A White House national security memorandum outlining how the government helps defend critical infrastructure from physical and digital attacks leaves gaps that only Congress can fill, experts warn.
The release last week of a long-awaited revision to an 11-year-old document known as presidential policy directive 21 (PPD-21) was considered a welcome step toward modernization from many in the security community, setting in stone how the White House plans to assist critical sectors like health care, water, and energy in the face of ongoing cyberattacks.
But much has changed since President Barack Obama signed PPD-21, which established the 16 critical infrastructure sectors and the agencies tasked as their overseers. National security officials have spent much of the past year sounding the alarm on Beijing’s hackers diving into critical infrastructure sectors amid increasing tensions around Taiwan. PPD-21, meanwhile, was created at a time when terrorism was top of mind and cybersecurity was a distant — but not outright ignored — consideration, according to Bob Kolasky, the founding director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center.
Kolasky said that the current memorandum reflects “the geopolitical threat environment. So we are thinking about critical infrastructure security and resilience in the context of Volt Typhoon in China and … lessons learned from Russia and Ukraine. And I can tell you living it, that was just not top of mind in 2013 when PPD-21 was finally signed.”
Matt Hayden, a former assistant secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience, noted that CISA did not even exist when PPD-21 was first signed.
“The Office of the National Cyber Director didn’t exist” either, said Hayden, now a vice president in General Dynamics Information Technology’s intelligence and homeland security division. “We have a cyber framework now, a good structure in place that just isn’t reflected. We also have a lot of the intelligence community structuring around critical infrastructure protection. These things didn’t exist, candidly, when PPD-21 was framed.”
Even so, there are some portions of the policy that the Biden administration chose not to change, much to the chagrin of some experts. One major sticking point is that there are no changes to what is considered critical infrastructure, a term used by the government for industries that provide services needed for modern life, such as electricity, steel manufacturing, and water.
“The inability of this review to tackle the question of those changes to critical infrastructure sectors, is, I think, a failure,” said Annie Fixler, director of the Foundation for Defending Democracy’s Center on Cyber and Technology Innovation. “This review is 11 years after the first PPD-21 — to argue and to think that there’s been no changes across those sectors in 11 years … that’s disappointing.”
While the national security memorandum on critical infrastructure (NSM-22) does allow for the Homeland Security secretary to reevaluate the sectors every two years, cyber policy pros were hoping that space systems or cloud computing would be added to the list.
Space systems in particular have become a major point of contention among experts, as the booming industry plays an increasingly vital role to other sectors like energy and agriculture.
“That was something industry was really harping on,” he added. “They do have a work group setup for space, and the IT sector Council does discuss cloud application. So there is a home for that conversation, but it’s just not as defined as the others.”
During a call with reporters before last week’s announcement, senior administration officials said that while the National Security Council considered the change, they ultimately decided that the initial process for selecting the 16 current sectors was “sound.”
However, a major fix that was lauded by experts was officially establishing CISA as the national coordinator, a position the agency already carries out. But experts note that a presidential declaration communicates that role to the sometimes skeptical private sector and other federal agencies.
“In the past, there have sometimes been tension where something has been requested [by CISA] but not fulfilled because the other agencies, perhaps, saw this as a theater and not necessarily a critical request,” Fixler said. “So there is value in clarifying expectations so that agencies can be held accountable.”
Kolasky agreed, noting that “that stuff matters in the world of bureaucratic politics.”
But, ensuring that agencies like CISA have adequate funding and the authorities to build up resilience against attacks — such as minimum cybersecurity standards — requires Congress to step in, which fails to inspire confidence in experts like Fixler.
“It’s good to see that the administration and Congress are aligned on what sector risk management agencies are supposed to do,” Fixler said. “And yet there are a number of agencies whose budget for sector specific risk management activities is limited, to say the least.”
CISA Director Jen Easterly appealed to lawmakers for additional funds last Tuesday, saying that programs like monitoring are helping critical infrastructure protect themselves against threats like Volt Typhoon. Right-wing politicians may not be so eager to approve additional funding after some members have alleged that the agency was on a censorship campaign alongside social media companies, a claim Easterly herself has repeatedly denied.
Beyond CISA, the memorandum says that agencies tasked with helping sectors manage risk, such as cyberattacks, can submit a legislative proposal to the Office of Management and Budget, but it would still be up to Congress to move the ball forward.
But, Fixler points out, the president’s budget request sent out earlier this year hardly added much in the way of additional funds. While the budget requests are rarely carried out, they do signify what the priorities are in any administration.
In the fiscal year 2025 budget request, for instance, the U.S. Department of Agriculture asked for $3.2 million, with around $1.7 million dedicated to non-cybersecurity work. That means that the agency has an estimated $1.5 million budget to help the sector protect against criminal hackers and nation-sponsored campaigns, according to information provided by the Foundation for Defending Democracy.
Previous administration efforts to add new cyber mandates have failed due to limited authorities that agencies have in fully carrying out those duties. The Environmental Protection Agency, for example, ultimately had to shelve an effort to get cybersecurity rules in place for the water sector after multiple states and trade associations sued.
Meanwhile, hacktivists tied to Russia’s military intelligence arm have levied multiple cyberattacks against water facilities, though the attacks themselves were fairly unsophisticated and had little impact on services.
With NSM-22 coming near the end of Biden’s term, however, the people who put together the document might no longer be here to carry it out.
“Whether it’s a second administration or it’s the Trump administration, there’s a lot of turnover between administrations,” Fixler said. “So the authors of this are not necessarily going to implement and that’s challenging. So that’s also really disappointing.”