The U.S. intelligence community will be required to share information about threats to critical infrastructure with the owners and operators of those systems under the terms of a revised policy document that President Joe Biden is set to sign Tuesday.
The highly anticipated revision to Presidential Policy Directive 21, which governs how the federal government interacts with and protects critical infrastructure, comes amid a sharp increase in cyberattacks against entities like water treatment facilities, the electrical grid and communications providers.
The revised document aims to improve the flow of information between the federal government and the businesses responsible for operating U.S. critical infrastructure.
“America faces an era of strategic competition where state actors will continue to target American critical infrastructure, and tolerate or enable malicious activity conducted by non-state actors,” Caitlin Durkovich, Biden’s top homeland security adviser who was a key figure in rewriting the document, said during a call with reporters Monday. “Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security,”
The updated document replaces an Obama-era memo that defines the 16 critical infrastructure sectors and the federal government’s involvement in protecting vital services that underpin modern life.
Biden administration officials said the rewritten document aims to address both technological and geopolitical changes that have altered the threats facing U.S. critical infrastructure.
“The threat environment has changed significantly since PPD-21 was issued in 2013, shifting from counter-terrorism to strategic competition, advances in technology like artificial intelligence and malicious cyber activity from nation-state actors,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said during the press call.
National security officials have warned in recent months that Beijing is carrying out increasingly aggressive operations against U.S. critical infrastructure, with the goal of being able to disrupt key American industries in the event of a conflict. At the same time, financially motivated crime groups are seeing increasing success in hitting critical infrastructure targets, such as a recent attack on a payment processor that threw parts of the U.S. health care system into disarray.
The number of successful attacks impacting critical infrastructure has caused concern within the Biden administration as the digital defenses of critical infrastructure sectors vary widely. A senior administration official said that the revised directive tasks CISA and the Office of the Director of National Intelligence to develop a system that streamlines “engagement” with critical infrastructure owners and operators so that they “have the intelligence and the information that they need.”
The revised document also clarifies CISA’s role as the national coordinator responsible for protecting U.S. critical infrastructure and attempts to modernize the policy structure that oversees critical infrastructure entities that are rapidly digitizing, a development that may introduce efficiencies but also new risks.
Under the new memorandum, the Department of Homeland Security would be required to submit to the president every other year a national risk management plan that would summarize risk mitigation efforts.
One thing that is not changing, however, are the 16 sectors designated as critical infrastructure. The growing importance of space systems and rapidly expanding space economy had prompted many space industry experts to argue that the rewrite of PPD-21 should designate the space industry as critical infrastructure, a move the Biden administration declined to make.
A senior administration official said during Monday’s call with reporters that a thorough review had concluded that the 16 existing critical infrastructure entities should not be altered. “I think the takeaway is that the processes that had been developed over the past decade to articulate those critical infrastructure sectors were sound processes,” the official said.
Under the revised memorandum, agencies overseeing critical infrastructure sectors — what are known as sector risk management agencies — will be required to assess whether existing authorities and regulations are sufficient to address the risks the sectors they oversee are facing.
The revised directive also clarifies the roles and responsibilities of CISA as the national coordinator of the effort to secure critical infrastructure and its role as a sector risk management agency for eight sectors.
A senior administration official said that the agency is at work finalizing a list of about 500 systemically important entities — a list of the critical infrastructure entities whose disruption would have severe societal consequences. The entities on that list, which will not be made public, are expected to receive additional attention, including setting minimum cybersecurity standards, the official said.
The list of systemically important entities replaces what had been known as “Section 9” entities.
The policy re-write has been in the works for some time. In November 2022, Biden said in a letter to congressional leadership that he planned to revise the directive.
“The effort to draft this new policy began over a year ago,” said Durkovich, who led the development of PPD-21. “And the process has included significant input from the private sector, our state, local, tribal and territorial partners, and other stakeholders and critical infrastructure experts from across the country.”