On March 18, 2022, President Biden issued a letter to California Gov. Gavin Newsom (the “March 18th letter”) requesting that he secure California’s computer systems and critical infrastructure in light of recent Russian cyberattacks against Ukraine. President Biden advised Newsom to gather his leadership team to discuss California’s cybersecurity and address several fundamental questions, including whether California’s Public Utility Commissions (or other California agencies) set minimum cybersecurity standards for California’s critical infrastructure.
President Biden further encouraged Newsom to promulgate the standards set forth in his May 2021 Executive Order, Improving the Nation’s Cybersecurity (the “May 2021 Executive Order”), to secure California’s computer systems and critical infrastructure.
Three days later, on March 21, 2022, the president issued a statement informing U.S. citizens that now is “a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience” (the “March 21st statement”). He averred that although the administration has made great efforts to strengthen U.S. national cyber defenses, they cannot achieve such an imperative goal alone. President Biden wrote that most of America’s critical infrastructure is owned and operated by the private sector and urged them to fortify their cyber defenses immediately.
The March 21st statement was accompanied by a Fact Sheet, where the administration encouraged private companies to employ specific actions to help protect U.S. critical services. Some of the suggested actions were included in the May 2021 Executive Order and March 18th letter. The most vital actions included:
- Mandating multi-factor authentication on computer systems;
- Deploying modern security tools on computers and devices;
- Inquiring insight from cybersecurity professionals to ensure that systems are patched and protected against all known vulnerabilities;
- Backing up data and ensuring that companies have offline backups;
- Conducting exercises and drills of emergency plans;
- Encrypting data;
- Educating employees on how to detect cybersecurity events; and
- Engaging proactively with a local FBI field office or a Cybersecurity and Infrastructure Security Agency’s (CISA) Regional Office to establish relationships in advance of cybersecurity events.
As emphasized in the March 18th letter and March 21st statement, state governments and private companies are currently at high risk for cyberattacks and should govern themselves accordingly. Taking this into consideration, companies operating in and around U.S. critical services and infrastructure should be aware of the administration’s comments and suggestions and should review their current cyber-defense protocols and procedures to ensure that the appropriate protections are in place. The CISA website provides helpful insight as to how private companies can help counter Russian cyberattacks.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.