Government progress report on the US 100-day cybersecurity programme

In April this year, the Biden administration launched its 100-day plan to strengthen cybersecurity of critical infrastructure. DOE issued a progress report on its implementation on 16 August.

Some related comments:

  • It appears that the Administration is now finally breaking with the basic approach of the Executive Order (E.O. 13920) issued by President Trump on May 1, 2020, which formally bans the use of foreign-origin electricity devices and systems that pose a potential threat to U.S. transmission.
  • However, the big question remains: what was the specific trigger for the issuance of the E.O.?! The most suspected cause is the “factory” hacking of a Chinese-made large transformer. In the USA, 200+ Chinese made large transformers have been installed in the last few years. There could be a serious and ongoing threat if the Chinese-made 345/230 kV transformer, weighing about 227 tons, seized in the Port of Houston in the spring of 2020 and then delivered to the national security profile SNL (Sandia National Laboratories), did indeed contain hacked electronics (or if other transformers delivered earlier could have such hacked but undetected electronics). However, no information has been made public for more than a year now on the results of the Sandia investigation.
  • It is also apparent that, contrary to the practice of the Trump administration, the Biden administration places particular emphasis on operating consultation mechanisms with the widest possible range of stakeholders.
  • There is a strong indication that the Biden administration will ‘only’ set out a framework for the development of cybersecurity for critical infrastructures, but will not recommend any specific technology or service provider. Incidentally, this approach is in line with that of SeConSys, which also only recommends a framework.
  • The 100-day programme was an important step in mobilising the relevant areas. However, it is clear that a miracle cannot be done in 100 days. Yet the time factor is one of the most serious problems. The series of attacks that started with SolarWinds/Orion shows that the US cyber defence needs to be significantly strengthened. Until this is done, attacks of similar severity cannot be ruled out (as was the case with the Colonial Pipeline attack).

In the light of the developments of the last year or so, and the long life span of ICSs – 5-10, even 15-20 years – it may be justified to take measures in Hungary as soon as possible, to be developed in a framework similar to the SeConSys operating mode, based on close professional cooperation between stakeholders, in order to strengthen the cyber defence of Hungary.

What is your opinion?

We welcome your comments, whether you agree or disagree with the above. These could be the subject of a new post, for example, in order to stimulate a substantive exchange of views.