Mayorkas pushes baseline cyber regulations following critical infrastructure hacks
Add Axios as your preferred source to
see more of our stories on Google.
Photo illustration: Shoshana Gordon/Axios; Photo: Zachary Hupp/DHS
U.S. regulators must hold companies accountable for their poor cybersecurity practices, Homeland Security Secretary Alejandro Mayorkas told Axios.
Why it matters: U.S. critical infrastructure has proven vulnerable not only to highly skilled nation-state hackers who lurk in American infrastructure, but also to low-level hackers who can simply guess a utility operators' password.
What they're saying: "Given adversary nation-states' activities [and] given the state of the cybersecurity of our critical infrastructure, has the voluntary framework really advanced cybersecurity to the extent needed?" Mayorkas said. "There's concern there."
The big picture: Historically, critical infrastructure sectors — like schools, health care and utilities — haven't faced mandatory cyber requirements. The Biden administration has been working to change that.
- The Cybersecurity and Infrastructure Security Agency (CISA) has started pushing a concept called secure by design, in which tech manufacturers will eventually be required to bake stronger cybersecurity practices into products as they're being developed.
- The White House has spent years working with individual agencies to institute minimum cybersecurity requirements for the infrastructure sectors they regulate.
- Just this week, the president signed an executive order giving the Coast Guard new powers to regulate maritime cybersecurity.
Between the lines: Despite initial pushback, U.S. tech companies are "progressing" and coming around to CISA's secure-by-design principles, Mayorkas said.
- He compared this new regulatory shift to the transition automakers faced when they were required to put seatbelts in cars.
- "There's an increasing receptivity to the notion," he said. "It's a very significant business model change, so it's not going to happen with the click of a finger."
Driving the news: Mayorkas shared his regulatory approach with heads of state, government officials and company executives during keynote remarks at the Munich Security Conference last week.
- He argued that the best path forward was new regulations that shift the burden of security away from consumers and onto tech manufacturers — while still fostering innovation and public-private partnerships.
The intrigue: The European regulators in the audience at Munich often take a stricter approach to cybersecurity.
- Mayorkas told Axios he had heard from executives at multinational companies who believed the European regulators have more "distance" between themselves and the industries they're regulating.
- "That's why I spoke as I did in Europe to try to really diminish that degree of adversity, which chills the cooperation that's critical to cybersecurity," he said.
Zoom out: All of this comes as Mayorkas faces a historic moment as the first cabinet secretary to be impeached since 1876.
- He told CNN in Munich that he wouldn't let the impeachment "slow me down." But DHS and its agencies are facing mounting GOP criticism that could hinder its work to secure the 2024 elections from physical threats, hackers and disinformation.
- "The security work that we do is absolutely critical," Mayorkas said. "We do it apolitically, and the politicization of so many things that are not political is unfortunate."
Between the lines: Mayorkas added that the department is working closely with secretaries of state in all parties — and he's banking that their partners will continue to trust DHS, despite the partisan blowback, because of the integrity of the department's efforts.
- "And I think many people are exhausted by the politics," he added.
