An ongoing Biden administration review of U.S. policy for offensive cyber operations aims to ensure that these capabilities fit with the nation’s “foreign policy goals” and that they are the right capabilities, a White House official said on Wednesday.
The policy review has two goals. The first is that, given that cyber capabilities are part of the national means used to achieve national interests, “do we have the appropriate processes and reviews to ensure that any use of cyber capabilities fits within our foreign policy goals,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a fireside chat at the annual Aspen Security Forum.
The second objective is that “when we do our capabilities, we want our capabilities to be resilient, flexible and ready to be used when needed,” she said.
Neuberger was responding to questions posed by David Sanger, a New York Times reporter who moderated the conversation. He highlighted that the current U.S. policy on offensive cyber operations was crafted during the Trump administration and gives U.S. Cyber Command more leeway than it previously had to conduct these operations without “cumbersome” and time-consuming reviews, and he asked her why the policy is being revisited. The current policy is classified.
“The goal was ensuring that these capabilities, which are very important for all the reasons we talked about—they can bridge oceans, they can potentially prevent or mitigate the need for kinetic operations—that they would only be used to serve our national goals and in our national interest,” Neuberger said. “And to do that review to make sure that was the case, given that policies have changed. And that given these capabilities are so new, we’re learning each time they’re used, and as such want to have a regular way to take the lessons from operations that occur and capture that in both laws, policies and frankly, processes.”
Sanger also asked about lessons learned from the May 2021 cyber attack on Colonial Pipeline, which temporarily shut down pipeline operations along the East Coast, leading to fuel shortages.
Neuberger described the incident as “a major milestone in our nation’s cybersecurity policy and outcomes” and highlighted that the pipeline industry wasn’t required to have cybersecurity practices in place and that the government had no visibility into its security posture. A White House National Security Council-led review showed that the U.S. Transportation Security Administration did have emergency authorities to implement cybersecurity regulations for the pipeline industry, she said.
Now, as a result of new regulations, the U.S. government has visibility into the cybersecurity of the oil and gas pipelines, Neuberger said, describing the use of these authorities as a “major change.”
“And at any given moment in time in the run up to the Russia conflict, when the president turned to us and said, ‘Where are we from an oil and gas pipeline perspective?’ We knew what was in place and we knew we had the visibility and that the CEOs of those companies had been briefed,” she said.
TSA has since rolled out cybersecurity mandates to high-risk freight rail, passenger rail and transport operators, and also to the aviation sector. The agency requires that these entities, including the pipeline operators, designate a cybersecurity coordinator, report incidents to the Cybersecurity and Infrastructure Security Agency, develop an incident response plan, and conduct self-assessments to identify and mitigate potential vulnerabilities.
Neuberger said that the White House will be inviting all rail CEOs to a classified briefing in early August to discuss cybersecurity.
“So, we’re working sector by sector, to put that in place because we know that a disruption or a degradation would impact millions of Americans,” she said.