White House critical infrastructure protection order is ‘outdated’ and needs rethinking, Cyberspace Solarium Commission says
A decade-old presidential directive that clarified how the private sector should protect critical infrastructure like power utilities and manufacturing plants has “become outdated and incapable of meeting today’s demands,” according to an influential cybersecurity policy organization.
The document — 2013’s Presidential Policy Directive 21, or PPD-21 — established which agencies were responsible for steering protection of each of the 16 critical infrastructure sectors, today known as sector risk management agencies (SRMAs). A report released Wednesday by CSC 2.0, the successor organization to the Cyberspace Solarium Commission, argues that the federal government could do more to apply the lessons learned by agencies and industry.
The Biden administration is currently revamping the document, and the report notes that the White House had taken several steps intended to strengthen federal digital security, including multiple executive orders and the creation of the Office of the National Cyber Director.
In the meantime, however, the White House’s “incremental approach” is “not delivering the necessary improvements to SRMA performance, especially as both physical and — especially — cyber threats to the country’s critical infrastructure continue to escalate,” the report states.
The PPD-21 overhaul, as well as the effects of “catalyzing” events like the Colonial Pipeline hack and the ongoing war in Ukraine, present “an incredible opportunity to sit down and to think about how we reshape the security relationship here and to do it in a way that really looks forward and says, 'OK, these are the problems we've run into the last 10 years. Let's fix it for today, but let's also fix it for the next 10 years and beyond,'" Mary Brooks, public policy fellow at the Wilson Center and co-author of the report, told reporters during a briefing on Monday.
The report also notes that interviews with government and industry representatives found that information and guidance on the existing SRMA framework is not easily accessible, causing confusion especially during a crisis.
The CSC 2.0 lays out a dozen recommendations the administration should take into consideration as it works to revamp the Obama-era directive, with half focused on the rewrite and the other half on implementation of the reworked document.
For instance, the modernized document should: clarify the Cybersecurity and Infrastructure Security Agency’s (CISA) role as the “national risk management agency;” identify not just critical infrastructure sectors but also their subsectors; and create a process for the directive to be routinely updated “rather than through a once-in-a-decade executive re-write or legislation when the executive branch fails to act.”
In terms of implementation, the CSC report suggests “adequate resourcing” for the agencies that shepherd cybersecurity in their sectors; that CISA, along with other entities like the National Security Agency, establish a cyber threat information collaboration environment; and that existing emergency response law and policy be refined.
Mark Montgomery, executive director of the CSC 2.0, said the problems with protecting critical infrastructure stretch back to the end of the Clinton administration.
“We are massively inconsistent across federal agencies in our performance as SRMAs and across the sectors in their willingness to cooperate and participate,” he told reporters.
“I'm happy everything's getting done. I think we're very late on PPD-21. I also think it's important to get this done to protect these resources,” he added. “We really got to get lots of great work going on, but if we don't get these core documents done, we're going to have a problem.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.