The case for mandatory cybersecurity requirements is strong. Opt-in guidelines and recommendations can only push cybersecurity so far and, as CISA Director Jen Easterly has said, “we can’t PSA our way out of this.”
Private companies and, especially, public utilities are stretched thin, often requiring their cybersecurity lead to do acrobatics for every dollar allocated to securing their systems. Every cent of the budget has to be weighed against thin margins and an often dubious board. Mandatory requirements not only call attention to how important cybersecurity is for these companies but also give cyber leads the backing they need to ask for increased budgets and buy-in from company leadership. Unfortunately, their future is not bright.
What happened?
Regardless, the Environmental Protection Agency (EPA) has officially withdrawn the memorandum it released last March. The rule was narrowly tailored to affect only Public Water Systems (PWS) water filtration systems, and it required only that states include annual assessments of these systems’ networks in their yearly surveys. The EPA intended to set a baseline and gain a better understanding of the current status of PWS networks, not to require an overhaul of cybersecurity programs (or the lack thereof) across the country.
The withdrawal follows a lawsuit filed in April by the Attorneys General of Missouri, Iowa, and Arkansas against the EPA. Though the rule followed the February-released National Cyber Strategy, which prioritized defending critical infrastructure through mandatory requirements, these three AGs asserted that the rule was an overly costly federal intrusion on a state issue. This suit, together with the precedent set by 2022’s West Virginia v. EPA, which held that the EPA does not have the authority to regulate “new and big problems,” led the agency to its decision to pull back the rule.
Why should I care?
With this lawsuit and the EPA’s decision, combined with the 2022 SCOTUS decision, the main path to mandatory regulations in 6 of the 16 critical infrastructure sectors now runs solely through Congress. The cybersecurity and technology world moves quickly, and emerging threats must be addressed far faster than Congress is able to respond.
Critical infrastructure upholds our daily lives. If the government is completely incapable of passing timely and impactful rules to govern the cybersecurity of the nation’s most vulnerable and important systems, we will all be far worse off because of it. That this is happening while the targeting of critical infrastructure in the United States is on the rise spells trouble.
The primary path forward now is to hope that critical infrastructure owners and associations invest in and assert the need for cybersecurity themselves. CISA and other non-regulatory agencies (or agencies without authority in this arena) regularly put out guidance and best practices that organizations can choose to follow. Treating these as must-haves rather than nice-to-haves will be the key to building a more resilient nation as cyber threats continue to grow in quantity and sophistication across the world.