May 20, 2024, by Sue Poremba

In 2013, the Obama Administration rolled out “The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience”, a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created “to strengthen and maintain secure, functioning and resilient critical infrastructure.”

The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President Joe Biden signed a new directive that reinforced CISA’s role in protecting critical infrastructure from cyber threats.

This new National Security Memorandum (NSM) was long-awaited by the cybersecurity industry. While it firmly establishes CISA’s role in national security, it falls short in efforts to address changes in the critical infrastructure landscape over the past decade.

Why no updates to critical infrastructure industries?

In the original Obama-era document, sixteen industries are labeled as critical infrastructure, and each works directly with agencies and Cabinet-level departments designated as Sector Risk Management Agencies (SRMAs). These industries and SRMAs include Chemical, Critical Manufacturing and Emergency Services under the Department of Homeland Security, Food and Agriculture under the Department of Agriculture, and Financial Services under the Department of Treasury.

In the Biden NSM, those sixteen industries remain intact, with nothing more added. That the NSM doesn’t include space or bioeconomy — two critical infrastructure industries recommended for inclusion by CISA — surprised many in the security sector.

Despite the role that space plays in telecommunication, internet services, satellites and GPS, government officials said it was left off the list because the space infrastructure is widely segmented and part of other sector agencies.

“There is no single agency in charge,” Sam Visner, Chair of the Board of Directors at the Space Information Sharing and Analysis Center and a fellow at the nonprofit Aerospace Corporation, was quoted as saying in CyberScoop.

While not included in the critical infrastructure security directive, the bioeconomy industry is the focus of a 2022 Executive Order and of efforts to build a deeper understanding of the new technologies that form the industry.

CISA’s role cemented

Even though the industry list remains unchanged, CISA’s role has been more clearly defined. The NSM has deemed CISA as the “national coordinator for security and resilience” of the nation’s critical infrastructure and partnering agencies. CISA will now officially “leverage its statutory responsibility to lead the national effort to understand, manage and reduce risk to cyber and physical infrastructure by working across the interagency and further supporting the implementation of SRMA roles and responsibilities,” according to the agency’s website.

As part of its role, CISA will be responsible for assessing progress to improve security priorities and resiliency across the sixteen critical infrastructure agencies, as well as identifying threats and recommending measures to improve cybersecurity. CISA will support its partners across the government in the sharing of critical security information.

Security of the critical infrastructure has never been more important. With the increasing threats coming from nation-state actors, a rise in attacks directly against critical entities and the questions surrounding the impact of AI or cloud computing and other newer technologies on overall cybersecurity, it was time that directives around critical infrastructure were revised. The NSM, while admittedly falling short with the exclusion of the emerging role of crucial industries, offers a way to coordinate the varied subsections of the infrastructure and their governing agencies and should play an important role in securing the nation overall.
