Tech at the Leading Edge March 22, 2023

Modernizing critical infrastructure protection policy: Seven perspectives on rewriting PPD21

By Will Loomis

In February 2013, then-President Obama signed a landmark executive order, Presidential Policy Directive 21 (PPD-21), that defined how US departments and agencies would pursue a unified, whole-of-government effort to strengthen and maintain US critical infrastructure. Almost a decade later, changes in both the threat landscape and the interagency community invite the US government to revise this critical policy.

As the current administration looks to modernize this essential piece of legislation, particular emphasis must be placed on two key steps: first, deconflicting and clarifying the specific roles and responsibilities within the ever-growing interagency, particularly the relationship between CISA and the Sector Risk Management Agencies (SRMAs); second, helping policymakers understand and implement a risk-based approach to critical infrastructure protection. If everything is critical, what gets prioritized?

To dive deeper on this topic, we asked seven experts to offer their perspectives on critical infrastructure and how we can rebalance the interagency to better secure that infrastructure:

If the US government were to change the way it categorizes or prioritizes critical infrastructure, what’s a better alternative to the current approach?

“Over time, the phrase ‘critical infrastructure’ has become overused. This overuse has led to varying definitions of the phrase, and the analyses conducted to better categorize the concept have led to inconsistent focus and findings across the sectors. The baseline definition (assets, systems, and networks, whether physical or virtual, [that] are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof) does not lend clarity because there is a definitional tension between infrastructure that is critical for sustaining and supporting Americans’ daily lives and the economy, and infrastructure that might be dangerous (e.g., chemical or nuclear facilities), but not necessarily critical.

The only way to resolve what should consistently be used as the underlying definition for ‘critical infrastructure’ is to clarify the goals or desired end state for these national risk management efforts. For instance, there are stated end goals to support continuity of government objectives, but it is not clear that there is a similar set of national resiliency goals to support the nation’s critical infrastructure. Recent CSAC recommendations (September 2022) made this point directly: ‘Clear national-level goals in the areas of national security, economic continuity, and health and human safety would help organize public and private critical infrastructure stakeholders in the analysis of what it would take to accomplish those objectives.’ Whatever end goal is articulated, it must be sustained consistently for a long time (10 years or more). This will create the continuity necessary to marshal the resources of both industry and government to carry out these goals.

Government does not need to begin from nothing to carry out this work. The sector structure is in place, and the National Critical Functions are understood. Whatever end goal is articulated, mobilize the initial analysis by using the current sector structure and what we already know about the critical functions in the following sequential approach:

  • Foundational/lifeline sector analysis: energy, communications, transportation, and water and wastewater. All are dependent on these critical functions, and existing analysis has shown that disruption impacts are felt at once; all are precursors to community restoration post-disaster.
  • Middle-level infrastructure: chemical, financial services, food and agriculture, healthcare/public health, and information technology (IT). The critical functions performed in these sectors are reliant on foundational infrastructure, are complex systems-of-systems, and are necessary for continuity of the economy/society.
  • Higher-level infrastructure (end users, producers of goods and services): commercial and government facilities, critical manufacturing, defense industrial base (DIB), and emergency services. In some ways, these sectors are consumers of infrastructure and not really providers of it. This is not to suggest that the services provided by these sectors are NOT critical, but that they rely upon infrastructure provided by others.

With clearly articulated, long-term national goals, leveraging structures and analysis completed to date, the means to identify, categorize, and prioritize which infrastructure is ‘critical’ will be a logical outcome of the analysis.”

Kathryn Condello, Senior Director, National Security/Emergency Preparedness, Lumen Technologies

In theory, what is a Sector Risk Management Agency (SRMA)? In practice, how should an SRMA’s role change depending on what kind of organization plays that role?

“In theory, an SRMA should be the day-to-day, substantively deep operational partner within USG for private sector critical infrastructure partners. These SRMAs should be the entity that is in the trenches with critical infrastructure operators—working to better understand the threat environment, lift up and support those who lack sufficient resources or capabilities, and guide our partners to acceptable and more sustainable levels of risk management and resilience.

In practice, an organization’s resources and capabilities—and the role that it is able to play—vary a lot depending on the type of organization in this role. I’ll provide two examples here. First, some SRMAs—like the Coast Guard—have regulatory capabilities to help apply pressure to owner/operators in their sector to raise their baselines for security. Others, like the Department of Energy (DoE), need to rely on other agencies to do so or use other, more incentive-based programs to achieve these objectives. Second, SRMAs may bring a different balance of resources and substantive sector knowledge to the table. As an example, CISA—which serves as the SRMA for several sectors—may bring far more resources and manpower to the table than another single agency but may lack the deep sector knowledge and partnerships of an organization like DoE.”

Will Loomis, Associate Director, Digital Forensics Research Lab, Cyber Statecraft Initiative, Atlantic Council

Where are some of the biggest existing fault lines in the relationship between CISA and the SRMAs? How might any future revision to PPD-21 better address these?

“Current PPD-21 guidance is based on the model of the 16 critical infrastructure sectors where roles and responsibilities fall under the designated leads for each sector. This model works well when it comes to directing congressional funding to a particular agency or knowing which agency leads the response to an incident in a specific sector.

In reality, significant challenges to the security and safety of the nation’s critical infrastructure are typically complex, multi-faceted events that are rarely limited to just one sector. This holds true for both a single, catastrophic incident and the simple, daily work necessary to mitigate risks. Actions in both situations depend on and have impacts well outside a single sector.

PPD-21 guidance is purposely not prescriptive, which leaves certain elements open to interpretation when it comes to the SRMA’s primacy compared to CISA. Additionally, current guidance does not account for an agency’s capability to fulfill its SRMA responsibilities. The expertise and capabilities of some SRMAs are generally agreed to be more mature than others. I experienced firsthand the friction between different views and capabilities created during my time at CISA as part of the COVID Task Force. Disagreements on roles and responsibilities during the response to ransomware at a hospital or regarding the security of information systems in portions of the vaccine supply chain induced unnecessary challenges during an already difficult national pandemic.

I am not advocating for more detail on roles and responsibilities, since no amount of guidance could cover every situation and account for the differences in each agency’s expertise and capabilities. I do think a different approach where PPD-21 guidance has an increased focus towards national functions and an emphasis on greater collaboration and integration would better serve the ability of federal agencies to fulfill their missions.”

Steve Luczynski, Senior Manager – Critical Infrastructure Security, Accenture Federal Services

What responsibilities should SRMAs be investing in to be better operational partners for the private sector?

“SRMAs should look to prioritize those assets most significant to national security, begin processes to analyze risk, and ultimately buy down that risk utilizing experts within those sectors and cross-training them in cyber. It’s time we refocus on nationally critical assets vs. trying to be everything to every asset, almost like a helpdesk approach to critical infrastructure protection. This includes clearly defining roles for state and local entities, as well as setting objectives for performance. Finally, the government should cross-train the private sector in a common language for coordination, like the Incident Command System, to work together better on a day-to-day basis, as well as during response and recovery from cyber events.”

Megan Samford, Non-Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council; VP & Chief Product Security Officer – Energy Management, Schneider Electric

How should any future revision of PPD-21 think holistically about SRMA capabilities?

“In a perfect world there would be a dedicated cybersecurity SME at the federal level for each critical infrastructure sector, either within each SRMA or at CISA as a main technical liaison. In lieu of this reality, with the ‘near-future’ capabilities, SRMAs’ cybersecurity maturity and mandates should capture the entire supply chain—security management of suppliers, enterprise content management, development environment, products and services, upstream supply chain, operational technology (OT), and downstream supply chain—aligned to the CISA Cybersecurity Performance Goals as a baseline. As the SRMAs designate required tools and capabilities at the asset owner level, they should continue vendor-neutral evaluations of designated and required tools and capabilities. These agencies should represent the boots on the ground approach to the reframing sections above. SRMAs also need to identify the level of cybersecurity and risk management that asset owners can afford to own vs. what government can reasonably subsidize and augment. I don’t believe this can be effectively done without addressing the point above. Lastly, SRMAs should reevaluate the definition and efficacy of information sharing capabilities within each sector, as information sharing ≠ situational awareness ≠ incident prevention.

Regardless of commonalities, no two attacks on OT/industrial control systems (ICS) are ever the exact same, making automated response and remediation difficult. Unfortunately, this reality means that every operation and facility must wait to see another organization victimized before there can be shared signatures, detections, and fully-baked intelligence for threat hunting to ensue. In terms of the threat landscape, there is no way to standardize and correlate threat and vulnerability research produced from competitive market leaders. Information sharing lacks trust and verification, has been siloed into sector-specific, private sector, or government agency-specific mechanisms—creating single sources of information without much consensus. This is a major roadblock for efficacy across SRMAs and their situational awareness/strategic planning.”

Danielle Jablanski, Non-Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council; OT Cybersecurity Strategist, Nozomi Networks

How can the US government address risks associated with cross-sector interdependencies in the naturally siloed SRMA model?

“When addressing cyber risks to critical infrastructure, the US government—and industry—need to reframe thinking around jurisdiction and impact. The SRMA model hinges on federal agencies, which creates a governance gap and cognitive blind spot for interdependence. In the same way that the National Security Council drives the interagency process, the US government needs a coordinating body to prioritize and manage the competing and corollary agencies. Whether that is CISA or ONCD, one office must take the strategic, systemic view of critical infrastructure.”

Munish Walter-Puri, Senior Director of Critical Infrastructure, Exiger

In any future policy, how could the US government preserve the ability to regularly adjust the boundaries of critical infrastructure classifications or sectors?

“Presidential Policy Directive 21 identified 16 critical infrastructure sectors and their associated sector-specific agencies (now called SRMAs) and called upon the Secretary of Homeland Security to ‘periodically evaluate the need for and approve changes to critical infrastructure sectors’ and to ‘consult with the Assistant to the President for Homeland Security and Counterterrorism before changing a critical infrastructure sector or a designated [SRMA] for that sector.’ Since the issuance of PPD-21, changes to the Homeland Security Act have required a reassessment of the current sector structure and SRMA designations at least every five years. The National Defense Authorization Act for Fiscal Year 2021 required the Secretary of Homeland Security to evaluate the sectors and SRMA designations and provide recommendations for revisions to the President. In fulfillment of this mandate, the Department of Homeland Security delivered a report to Congress and the President, assessing that the absence of a statutory basis for the definition of a ‘sector’ has ‘created a challenge in clarifying and building criteria for clarifying and rationalizing the sector structure.’ The report cites the National Infrastructure Protection Plan as the origin of the current operating definition of a ‘sector’: ‘[A] logical collection of assets, systems, or networks that provide a common function to the economy, government, or society.’

In evaluating critical infrastructure sector classifications or structure, the federal government should minimize the overall number of sectors to allow for productive engagement to accomplish specific efforts. Focusing on creating structures to enable cross-sector engagement scoped around specific risk management concerns prioritizes the work to be performed with flexibility and who needs to be there to support it. The current statutory requirement to regularly evaluate sector classifications would be sufficient provided the federal government creates a mechanism to convene critical infrastructure owners and operators independent of sector designations. In its September 2022 recommendations to the Director of the Cybersecurity and Infrastructure Security Agency (CISA), the Cybersecurity Advisory Committee Subcommittee on Systemic Risk recommended that CISA ‘[scope] its national resilience efforts around focus areas like national security, health and human safety, and economic prosperity’ with the goal of enabling CISA ‘to use resources and personnel more efficiently to prioritize the appropriate [National Critical Functions]–and [systemically important entities]–and orient national resilience programming within each scope.’ Within each of these focus areas, CISA, in its role as the national coordinator of sector risk management agencies, should periodically assess the challenges facing critical infrastructure owners and operators and identify workstreams to organize relevant entities that measurably contribute to the risk management effort. For example, under the broad focus area of national security, CISA might organize a cross-sector effort to address small unmanned aerial system surveillance of critical infrastructure sites, an issue for which the White House has organized a task force.

These assessments should align with the cadence that the Homeland Security Act requires for reassessments of the sector/SRMA designations or in conjunction with the five-year term granted to the CISA Director. The federal government should also ensure that there is a mechanism for leadership of both the Sector Coordinating Councils and Government Coordinating Councils that provides decision-making authority for workstreams as the risk landscape evolves and new challenges arise.”

Jeffrey Baumgartner, Vice President, National Security and Resilience, Berkshire Hathaway Energy

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
