Experts call for overhaul of 'outdated' critical infrastructure cyber policy


A new report analyzes the federal government’s approach to infrastructure cybersecurity as a key strategy document is getting a rewrite.

Updated: 8:57 a.m., June 7

Despite the Biden administration’s outspoken support for increased public and private sector collaboration to bring more advanced technology into government operations, a new report makes the case for an overhaul of how these partnerships form and which agencies lead risk mitigation efforts.

The report, authored by the Cyberspace Solarium Commission 2.0 — a project continuing the efforts of the original Congress-based commission that sunsetted at the end of 2021 — reviews the cybersecurity protocols issued by sector risk management agencies, and notes the urgent need for improved public-private sector collaboration policies and updated SRMA guidance supporting critical infrastructure cybersecurity.

“The policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands,” the report said. “This report identifies flaws in both the design and implementation of public-private collaboration policy and argues that these flaws are amplified by discrepancies in the structure, resourcing and capabilities of SRMAs.”

The timing of this report’s launch coincides with the review of the Presidential Policy Directive on Critical Infrastructure Security and Resilience, known as PPD-21. Initially written in 2013, PPD-21 first identified 16 critical infrastructure sectors that required more federal protection from both digital and physical damage. 

Experts affiliated with the CSC 2.0 point out several flaws within each SRMA that oversees operations of sectors like water and transportation, mainly due to the advanced age of the policy in a changing threat environment. 

“It's a 2013 era policy. It's outdated,” said co-author Mary Brooks, a public policy fellow at the Wilson Center, during a press call. “The security environment has shifted substantially over the past decade. Technologies have evolved, the risk environment has evolved. And as policies and regulations have evolved with those risks, it's been done very frequently in an ad hoc way and not really in a systemic or holistic manner.”

The report states that one of the biggest inconsistencies in how federal agencies help critical infrastructure mitigate cyber threats is a disorganized relationship with private industry tech partners, who are emerging as key players in helping protect consumers and keeping the government abreast of the current tech landscape. 

“It's very much key for the U.S. government to work in partnership very closely with the private sector to understand and to manage these security risks, whether those be cyber risks or physical risks or something that fuses the two,” Brooks said. 

In addition to improving communications with private sector partners, the CSC 2.0 devised 10 other recommendations to close gaps in cybersecurity policy for critical infrastructure organizations, including updating outdated strategy documents, harmonizing inconsistent guidance for SRMAs across industries, regulating public and private sector partnerships, creating avenues to update the list of critical infrastructure sectors and improving information sharing procedures. 

Notably, the report also recommended augmenting the Cybersecurity and Infrastructure Security Agency’s leadership as a risk management regulator.

“CISA is mentioned in law as a national risk coordinator,” said coauthor Mark Montgomery, the senior director of the Foundation for the Defensive Democracies’ Center on Cyber and Technology Innovation. 

Montgomery, who also served on the original federally mandated Cyberspace Solarium Commission, added, “We've put forward several times the idea that they should probably be in law as a national risk management agency.”

As the Biden administration works on its rewrite of PPD-21, the report specifically recommends that the updated policy should designate CISA as the national risk management agency, specifying new responsibilities and supporting improved communication with other SRMAs to continue executing the Biden administration’s National Cybersecurity Strategy. 

“Despite these challenges, this report concludes that the overall concept underlying the government's critical infrastructure protection system — anchored in an approach that balances regulation, incentivization and collaboration — remains the best method to coordinate the public and private sectors,” the report said. 

CISA told Nextgov/FCW that it is actively helping the White House-led process to update PPD-21, and is working alongside SRMAs to define an updated CISA role that better coordinates the national effort to protect critical infrastructure. 

“We believe the rewrite will help clarify CISA’s role as this National Coordinator, as a SRMA to critical infrastructure sectors and as a resource for our partners to help them assess, mitigate and respond to threats,” an agency spokesperson said.