Andy Watkin-Child, Founding Partner of The Augusta Group examines the steps being taken in the US to improve cyber-resilience.
2020 and 2021 were challenging years for US cybersecurity and cyber policy. 2020 ended with the SolarWinds hack and 2021 started with the Microsoft Exchange attacks, followed by the Colonial Pipeline and JBS meat hacks. These attacks highlighted the impact of nation state threat actors and their proxies and, taken together, set the US on a course of executive orders, cyber-legislation and regulatory enforcement that will continue into 2022 and beyond.
2021 was the year that the US started to come to terms with the fact that, despite its prominent position in cybersecurity globally, its global supply chains, Critical National Industries and companies may not have been as secure as expected. The result was the signing of two important executive orders (EO) to address supply chain and cybersecurity. Executive Order 14017 (America's Supply Chains), signed in February 2021, initiated reviews of current Supply Chain Risk Management (SCRM) and cyber-capabilities across Federal Agencies.
Executive Order 14028 (Improving the Nation's Cybersecurity) was signed in May 2021, setting out a range of activities for the Federal Government to assess, recommend and improve the protection of US National Security. It jump-started the US cybersecurity legislative and regulatory enforcement agenda.
Cyber-legislation, regulation and enforcement
Cyber regulation is not new for the US. In 2002 Congress passed the Federal Information Security Management Act (FISMA), updated in 2014 as the Federal Information Security Modernisation Act. In 2016 the Department of Defense (DoD) modified DFARS 252.204-7012, requiring all covered defence contractors to comply with the 110 cybersecurity practices defined in NIST SP 800-171 (R2) 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'. Both programs failed to address their stated aims of managing Federal cyber-risk and DoD cybersecurity. As a result, in 2020 the DoD implemented what is known as the CMMC (Cybersecurity Maturity Model Certification) program, updated in November 2021 (CMMC 2.0), and the US Congress is working to update FISMA in 2022.
There is more to come. Both the Senate and House of Representatives moved legislation forward in 2021 that included cyber. The 'Infrastructure Investment and Jobs Act' was signed into law and included a significant amount of cybersecurity investment for critical national infrastructure. The 2022 'National Defense Authorization Act (NDAA)' also included cybersecurity provisions to secure DoD infrastructure. The Chair of the Securities and Exchange Commission (SEC) made it clear in January 2022 that cybersecurity, governance and regulatory reporting will be a focus for the SEC in line with securities laws, affecting public firms that require access to capital in the US through its regulated financial markets.
2021 also saw cyber regulatory enforcement by the US Department of Justice (DoJ) and Department of the Treasury (DoT) openly discussed. In October 2021 the DoJ announced that it had set up a 'civil fraud initiative', using the False Claims Act (FCA) to pursue government contractors who receive federal funds when they fail to follow required cybersecurity standards. The DoT updated its advisory on the 'Potential Sanctions Risks for Facilitating Ransomware Payments' (September 2021) under OFAC (Office of Foreign Assets Control), setting out an enforcement agenda for cybersecurity and ransomware payments in 2021 and going forward.
Why should the international community pay attention?
The first reason is that the US is the world's largest trading nation. The combined spend of the US Federal Government in 2021 was over US$6.8 trillion and, by way of example, the US DoD spends over US$600 billion annually on defence. The US commands a lot of buying power and can set the requirements it expects its trading partners to meet, including cyber standards. The second is that US capital markets are the largest in the world, and companies that want access to US liquidity are reliant on US financial markets, which are governed by Federal laws.
The third is the reach of the US government through its supply chains. By way of example, the DoD has been trying to enforce cyber regulations across its global supply chain since 2017 through its DFARS regulations, requiring DoD contractors and subcontractors to implement the 110 NIST SP 800-171 cybersecurity practices or lose out on defence contracts. These cybersecurity standards are significantly greater than any other regulated standards globally.
If you want to control the agenda, you control three things: regulation, the marketplace and access to money. In this case the Federal Government can control all three. With cyber having such a significant impact on the US economy, the legislative and regulatory focus in the US is currently setting the cyber regulatory programs required to trade with Federal, State, Local and Tribal governments, the cybersecurity governance and reporting requirements for access to its financial markets, and the regimes, programs and standards that the US expects its domestic and international suppliers to follow if they want access to its lucrative markets.
For more information, visit: augustagrp.com
This article was originally published in the February 2022 edition of International Security Journal.