Opponents of the US in the cybersphere were probably not thrilled when they found out who they would be up against with Anne Neuberger’s appointment as US deputy national security advisor for cyber and emerging technology.
In an exclusive interview with The Jerusalem Post, Neuberger said she and others in the Biden administration have brought a “relentless focus” to the issue of cyberdefense.
“It is a part of lifting everyone up. Everyone is capable of improving. There are different [economic] sectors and different levels of their understanding of the threat and of their maturity.”
Anne Neuberger
“It is a part of lifting everyone up. Everyone is capable of improving. There are different [economic] sectors and different levels of their understanding of the threat and of their maturity,” said Neuberger in explaining her approach to strengthening America’s cyber protections.
- See No. 14: Promoting Israel
- See No. 16: Keeping America and its allies secure
- See full list
- See 2021's list
Neuberger knows something about combating opponents relentlessly, having served for more than a decade at the National Security Agency as director of cybersecurity, as assistant deputy director of operations and as the agency’s first chief risk officer.
The state of US cyberdefenses
And yet with all of that background, having to move from cyber combat with America’s enemies to going on defense for America’s civilian sector was no simple switch. Questioned about how far along the US has come in improving its cyberdefenses since the December 2020 SolarWinds and May 2021’s Colonial Pipeline mega-hacks, the cyber chief suggested taking a step back.
“The story of cybersecurity is decades-long. We didn’t make enough progress over the years for how we secured critical infrastructure of power plants, water” and other sectors, said Neuberger.
“Almost immediately after the administration took office, we started drafting the [first new cyber] executive order. It got released right after [the] Colonial [Pipeline hack], but it was after months of work. President [Joe] Biden knew the issue. It was clear that cyber was a priority.”
However, she said the Colonial Pipeline hack “crystallized in the US the understanding of what cyberattacks on critical infrastructure could do. Biden’s executive order set a high bar. It was aggressive, but achievable.”
Expressing the Biden administration’s underlying strategy, she said the key was to have technology meet certain standards to properly handle incident response, tighten information sharing and issue directives.
Moreover, she said her team performed a review of all of the governmental authorities. Until then, government officials’ focus had been on requiring legislation to achieve any real movement in how the country conducted itself regarding the cyber arena.
“We started using every authority we had [even without getting new powers from Congress]. We found the TSA [Transportation Security Administration] authority to set rules for the oil and gas sector. We moved on to transportation by rail. Next week, we are working on aviation. We are working sector by sector,” she explained.
Next, she said, “You have to make sure to lock the digital doors and have [metaphorical] alarm systems so that you can have confidence that these are defended systems.”
One sector that has been especially vulnerable to getting hacked in the recent past is the water sector.
Pressed about whether the Biden-Harris administration’s progress since a major hack of the water network of Oldsmar, Florida, in February 2021 would prevent a similar attack now, she responded, “If you asked me that question today, the answer varies by sector because the state of cybersecurity and the federal government’s authority to directly improve companies’ security is different for each sector (critical infrastructure in the US is largely private sector).
“If you asked me about oil and gas pipelines, we’ve made meaningful progress in improving cybersecurity for the approximately 100 companies [that] operate critical pipelines. If you asked me about the water sector, where there are over a thousand critical companies, we have a plan and are working across the country step by step. We exercised the TSA emergency authorities to ensure that all 96 critical oil and gas pipelines meet” set cyberdefense standards, she said.
However, regarding the water sector, she noted, “There are 1,600 [distinct] critical water sectors in the US. They are a combination of public companies and municipal companies. The EPA [Environmental Protection Agency] believed they did not have the authority to do the equivalent of a mandate [as with oil and gas]. We worked with them for six months.”
She and Biden went to visit the Louisiana water network. Neuberger highlighted that the infrastructure for the network dates back to the 1930s. “Now the relevant officials are starting to modernize that infrastructure. But as people add connectivity, this brings new cyber risks. Our work highlighted to them that there are new cyber risks.”
Eventually, the administration hooked on to the strategy that since they can issue rules that set standards for water safety, so now “they can set standards for water for cybersecurity.”
Still, there have been some delays in applying pressure to water companies to reform because “the nature of the authority and the model is different, since we couldn’t just do mandates.”
“We are perfecting the guidelines which are coming out this fall. They will be coming out from the Department of Homeland Security. We are working to align IIJA [the November 2021 Infrastructure Investment and Jobs Act] money to help cover some of the costs” to the water sector for improving its cyber game.
Further, she said, “Water is a sector that needs some real work on cyber resilience. This is not a snap-your-fingers moment. Rather, it is a complex combination of finding authorities, assembling funding and seeking creative ways to set standards.”
In contrast to the water sector, which has years of catching up to do, the administration has found the “banking sector has been dealing with money laundering and criminal conspiracies for years” and is on the cutting edge of cybersecurity defense.
But other sectors still do not fully “understand the risks to cybersecurity.” Another key to proper defense is simply to “hire great people.”
More and more experts are admitting that democracies are farther behind in guarding data privacy than protecting their critical infrastructure.
“There is a difference between infrastructure and data. The whole Internet economy runs on data. Data brokers sell data. We have to work to lock down some of that data. There are various efforts underway,” Neuberger said. “If a country wants to impact another country, it will try to disrupt and degrade its access to critical infrastructure. This is our top focus.”
She also highlighted the US’s cyber cooperation with Israel, saying, “We really gain a lot from our partnership with Israel, sharing intelligence, sharing cybersecurity techniques used to defend networks, learning what models are useful to set technology standards for systems and data.”
Neuberger was asked about her experience of differences in policy or style now that the Israel National Cyber Directorate is run by Gaby Portnoy, who replaced Yigal Unna in February.
“What Gaby notes is that we all use similar systems. Technology is global, and communications are global. We use similar software and hardware, like Cisco routers,” she said. “The more sharing [of] information from attacks we see, the more the defenders are successful. When we deepen intelligence sharing, we deepen cybersecurity.”