
So has said decline eventuated?
Well, looking at the months after the May cybersecurity executive order, not really.
Look at the following examples (i.e. those that made the news):
- 1,200 K-12 schools (throughout 2021), from which hackers have exfiltrated and published students’ PII (including Social Security Numbers);
- JBS (June), the ‘world’s largest meat producer’;
- Kaseya (July), whose software would be deployed by MSPs that service critical infrastructure operators;
- Eskenazi Health (August), which ‘operates a 315-bed hospital, inpatient facilities and community health centers throughout Indianapolis’, and was forced to divert ambulances to other hospitals;
- Howard University (September), which was forced to cancel classes;
- a farm (September), which lost US$9 million in a ransomware attack;
- New Cooperative (September), an Iowa agricultural cooperative: attacked by the same ransomware group which pledged only a few months earlier to not attack critical infrastructure sectors; on whose software ‘about 40% of [American] grain production runs’; and on which ‘11 million animal feed schedules rely’;
- Alaska Department of Health and Social Service (September), whose computer network was compromised by (the Department alleges) a nation-state espionage actor;
- TTEC (September), a major customer service provider to large corporations, including members of critical infrastructure sectors like financial services and telecommunications; and
- the Port of Houston (September, attack successfully defended), one of the largest US port authorities and targeted by a suspected state-sponsored actor.
If the risk to critical infrastructure was not that large an issue, why then did Anne Neuberger feel the need to do a press briefing at the White House prior to the recent Labor Day holiday to ‘raise awareness… particularly for critical infrastructure owners and operators who operate critical services for Americans’ of the threat from malicious cyber actors?
And why specifically recommend mitigation measures that are, frankly, basic ones: patching, having strong passwords, putting in place multifactor authentication, and reviewing and practising incident response plans?
Ms Neuberger was matched by the FBI and CISA in their Joint Cybersecurity Advisory on ‘Ransomware Awareness for Holidays and Weekends’.
Okay, perhaps the heading for this section is unfair to an extent considering the recency of some of the above policy developments.
But then again, it is not like critical infrastructure operators have been asked to reinvent the wheel. Having better threat detection capabilities and public-private information sharing are hardly new policy imperatives, for instance. It is not like the aforementioned preliminary goals that CISA released are so revolutionary that we need to give operators a lot of time to understand and implement them. As CISA itself acknowledged, the goals were based on a review of existing USG literature, including CISA and NIST material.
Either way, in light of the definition of critical infrastructure under American federal law, the stakes are quite high to get the cyber resilience of critical infrastructure assets and systems into a robust enough state.
As the UN GGE put it: (emphasis added)
This norm [Norm 13 (f)] also points to the fundamental importance of critical infrastructure as a national asset since these infrastructures form the backbone of a society’s vital functions, services and activities. If these were to be significantly impaired or damaged, the human costs as well as the impact on a State’s economy, development, political and social functioning and national security could be substantial.
Mere policymaking won’t cut it against threat actors.
As the legendary commentator, HG Nelson, inquired: (emphasis added)
What do people have to do to make things stop?