Issue in Brief: Recognizing the growing threat of cyberattacks to the nation’s critical infrastructure, the Biden Administration announced this week that President Biden is planning to take executive action to improve the nation’s cyber defenses. Further, Congress began its first session of the year by holding oversight hearings on the SolarWinds cyberattack—focusing, in part, on potential Congressional action to improve the nation’s cybersecurity.
On the Horizon: These developments underscore that businesses will increasingly face new legal and regulatory demands regarding certain cybersecurity practices. In particular, businesses that implement industrial control systems (ICSs) should not only keep an eye on these developments but also assess their existing systems and prepare to respond to likely changes in governing legal requirements.
In the last few years, the devastating potential for cyberattacks on critical infrastructure systems (CISs) has been on full display. Perhaps the most striking example of the dangerous potential for unauthorized third parties to obtain access to ICSs and operating systems for CISs (and all businesses) is the recent SolarWinds attack.
SolarWinds is an information technology (IT) company providing products that allow customers to monitor and manage their IT networks. SolarWinds has over 300,000 customers, including the federal government.
In December 2020, a cybersecurity firm, FireEye, revealed that hackers (thought to be from Russia, and potentially sponsored by the Russian government) exploited a SolarWinds tool called Orion by distributing malware via a software update. This malware created a virtually undetectable “backdoor” into compromised IT systems that leveraged Orion. SolarWinds estimates that at least 18,000 of its customers were vulnerable to this attack—and the New York Times estimates that up to 250 government agencies and companies may have been affected.
The SolarWinds attack is far from the only example of the ever-present danger posed by malicious cyber actors. Just last month, unidentified third parties accessed the supervisory control and data acquisition (SCADA) system—a common ICS—of a water treatment facility in Oldsmar, Florida, raising the concentration of the chemical lye in the water to lethal levels. Fortunately, an attentive employee of the facility quickly detected the change and reversed the lye concentrations to their normal levels before any of the water was affected. The Oldsmar facility serves a population of nearly 15,000—meaning that had this attack gone undetected, these individuals could have been exposed to lethal drinking water.
Attacks on CISs have also increasingly occurred abroad. Last year, suspected state actors from China accessed a power grid in Mumbai, India, turning off the power for many of the city’s nearly 20 million residents. In 2017, a Saudi Arabian oil and gas facility was targeted by cyber attackers in what FireEye described as an attack designed to cause physical harm to Saudi citizens. In 2015, Russian military officials launched an attack on the Ukrainian power grid.
The Biden Administration has made hardening the nation’s cybersecurity an early priority. Just this week, the Administration announced that it is preparing to take executive action to improve the nation’s cybersecurity defenses. Anne Neuberger—deputy national security advisor—stated that President Biden is aiming at “building standards for software, particularly software that’s used in critical areas.” Neuberger added: “[w]e have to be able to see and block malicious activity in industrial control system networks across energy, gas, electricity, pipelines, water and chemical critical infrastructure sectors.”
Congress has also set its sights on cybersecurity more generally. In February, Congress held oversight hearings with key players involved in the SolarWinds attack to understand how it occurred and how Congress can act to prevent similar incidents in the future. Those involved and attending the hearings noted that Congress’ focus began with understanding how the SolarWinds attack happened but later transitioned to understanding how to develop policy initiatives to prevent attacks in the future.
Right now, businesses in all sectors should be proactive about their cyber practices. Even without federal oversight, businesses can take many steps to enhance their cyber practices, which we discussed in a recent alert, available here.
Businesses should also anticipate forthcoming executive action and legislation that will impose heightened cybersecurity requirements. Although the Biden Administration has not provided many details regarding the forthcoming executive order(s), it seems likely that the administration may call on both Congress and executive agencies to promulgate requirements to harden defenses within CISs. In addition, Congressional officials have indicated that the following actions could be taken immediately to address cyber vulnerability:
- Improving training for those responsible for cyber-defenses;
- Dedicating more resources to cyber practices through spending and infrastructure bills;
- Developing industry best practices to improve cyber hygiene, including threat hunting—known as the practice of constantly searching for cyber threats; and
- Creating public-private partnerships with mandatory incident and threat reporting requirements—coupled with potential liability shields for businesses that comply with federal reporting requirements to enhance compliance.
Further, the Cybersecurity & Infrastructure Security Agency (CISA) recently issued guidance for businesses with networks that were potentially compromised in the SolarWinds attack. CISA recommends: (1) assessing the severity of the compromise and long-term organizational risk; (2) allocating time and resources to evict the intruders; (3) engaging with third-party companies that specialize in responding to cyberattacks; and (4) seeking further guidance from CISA and industry experts.
Finally, industry experts have commented on the need for businesses to dedicate more resources to cyber practices. This may range from system upgrades to obtaining third-party certifications regarding corporate cyber practices.
While there is no single method to protect against cyberthreats or to remedy intrusions when they do occur, businesses should assess the status of their current cyber systems, identify gaps and potential improvements, and begin now to plan for operational contingencies and mitigation in the event of an attack.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.