The ransomware attack against the Colonial Pipeline Company spurred panic buying and fuel shortages along the Eastern Seaboard. Although the attack did not target pipeline control systems, it forced the temporary suspension of fuel shipments via a major pipeline network, according to a company statement. The Biden Administration announced Executive Order (E.O.) 14028 (the EO), “Improving the Nation’s Cybersecurity,” on May 12, 2021, framing it as a response to the pipeline incident and other recent cyberattacks. While the EO creates requirements that apply to federal agencies and government contractors, the Administration hopes that these actions will have a secondary effect of improving cybersecurity among critical infrastructure companies.
An official, briefing reporters about E.O. 14028, said, “Anybody doing business with the U.S. government will have to share incidents so that we can use that information to protect Americans more broadly.” Asked whether the Administration would support congressional efforts to expand information sharing and incident reporting requirements “to a broader set of private companies, perhaps starting with critical infrastructure, such as Colonial,” the official responded, “Absolutely.”
Using actions aimed at federal agencies to drive critical infrastructure security and resilience (CISR) departs from the policy framework first instituted in the late 1990s and subsequently expanded. The 1998 Clinton Administration executive action, Presidential Decision Directive-63, “Critical Infrastructure Protection,” established a framework for public-private partnerships across several designated critical infrastructure sectors. The directive stated that these partnerships should be “genuine, mutual and cooperative,” and that market incentives would be “the first choice for addressing the problem of critical infrastructure protection,” with regulation used as a last resort in the case of a “material” market failure affecting the health or safety of Americans.