US spy agencies to share information on critical infrastructure in policy renewal

The US intelligence community will be required to share information about threats to critical infrastructure with the owners and operators of those systems under the terms of a revised policy document that President Joe Biden is to sign tuesday

The long-awaited overhaul of Presidential Policy Directive 21, which regulates how the federal government interacts with and protects critical infrastructure, comes amid a sharp increase in cyberattacks against entities such as water treatment facilities, the electric grid and communications providers.

The revised document aims to improve the flow of information between the federal government and companies responsible for operating critical US infrastructure.

“America faces an era of strategic competition where state actors will continue to target critical American infrastructure and tolerate or enable malicious activity by non-state actors,” Caitlin Durkovich, Biden’s top national security adviser who was a key figure in the rewriting of the document. , he said Monday during a call with reporters. “Resilience, especially for our most sensitive assets and systems, is the cornerstone of national defense and security.”

The updated document replaces an Obama-era memo that defines the 16 critical infrastructure sectors and the federal government’s role in protecting the vital services that sustain modern life.

Biden administration officials said the rewritten document aims to address both technological and geopolitical changes that have altered the threats facing America’s critical infrastructure.

“The threat environment has changed significantly since PPD-21 was published in 2013, moving from the fight against terrorism to strategic competition, technological advances such as artificial intelligence and malicious cyber activity from ‘state actors’,” said Jen Easterly, director of the Cybersecurity and Infrastructure Agency. he said during the press call.

National security officials have warned in recent months that Beijing is conducting increasingly aggressive operations against critical US infrastructure, with the aim of being able to disrupt key American industries in the event of a conflict. At the same time, financially motivated criminal groups are seeing increasing success in targeting critical infrastructure, such as a recent attack on a payment processor that brought chaos to parts of the United States’ healthcare system united

The number of successful attacks affecting critical infrastructure has caused concern for the Biden administration, as digital defenses for critical infrastructure sectors vary widely. A senior administration official said the revised directive directs CISA and the Office of the Director of National Intelligence to develop a system that streamlines “engagement” with owners and operators of critical infrastructure because “have the intelligence and information they need.”

The revised document also clarifies CISA’s role as the national coordinator responsible for protecting US critical infrastructure and seeks to modernize the policy structure that oversees the rapidly digitizing critical infrastructure entities, a development that may introduce efficiencies, but also new risks.

Under the new memorandum, the Department of Homeland Security would have to submit to the president every two years a national risk management plan outlining risk mitigation efforts.

One thing that does not change, however, are the 16 sectors designated as critical infrastructure. The growing importance of space systems and the rapidly expanding space economy had led many space industry experts to argue that the rewrite of PPD-21 should designate the space industry as critical infrastructure, a move that the Biden administration he refused to do

A senior administration official said on Monday’s call with reporters that a comprehensive review had concluded that the 16 existing critical infrastructure entities should not be altered. “I think the bottom line is that the processes that had been developed over the last decade to articulate these critical infrastructure sectors were sound processes,” the official said.

Under the revised memorandum, agencies overseeing critical infrastructure sectors, known as sector risk management agencies, will be required to assess whether existing authorities and regulations are sufficient to address the risks facing the sectors that supervise

The revised directive also clarifies CISA’s roles and responsibilities as the national coordinator of the effort to secure critical infrastructure and its role as the sector risk management agency for eight sectors.

A senior administration official said the agency is working to finalize a list of about 500 systemically important entities, a list of critical infrastructure entities whose disruption would have serious social consequences. Entities on that list, which will not be made public, are expected to receive additional attention, including setting minimum cybersecurity standards, the official said.

The list of systemically important entities replaces what had been known as “Section 9” entities.

The policy rewrite has been in the works for some time. In November 2022, Biden said in a letter to congressional leadership that he planned to revise the directive.

“The effort to draft this new policy began over a year ago,” said Durkovich, who led the development of PPD-21. “And the process has included significant input from the private sector, our state, local, tribal and territorial partners, and other critical infrastructure stakeholders and experts across the country.”