May 20, 2024 By Sue Poremba 2 min read

In 2013, the Obama Administration rolled out “The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience”, a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created “to strengthen and maintain secure, functioning and resilient critical infrastructure.”

The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President Joe Biden signed a new directive that reinforced CISA’s role in protecting critical infrastructure from cyber threats.

This new National Security Memorandum (NSM) was long-awaited by the cybersecurity industry. While it firmly establishes CISA’s role in national security, it falls short in efforts to address changes in the critical infrastructure landscape over the past decade.

Why no updates to critical infrastructure industries?

In the original Obama-era document, sixteen industries are labeled as critical infrastructure, which work directly with different agencies and Cabinet-level departments labeled as Sector Risk Management Agencies (SRMA). These industries and SRMAs include Chemical, Critical Manufacturing and Emergency Services under the Department of Homeland Security, Food and Agriculture under the Department of Agriculture and Financial Services under the Department of Treasury.

In the Biden NSM, those sixteen industries remain intact, with nothing more added. That the NSM doesn’t include space or bioeconomy — two critical infrastructure industries recommended for inclusion by CISA — surprised many in the security sector.

Despite the role that space plays in telecommunication, internet services, satellites and GPS, government officials said it was left off the list because the space infrastructure is widely segmented and part of other sector agencies.

“There is no single agency in charge,” Sam Visner, Chair of the Board of Directors at the Space Information Sharing and Analysis Center and a fellow at the nonprofit Aerospace Corporation, was quoted as saying in CyberScoop.

While not included in the critical infrastructure security directive, the bioeconomy industry is the focus of a 2022 Executive Order and building a deeper understanding of the new technologies that form the industry.

CISA’s role cemented

Even though the industry list remains unchanged, CISA’s role has been more clearly defined. The NSM has deemed CISA as the “national coordinator for security and resilience” of the nation’s critical infrastructure and partnering agencies. CISA will now officially “leverage its statutory responsibility to lead the national effort to understand, manage and reduce risk to cyber and physical infrastructure by working across the interagency and further supporting the implementation of SRMA roles and responsibilities,” according to the agency’s website.

As part of its role, CISA will be responsible for assessing progress to improve security priorities and resiliency across the sixteen critical infrastructure agencies, as well as identifying threats and recommending measures to improve cybersecurity. CISA will support its partners across the government in the sharing of critical security information.

Security of the critical infrastructure has never been more important. With the increasing threats coming from nation-state actors, a rise in attacks directly against critical entities and the questions surrounding the impact of AI or cloud computing and other newer technologies on overall cybersecurity, it was time that directives around critical infrastructure were revised. The NSM, while admittedly falling short with the exclusion of the emerging role of crucial industries, offers a way to coordinate the varied subsections of the infrastructure and their governing agencies and should play an important role in securing the nation overall.

More from News

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Should there be a total ban on ransomware payments?

3 min read - The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today