On CISA's role in protecting critical infrastructure, White House sticks to the script

President Joe Biden signed on Tuesday a new directive that affirms the Cybersecurity and Infrastructure Security Agency's central role in the federal government's protection of the nation's critical infrastructure sectors.

The revised Presidential Policy Directive 21 does not alter the list of 16 critical infrastructure sectors despite calls from former officials, industry groups and outside experts to add major industries, such as space and cloud computing, since a rewrite was announced in late 2022.

Instead, the directive signed Tuesday reinforces the 2018 statute that established CISA and the agency's mandate to coordinate national efforts to secure and protect critical infrastructure from cyberattacks and natural disasters.

It follows CISA’s release last month of the first draft of a landmark rule detailing how critical infrastructure entities must report cyberattacks to the federal government. 

The long-awaited rewrite of the directive also comes as administration officials sound the alarm about hackers allegedly connected to the Chinese government conducting attacks with the long-term goal of causing physical destruction. The hacking campaign marks a sharp escalation in China's willingness to potentially target U.S. infrastructure — activity well beyond Beijing’s usual effort to steal state secrets.

The national security memorandum names CISA the “national coordinator for security and resilience” of U.S. critical infrastructure and directs so-called sector risk management agencies to assess whether existing minimum cybersecurity standards meet potential digital vulnerabilities, Caitlin Durkovich, National Security Council director for response and resilience, told reporters during a conference call on Monday.

“We know that America's adversaries may attempt to compromise our critical infrastructure to undermine the will of the American public and impede the projection of U.S. military power abroad,” she said, alluding to the threats created by the Chinese hacking group known as Volt Typhoon, and others. 

“Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security.”

CISA Director Jen Easterly said the “good news is that the work that is being directed in the [national security memorandum] is underway,” noting her agency has already reestablished the Federal Senior Leadership Council and designated systemically important entities within critical infrastructure, prioritized based on the potential for disruption to the country.

The updated policy also directs the U.S. intelligence community, in line with the 2023 National Intelligence Strategy, to collect and share information with critical infrastructure owners and operators. 

Still, the plan is likely to be criticized for its lack of sweeping changes, including following through on a congressionally-mandated CISA report that argued for the designation of space and bioeconomy sectors.

A senior administration official, speaking on the condition of anonymity, said “because space is really a part of so many different sectors, it did not at this time make sense to break space out as a separate sector.” Instead, it will continue to be managed by a working group co-chaired by CISA. 

Overall, the official said, the tweaked directive “helps to reinforce the statutory role” CISA already enjoys and puts a spotlight on how the threat landscape has evolved “given the highly interdependent, highly connected, highly digitized, and frankly highly vulnerable, nature of the critical infrastructure that Americans rely on every hour of every day.”

Having a “coordinating element to really manage that cross-sector risk and drive down that cross-sector risk, it's incredibly important to the security of the nation.”

In a statement, Homeland Security Secretary Alejandro Mayorkas said the new memorandum  “empowers the Department of Homeland Security to lead our government’s efforts, alongside our administration partners, to better confront the increasingly complex and frequent threats facing our critical infrastructure.”