FROM THE HILL: Cybersecurity #11
What to Know About the Cybersecurity Implementation Plan and the Court’s Action over Water Cybersecurity Regulations
Estimated Read Time: 5 mins.
The 8th Circuit Court of Appeals has temporarily blocked USEPA’s cybersecurity regulations.
On July 14th, the Biden Administration released its “Implementation Plan” for the “National Cybersecurity Strategy” released on March 23rd (see From the Hill Cybersecurity #10 for a summary).
Of major concern to businesses are potentially overlapping and perhaps conflicting rules from the White House and federal and industry regulators that might require different processes and timelines to satisfy the requirements laid out between now and 2026.
The plan focuses on five (5) major areas and identifies 27 strategic objectives.
8th Circuit Court Action:
On July 13, 2023, the 8th Circuit Court of Appeals issued a temporary stay on the USEPA March 3, 2023, cybersecurity rules (see From the Hill Cybersecurity #8) enforced through the Sanitary Survey Process. The States of Missouri and Arkansas challenged the authority of USEPA to place cybersecurity requirement responsibilities onto the states and local water suppliers. Litigants argued the regulations created costly obligations and liability.
The water sector has been seen as vulnerable to cyberattacks that could cause dangerous increases in the concentration of chemicals normally used to treat drinking water or could create water shortages within certain systems. Both the National Rural Water Association (NRWA) and the American Water Works Association (AWWA) intervened in the suit in support of the Arkansas/Missouri challenge.
The two associations intervening in the suit is somewhat of an about-face for the industry, which, in 2020, argued that jurisdiction over cybersecurity requirements should be removed from pending rules being drafted by the Transportation Security Agency (TSA) and given to USEPA. Arguments for moving that jurisdiction centered on TSA’s lack of legal authority to regulate the water industry and its lack of knowledge of the industry’s operations. USEPA asserted jurisdiction in 2020 and began working with industry members on regulations in late 2021.
The suit, and the ruling on the stay, is likely to get little sympathy from Democratic lawmakers and only minimal sympathy from Republicans. Cyberattacks on the water industry, both foreign and domestic, have largely been detected through human interaction, suggesting vulnerabilities that require system-level protection. The USEPA rules are currently considered “guidance” and are not fully required of water agencies until 2025. The litigants’ argument that USEPA does not have jurisdiction could be easily remedied or clarified by Congressional action.
The Implementation Plan
The July 14th release of the “Implementation Plan” creates a path and timeline to accomplish the goals/objectives of the March-released National Cybersecurity Strategy. The plan establishes 27 goals/objectives across five (5) different “pillars,” including:
· Defend Critical Infrastructure
· Disrupt and Dismantle Threat Actors
· Shape Market Forces to Drive Security and Resilience
· Invest in a Resilient Future
· Forge International Partnerships to Pursue Shared Goals
Initial critiques of the Plan center on the complex interaction it requires between federal agencies and on the establishment of requirements across industry sectors that may not be applicable or practical to implement. For example, critics noted that the Implementation Plan gives the National Security Council (NSC), in conjunction with the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), authority to develop cybersecurity requirements across critical infrastructure sectors (Pillar 1, Objective 1). However, USEPA and TSA have already developed regulatory requirements for specific critical infrastructure sectors. This raises significant questions over conflicting regulatory requirements, standards, and authority. The second objective, scaling public-private partnerships to close security gaps by the 4th Quarter of 2024, is also being met with scrutiny. NIST/CISA collaboration on early-regulated industries has been painfully slow, and the Agencies’ self-proclaimed “Labelling Scheme” for cybersecurity products has been ongoing without much advancement since 2020. The timeline calls into question whether actual standards with effective requirements to close cybersecurity gaps will be developed, or whether the result will be more of the same concerns over applying computational cybersecurity requirements to operational programs that may be vulnerable due to their connectivity to the IoT.
The plan puts 18 agencies in charge of leading at least one initiative, requiring many of the goals to be accomplished through interagency coordination. The White House has described the plan as a “living document” requiring annual updates to reflect the response to continually developing threats. “Version 2.0” of the Plan is said to be published next spring. The public release of the Plan itself by the White House is unique. While initiatives and strategies are regularly published by various Administrations, details on the implementation of those strategies in such a comprehensive written and public format are rare.
Portions of the Strategy are already in progress. On June 20, 2023, the Department of Justice announced a new National Security Cyber Section in the National Security Division. On June 27, 2023, the Office of Management and Budget (OMB) issued a memorandum that outlines cybersecurity investment priorities for the federal government’s fiscal year 2025 budget and guidelines for agencies’ budget submissions. The Implementation Plan assigns each of the Strategy’s initiatives to a federal agency and provides ambitious deadlines for the completion of each.
For critical infrastructure providers, the age of plausible deniability is over. Active and periodically updated threat protections and response plans are required. Reporting is also a requirement, and liability for failure to enact such protections falls upon the provider. While the 8th Circuit Court’s stay calls the authorities into question, bipartisan support for cybersecurity measures is very likely.
For cybersecurity providers, the issue is one of shifting liability and increasing opportunity. In early 2024, the NCD must host a stakeholders’ symposium to explore different approaches to developing the software liability framework laid out in the Strategy, which will involve holding liable software companies that do not follow best cybersecurity practices. The legal symposium will involve discussions with software stakeholders in the private sector to develop a well-informed approach to the new liability regime. The bottom line is that providers are becoming a more heavily regulated industry and should not become lackadaisical in their regulatory review or oversell their products’ capabilities. The opportunities for the industry are just as clear. Like the overall Strategy, the Implementation Plan now builds in required input from the private sector. Specifically, the Plan requests that agencies partner with the private sector to implement the Strategy. Cybersecurity providers should look for opportunities to assess the effectiveness of implementation efforts and provide feedback where appropriate. Those providing that feedback will have greater opportunity to shape the requirements, and those attuned to the new requirements will adapt in the marketplace faster, providing more opportunities to help achieve the goals of the Strategy and Plan.
The Administration’s Cybersecurity Implementation Plan can be found here.
From the Hill is an industry snapshot for Capitol Core Group clients in select industries of interest. It is compiled from Capitol Core research and discussions as well as outside resources including Bloomberg Government, Roll Call, Reuters, and other relevant sources. All data provided is public data but is compiled for ease of understanding.
This is the eleventh in the series on the topic of cybersecurity since 2020 and is a policy overview. Capitol Core initiated this snapshot due to release of the President’s Cybersecurity Implementation Plan and the 8th Circuit Court of Appeals action which impacts Capitol Core clients.
Michael W. McKinney leads Capitol Core’s “technology” practice area which includes cybersecurity.