How to fine-tune the White House’s new critical infrastructure directive

It’s been more than a decade since the United States last revised the key policy document that describes the federal government’s role in protecting U.S. critical infrastructure, but this week the Biden administration finally took a significant step to update these authorities. With the release of National Security Memorandum 22 (NSM-22), the White House has issued a much-needed update to Presidential Policy Directive 21 (PPD-21), which was issued in 2013 and has become outdated in the face of a rapidly changing threat landscape.

On the whole, NSM-22 offers some important reforms to how the federal government hopes to protect U.S. critical infrastructure given more severe cyberattacks. But by omitting to designate the space and cloud computing industries as critical infrastructure, the document also leaves something to be desired. Moreover, it’s unclear whether the Cybersecurity and Infrastructure Security Agency, which NSM-22 places at the helm of the mission to protect American infrastructure, has the resources it needs to respond to a highly complex threat landscape.

The previous directive, PPD-21, was crafted when the nation’s cybersecurity challenges were relatively simple compared to today’s complex and sophisticated threats. In the years since, we have witnessed a deluge of devastating attacks across our critical infrastructure. Most recently, the Change Healthcare ransomware attack caused major disruption to the U.S. health care system. Meanwhile, Russian-linked hackers have breached a Texas water facility, and the Chinese-linked hackers known as Volt Typhoon have pre-positioned malware to disrupt U.S. infrastructure in the event of a conflict.

The new NSM represents a positive step forward in adapting to these evolving threats. One of its key achievements is the formal codification of CISA as the national coordinator for Critical Infrastructure cybersecurity efforts across the government and private sector. This move recognizes the critical role that CISA plays in ensuring the nation’s resilience and security.

Furthermore, the NSM introduces the concept of Systemically Important Entities (SIEs), acknowledging that specific organizations and systems have far-reaching impacts that extend beyond their immediate sectors. By identifying and prioritizing the protection of these SIEs, the memorandum aims to mitigate the cascading effects that disruptions to these entities could have on interconnected systems and critical services.

While the NSM represents progress, it has its limitations and missed opportunities. Despite their growing importance, one glaring omission is the failure to designate space and cloud assets as critical infrastructure sectors. While cloud infrastructure warrants consideration, given its role underpinning digital services, the space domain demands urgency. This arena is increasingly contested, with adversaries recognizing the strategic value of space-based capabilities and actively seeking ways to disrupt or deny our access in this rapidly emerging frontier. From communication and navigation to surveillance and weather forecasting, space systems underpin a wide range of vital civil and military operations, making their protection a matter of economic and national security.

Another concern is the need for more funding or resources allocated to CISA and the sector risk management agencies (SRMAs) — which refer to those agencies designated to oversee a given critical infrastructure sector — to carry out their expanded roles and responsibilities under the new NSM. While the memorandum aims to provide an updated policy framework and better define these agencies’ roles, it needs to address the critical issue of resourcing.

Effective implementation of any policy directive hinges on adequate resources such as personnel, technological capabilities, and funding. These resources are necessary for agencies like CISA and the SRMAs to meet the heightened expectations the NSM sets, potentially undermining its overall effectiveness.

As threats continue to evolve, the roles and resources allocated to these agencies will become even more crucial in securing their respective sectors and maintaining the overall resilience of the nation’s critical infrastructure. Congress must recognize the importance of adequately funding and staffing these organizations to ensure they can effectively fulfill their mandates and accomplish their missions.

Collaboration between government agencies, the private sector, and other stakeholders will be vital in identifying and addressing potential gaps or areas for improvement. The United States can ensure its cybersecurity posture remains robust and responsive to the evolving threat landscape through continued collaboration, adaptation and a proactive approach to policy development.

Missed opportunities aside, make no mistake: NSM-22 represents a step in the right direction. There will be opportunities to address these shortcomings and refine the nation’s cybersecurity policies. We must make the next set of updates before another decade. A proactive approach is crucial and will help ensure the U.S. remains agile and responsive to emerging threats.

Frank Cilluffo directs the McCrary Institute for Cyber & Critical Infrastructure Security at Auburn University. He previously served as a commissioner on the U.S. Cyberspace Solarium Commission and served as a special assistant to President George W. Bush for Homeland Security. Alison King is the vice president of government affairs at Forescout Technologies and an OT Cyber Coalition executive member. Previously, she was a staff member of the U.S. Cyberspace Solarium Commission.