- The White House has picked healthcare, water and emergency communications as its next critical infrastructure focus areas, with the aim of raising minimum security standards, Anne Neuberger, the White House deputy national security advisor for cyber and emerging technology, said Thursday at an Axios event.
- Many peer governments have minimum cybersecurity standards in place for critical infrastructure, said Neuberger. "We're now recognizing we very much need to do that in the U.S.," building on what the administration has seen happen in recent ransomware attacks, including those against a U.S. hospital chain.
- At the end of October, the Cybersecurity and Infrastructure Security Agency will also roll out minimum security standards that can apply to organizations across sectors.
Water, emergency communications and healthcare are soft spots in U.S. critical infrastructure resiliency, areas that if compromised could directly affect people's safety.
The attention on healthcare comes after a tumultuous period for the sector. One of the nation's largest health systems, CommonSpirit Health, is still reeling from a ransomware attack that is disrupting services.
The U.S. counts 16 sectors as critical infrastructure, but some already have a high standard of security in place. Financial services, for example, has existing policies dictating security compliance.
The White House's goal is for Americans to have confidence in all critical services and is honing in on those sectors that don't already have standards in place, according to Neuberger.
The White House is now aiming to fill the gaps, much as it did with its focus on oil and gas after the Colonial Pipeline ransomware attack last year. The Transportation Security Administration rolled out security guidelines for oil and gas, and will introduce additional guidelines for aviation and rail, Neuberger said.
Rolling out security guidelines is not without its hiccups. After key stakeholders pushed back, The White House brought in executives across the sector to share top secret, classified context around threats targeting the sector, Neuberger said.
The TSA revised the security directives with the executive input and used a similar model of public-private sector collaboration to develop aviation and rail guidance.