With President Biden's recent signing of a National Security Memorandum (NSM), the decade-old Presidential Policy Directive receives an update that, proponents say, will help strengthen the security of critical infrastructure within the United States. Security experts appear to have mixed opinions on the NSM's potential effectiveness.
A fact sheet published by the administration explains how the NSM authorizes the Department of Homeland Security (DHS) to lead the effort to secure critical infrastructure, with the Cybersecurity and Infrastructure Security Agency (CISA) as the national coordinator. The NSM requires the Secretary of Homeland Security to submit a twice-yearly national risk management plan detailing current efforts to mitigate critical infrastructure risks.
Also, the NSM directs the intelligence community to collect, analyze, and share threat intelligence related to critical infrastructure.
"A statement like this was long overdue," says Scott Crawford, information security research head, S&P Global Market Intelligence.
While the NSM doesn't change the current designation of the 16 critical infrastructure sectors, it does create a Sector Risk Management Agency to oversee each.
Finally, the NSM calls for minimum security and resilience requirements across the critical infrastructure sectors. The administration contends that leaving security risk-management decisions to voluntary industry action has proven to have limitations.
"My immediate concern is they try to create a new standard, or they compromise to a standard that sets the bar too low," says Michael Farnum, advisory CISO at technology services provider Trace3. However, if they stick with an existing standard and hold critical infrastructure entities accountable, Farnum says he could support it.
While the NSM isn't specific regarding the details of the minimum security requirements that will be put into place, it does point to "existing voluntary consensus standards," notes Crawford.
Which consensus standards are meant remains unclear, and Crawford suggests that ambiguity is likely intentional. "This is analogous to the SEC's 'strategic ambiguity' in not defining what makes for a 'material breach,'" he says.
Crawford adds that comparing the NSM to other regulatory actions within the administration may be informative.
"The FCC has begun to require funded organizations to certify that they have cybersecurity and supply chain risk-management plans based on voluntary NIST guidance. That's one example of how the NSM would let enforcement evolve between precedent and perhaps case law. At a minimum, it leaves them an open door for enforcement, even if the criteria begin with the existing status quo," he explains.
Regardless of the regulatory details, implementing the NSM will face challenges. Establishing binding security standards across diverse sectors will prove complex and demand deep collaboration and coordination among all public and private stakeholders.
Industry experts also wonder how well the NSM will be directly funded. The Biden administration cited the existing "investing in America" agenda that includes $448 billion in funding from the recent bipartisan infrastructure law, with $50 billion allocated to resilience funding. Details are lacking, however, on how the work the NSM requires will be paid for. Crawford wonders how that lack of direct funding will affect how effectively the objectives of the NSM can be executed.
Concerns have also been raised about how real-time operational collaboration between the government and private operators will be facilitated during incidents. Jim McKenney, practice director of industrials and operational technologies at NCC Group, says that while he is encouraged by key elements in the NSM, real-time operational collaboration is a concern.
"Having clearly defined roles, secure communication channels, and expedited processes for requesting and receiving assistance is critical when every second counts to triage an incident," McKenney says.
"Overseeing cybersecurity and resilience efforts across 16 nationwide critical infrastructure sectors is a significant undertaking that will require serious investment in people, not just capital expenditures on federal or state infrastructure. We're talking about monitoring risks and developing security standards for everything from energy utilities and transportation networks to water treatment plants and financial services," he says.
For instance, McKenney notes that in the water sector alone there are more than 15,000 wastewater treatment facilities in the country.
"Many [are] located in rural areas with limited resources. Handling that scale of oversight will require a serious influx of resources and personnel at CISA and the sector lead agencies," he says.
Improving the security and regulatory oversight across all critical infrastructure will undoubtedly take considerable time, consideration, investment, and collaboration. It is also worth remembering that not all critical infrastructure sectors are in the same place when it comes to cybersecurity; the financial services sector, for example, is relatively strong, while the healthcare and public health sectors currently show weaknesses. Security experts remain cautiously optimistic that the NSM is another step in the right direction, but without more details, what the full path forward looks like remains unclear.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.