Author: Eric Geller
The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.
On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.
Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.
Foreign cyber threats present an imminent risk. Caitlin Durkovich, the deputy homeland security adviser for resilience and response, stated during a briefing that America is entering a period of strategic competition in which state actors will continually target the country’s critical infrastructure, and also possibly assist or condone harmful activities run by non-state actors.
The memorandum has three main objectives: to establish the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security as the leading agency responsible for defending infrastructure from harmful parties and natural threats; to expand collaborations with the private sector via quicker, broader sharing of information; and to lay the groundwork for minimum cybersecurity standards for sectors currently without them.
This regulatory initiative indicates a significant departure from the government’s approach to infrastructure security from ten years ago. The Biden administration, recognizing that voluntary collaborations did not sufficiently minimize risks to essential services, implemented new cybersecurity regulations for the aviation, pipeline, railway, maritime, and medical device industries. Currently, the Department of Health and Human Services is developing security guidelines for healthcare establishments. The administration now intends to use these new guidelines to accelerate similar efforts in other sectors.
As Durkovich explains, it is crucial that everyone collaborates to establish fundamental security standards for infrastructure, as these sectors underpin American society and democracy.
The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.
That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.
Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.
In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.
To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.
The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.
The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.
“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.
In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.
Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.
CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.
First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.
The government will collaborate with companies on the important-entities list, which consists of fewer than 500 entities, “to ensure they have the resources necessary to manage risk,” a senior administration official says. These companies will also be prioritized for regulation.
Although the memo updates key elements of the government’s defense strategy, it does not alter the fundamental framework underpinning this work: the 16 sectors, each containing a group of related industries, which comprise the nation’s critical infrastructure. A CISA report released in late 2021 suggested that the administration consider introducing new sectors for the space and bioeconomy industries, but officials decided against this idea.
“As space significantly intersects with various sectors, it was deemed nonsensical to segregate space as an independent sector at this time,” explains the senior official. Nonetheless, CISA is concentrating on space cybersecurity. Government leaders also determined that the unique risks of the bioeconomy were not sufficient to justify a new sector. However, if significant changes occur in the risks these industries face, they might have their own sectors in the future, the official adds.
Considering the rapid changes in these risks and other situations, the memo instructs DHS to present a “national risk management plan” to the White House every two years, summarizing the government’s preventive measures.
Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.
The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”