Cybersecurity has been a priority since President Joe Biden took office in the wake of the SolarWinds compromise, while protecting critical infrastructure from cybersecurity threats quickly became a top national security issue when a series of damaging ransomware attacks against Colonial Pipeline, foodmaker JBS and IT provider Kaseya caused substantial disruption to American society in 2021.
Since then, the administration has stepped up cooperation with the private sector, and worked to leverage new and existing regulatory authorities to expand visibility over cyberattacks affecting different industries, while tightening cybersecurity protocols and protections within targeted sectors, from companies that manage our water systems and move our oil and gas to industries that transport people and goods via rail and flight.
However, a new report released June 7 from the Cyberspace Solarium Commission 2.0 — a successor organization to the body of experts and lawmakers who helped reshape U.S. cybersecurity policy over the past five years — claims this “incremental” and still-largely voluntary approach is no longer sufficient to keep America’s essential functions and services secure and stay ahead of a faster-moving digital threat landscape.
The report argues that the Cybersecurity and Infrastructure Security Agency, which Congress empowered as the federal government’s lead coordinator around critical infrastructure protection, is not appropriately resourced or supported by interagency partners to fulfill its role as a national risk manager, nor is it positioned to provide necessary guidance to other agencies.
“[T]he federal government has endeavored for decades to build a strong relationship with the private sector. Nevertheless, the policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands,” the report states in its introduction. “Similarly, the implementation of this policy — and the organization, funding, and focus of the federal agencies that execute it — is inadequate.”
The report, which draws on analysis from former Solarium participants, cyber policy experts and interviews with current and former government officials, calls for strengthening CISA’s role as national risk manager for critical infrastructure while boosting resources and authorities to individual sector risk management agencies to play a larger role in the nation’s cybersecurity ecosystem.
In addition, interviewees from industry said they wanted CISA (or some other government entity) to ensure better interagency information sharing so that companies only have to communicate to the government once about a particular incident.
Biden administration, DHS must refresh “stale” and “outdated” approach to securing critical infrastructure
Part of this confusion, the report argues, is due to a number of strategy and policy documents governing critical infrastructure that haven’t been updated in years and no longer reflect the realities of the current threat landscape.
One of those documents, Presidential Policy Directive-21, outlines how the federal government classifies and oversees its relationship with critical infrastructure and which sectors qualify. It hasn’t been updated since 2013, and a planned re-write announced by the Biden administration last year could serve as a vehicle for a new or modified approach. It could also lay the groundwork for adding other industries, like commercial space systems and cloud providers, to the list.
Mary Brooks, a public policy fellow at the Wilson Center and one of the authors of the report, called PPD-21 in its current form “outdated” and ill-suited to the current realities facing many critical infrastructure organizations. Further, the long delay in updating it has prevented other sector risk management agencies from moving forward with a refresh of their own individual sector plans.
“The security environment has shifted substantially over the past decade, technologies have evolved, the risk environment has evolved and as policies and regulations have evolved with those risks, it’s been done very frequently in an ad-hoc way, and not really in a systemic or holistic manner,” she said.
PPD-21 is far from the only policy document withering on the vine. According to the Government Accountability Office, the National Infrastructure Protection Plan also hasn’t been updated by DHS since 2013, and is so old it pre-dates the creation of CISA. Yet another document, the National Critical Infrastructure Prioritization Program, was created after 9/11 and is supposed to be used by CISA to prioritize support to high-value systems and assets that would cause cascading effects across American society if disrupted, but it doesn’t substantively cover cybersecurity threats, CISA’s main mission.
Agencies with sector expertise need a bigger role
The report also points to the diminished role of sector risk management agencies as a problem worth addressing.
While CISA is responsible for high-level policy and coordination between critical infrastructure and the federal government, other agencies like the Department of Energy, the Transportation Security Administration and the Environmental Protection Agency, are also designated as “sector risk management agencies” and charged with overseeing specific sectors.
However, these agencies have played an increasingly smaller — or at least less visible — role over the past decade as agencies like CISA and the FBI have come to the fore, even as they often hold the actual statutory authority and domain expertise for sectors and industries under their purview.
There also continue to be wide gaps between different agencies in terms of their authorities, effectiveness, resources, planning and ability to coordinate around digital threats to critical infrastructure.
The result has been an inconsistent mishmash of approaches, with sectors like finance and energy benefiting from mature federal input and clearly defined roles and responsibilities, while other sectors like water, oil and gas operate in a far more decentralized and disorganized fashion that leaves them unprepared to deal with the complexity of the global supply chain or the cascading, cross-industry effects of modern cyberattacks.
Nowhere was this more apparent than during the Colonial Pipeline ransomware attack in 2021.
According to interviews with public and private sector officials, executives at Colonial notified the FBI (the lead agency for threat response) of the breach, but did not notify CISA (the lead agency for asset response). CISA, which learned about the breach from the FBI, in turn did not notify the Transportation Security Administration or the Department of Transportation, both of which serve as co-sector risk management agencies for the pipeline subsector.
Adding to the confusion, while DOT and TSA were responsible for the physical pipelines, the jet fuel they carried actually falls under the purview of yet another sector risk management agency, the Department of Energy. The White House eventually placed Energy officials in charge of the federal response, but the incident laid bare just how byzantine and onerous the status quo has become.
“The whole process — the whole episode — really showed how the seams and the overlaps within the current framework mean the whole thing is really poorly suited to speed and crisis response,” said Annie Fixler, director of the Center on Cyber and Technology Innovation at foreign policy think tank the Foundation for Defense of Democracies and another co-author of the report.
CISA, federal agencies need to get their ducks in a row
The Solarium recommendations come as some members of Congress and federal watchdogs have expressed similar concerns around the federal government’s outdated plans for protecting critical infrastructure. A GAO investigation last year concluded that CISA needed to revisit some of its governing documents, like the National Infrastructure Protection Plan, while also refreshing individual plans for all 16 sectors currently designated as critical infrastructure.
Tina Won Sherman, director of critical infrastructure protection and transportation security at GAO, told Congress earlier this year that CISA “does not have a standardized approach for agencies to estimate costs, or make requests for resources, does not consistently measure the maturity and effectiveness of the agencies, has created but not yet filled liaison positions with them and does not obtain regular feedback on their partnerships.”
The report recommends a similar approach, noting that no agency has updated its sector risk management plan since 2015, despite being mandated to do so every four years.
Different sectors “have had to adapt on their own over the past decade across three presidential administrations,” and the success or failure of different sectors has been a “personality-driven process — with the more assertive or proactive SRMAs doing better than their counterparts.”
Brooks concurred with that sentiment, saying one of the primary responsibilities for Congress and the executive branch should be “figuring out where the edges of the roles” are between CISA and sector risk management agencies.
“The expertise really does rest kind of lower down. It rests in the industry…and it rests in SRMAs that are really working with industry on a day-to-day basis,” she said.