COLUMN: 5 Ways to Update Critical Infrastructure Security and Resilience Policy in an Age of Strategic Risk


Earlier this month, President Biden announced his intention for the administration to “review and revise, as appropriate” the nation’s foundational policy on critical infrastructure, Presidential Policy Directive 21 (PPD 21). This is a watershed moment for homeland security, as Presidential policy has long been a driver of the nation’s approach to critical infrastructure, and it more meaningfully defines the fundamental relationship between – and within – government and industry to manage risk. And it’s a welcome decision.

PPD 21 is itself the third major iteration of the Executive’s critical infrastructure policy. In 1998, following the Oklahoma City bombing and the rise of the Internet, President Clinton established the importance of the issue through Presidential Decision Directive 63 (PDD-63) on “critical infrastructure protection,” which established much of the modern American framework for government-industry coordination and sharing of information on threats and vulnerabilities. President Bush updated this with a terrorism-centric policy on critical infrastructure protection via Homeland Security Presidential Directive 7 (HSPD 7) in 2003, which established the idea of coordinated, intelligence-driven risk and vulnerability management led by the Department of Homeland Security (DHS). President Obama then replaced HSPD 7 with an all-hazards approach in PPD 21 in 2013, shifting the focus from critical infrastructure “protection” to “security and resilience” and recognizing the need to balance “left-of-boom” and “right-of-boom” activities to support the safe operation of critical infrastructure.

I led the Integrated Interagency Task Force responsible for implementing PPD 21 and the associated administration policy, Executive Order 13636 on Critical Infrastructure Cybersecurity. Together, these two policies have proven to be enduring statements that have served the nation well. It is, however, time that PPD 21 was not just reviewed, but revised.

The explanation of why a policy update is needed can be found in the introduction of the National Infrastructure Protection Plan, which provides that the national plan for securing critical infrastructure should change when changes in the policy, operational and risk environment for critical infrastructure demand it. We are at this stage, and it is time to update PPD 21, as the relevant changes related to critical infrastructure have been significant enough to require a new policy framework.

Specifically, critical infrastructure risk has changed over the past 10 years, largely because it is now driven by adversarial actions by nation states that threaten U.S. critical infrastructure in an effort to weaken the national and economic security of the United States; the operating environment has changed due to the ubiquity of technology and digital data that enable the functionality of critical infrastructure; and the political environment has changed due to the welcome bipartisan recognition that making America strong requires a focus on strengthening America’s critical infrastructure and associated industrial base. It’s not that these elements weren’t seen in 2013, but they weren’t at the forefront for policy makers when developing PPD 21. Now, however, they need to be, and the United States needs a strong critical infrastructure security and resilience policy that is designed for this era of strategic risk and strategic competition.

So if the time has come for change, which seems to be the administration’s consensus, what changes should be included in the policy? Let me offer the five recommendations at the top of my list that I hope the Biden administration will consider. Specifically:

  1. The new presidential policy should establish the idea that it is the policy of the administration not only to manage risk, but to reduce risk to critical infrastructure. The National Critical Functions (NCF) set established by the National Risk Management Center (NRMC) within CISA provides the lexicon and measurement model for critical infrastructure risk; investments should be made to build out this framework, measure the current security and resilience of critical functions, and make explicit the national policy objective of improving these NCFs. (As part of this, the set of 55 NCFs initially put in place in 2019 should be gradually modified according to lessons learned.)
  2. The new presidential policy should be more risk-based and geared towards the idea that the national imperative is to focus first and foremost on the security and resilience of the country’s most important critical infrastructure. The current policy does not distinguish between infrastructure that is loosely defined as essential and that which is systemically important, which has the effect of limiting attention to the most critical elements. Framing the prioritization on the basis of systemic criticality would be a welcome change on the part of the executive branch.
  3. Within this framework, the new presidential policy should review and streamline the current structure of 16 critical infrastructure sectors into a more manageable set of national priorities. The operationalization of 16 critical infrastructure sectors has proven difficult to manage, and there is reason to believe that a smaller set of more equally sized sectors would be an improvement. To this end, I propose the following sector structure based on a review of critical functions: banking and finance, communications, critical manufacturing (to include research and development), defense and space industrial base, energy, food and agriculture, government services (to replace government facilities and include electoral infrastructure), health and public health, information technology, transportation, water and wastewater. This broadens the definition of some of the current sectors and subsumes four sectors into the above: chemicals, dams, emergency services and nuclear. It also recognizes that “commercial facilities” are too diffuse to be truly considered critical infrastructure.
    It also allows for a much more balanced approach to assigning Sector Risk Management Agencies (SRMAs), where DHS is now the default SRMA for a diffuse set of industries. In doing so, adding the Department of Commerce as a new SRMA would be an interesting addition to match the overlap of security and innovation policies.
  4. The new presidential policy should clarify the intended relationship between SRMAs and associated regulators. Agencies such as the Federal Communications Commission, Federal Energy Regulatory Commission, Securities and Exchange Commission, and Election Assistance Commission all have key authorities that can increase the reliability of critical infrastructure, which can lead to security and resilience outcomes. Currently, however, PPD 21 does not provide a sustainable pathway for collaboration between SRMAs and independent regulators, and the coordination process is largely ad hoc. An affirmative statement of how regulation plays into critical infrastructure risk reduction is needed, as is a structural solution for sustainable collaboration between executive agencies and independent regulators. This should be done by making regulatory harmonization a central policy objective of the executive branch.
  5. The new presidential policy should explicitly reiterate the policy goal of linking national security, economic security, science and technology policy, and emergency management into a cohesive set of national outcomes. Silos between sets of missions must be broken down for effective risk governance.

The final question facing the PPD 21 review is how to orchestrate the policy. A critical open question is how to properly balance the role of the Secretary of Homeland Security as the “national coordinator” for critical infrastructure with the coordinating bodies that operate within the Executive Office of the President (specifically the National Security Council and the Office of the National Cyber Director). The Secretary of DHS has delegated the coordinating role to the Cybersecurity and Infrastructure Security Agency (CISA) and its predecessors (the National Protection and Programs Directorate and the Office of Infrastructure Protection). This has created friction between agencies and unclear lines of accountability within CISA, where the agency has a key policy implementation coordination role, as well as a role in the operational coordination of critical infrastructure security (and nationwide operational support), while also serving as the stand-alone Sector Risk Management Agency for half of the critical infrastructure sectors. These three distinct roles have strained CISA’s priorities and have been executed inconsistently.

The new policy has three options for solving this problem: the first would be to take the coordination role out of a department and place it in the White House; the second would be to appoint the CISA Director as a matter of policy to be the coordinator and to empower parts of CISA to explicitly serve as the national coordinator (this could be a role taken on by an adequately resourced NRMC); and the third would be for the coordinating role of the Secretary to be played by an element of DHS headquarters while the Director of CISA directs operations.

My view, no doubt biased by my past experience, is that the latter is the better option. I know the executive branch is hesitant to micro-manage agency responsibilities, but the structure and coherence of CISA is inextricably linked to the success of PPD 21 and Presidential policy, which clearly shows the importance of a structural solution for national coordination.

As the Biden administration enters its third year, the timing is perfect for this policy review and update. Measuring what has worked and what hasn’t worked over the past 25 years will be important, but so will an affirmative statement that critical infrastructure security and resilience require updates to the policy fabric, to better synchronize the levers of national power in support of critical infrastructure owners and operators.
