The United States is trying to make it easier for companies and organizations to bolster their cybersecurity in the face of growing attacks aimed at crippling their operations, stealing their data or demanding ransom payments.
Officials with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) rolled out their new Cybersecurity Performance Goals on Thursday, describing them as a critical but voluntary resource that will help companies and organizations make better decisions.
“Really what these cybersecurity performance goals present is a menu of options to advance one’s cybersecurity,” Homeland Security Secretary Alejandro Mayorkas told reporters, describing the rollout as a “watershed moment” for cybersecurity.
“They are accessible, they are easy to understand, and they are identified according to the cost that each would entail, the complexity to implement the goal, as well as the magnitude of the impact that the goal’s implementation would have,” he added.
For months, U.S. officials have been warning of an ever more complex and dangerous threat environment in cyberspace, pushing the government’s “Shields Up” awareness campaign, driven in part by Russia’s invasion of Ukraine earlier this year.
They have also called attention to cyberattacks by Iran and North Korea, while warning that both nation states and non-state actors have increasingly been scanning and targeting U.S. critical infrastructure, from water and electric companies to airports, which were struck by a series of denial-of-service attacks earlier in October.
Private cybersecurity companies have likewise warned of a growing number of attacks against health care companies and education and research organizations.
While some bigger U.S. companies and organizations have been able to devote time, money and other resources to confront the growing dangers, U.S. officials are concerned that others have not.
In particular, CISA has worried about small to mid-sized businesses, along with hospitals and school systems, often described by officials as target rich but resource poor because they do not have the money or resources to defend systems and data from hackers.
Officials said the new guidelines, which focus on key areas like account security, training, incident reporting, and response and recovery, and come with checklists, are designed to ease the burden. The officials also said they anticipate the goals will change and evolve along with the threat.
The newly unveiled goals “were developed to really represent a minimum baseline of cyber security measures that if implemented, will reduce not only risk to critical infrastructure but also to national security, economic security and public health and safety,” said CISA Director Jen Easterly, calling them a “quick start guide.”
“[It’s] really a place to start to drive prioritized investment toward the most critical practices,” she said.
According to CISA, many of the new goals are already resonating, including with state and local officials running U.S. elections.
“We’ve been working with them to implement several of these best practices, as well as ensuring that they have the tools and resources and the capabilities to ensure the security and resilience of election infrastructure,” Easterly told reporters Thursday. “I’ve met with election officials even just over the past few days … and they all expressed confidence in particular in the cybersecurity across all of their systems.”
CISA also said Thursday that U.S. states and territories needing more help can take advantage of $1 billion in grants that are being made available over the next four years.
The grants, designed specifically to help protect U.S. critical infrastructure, were first announced last month.