U.S. government policies designed to protect critical infrastructure against hackers are woefully outdated and inadequate to safeguard sectors such as water and transportation against cyberthreats, according to an influential congressionally mandated group of experts.
Furthermore, the Cybersecurity and Infrastructure Security Agency — the key agency inside the Department of Homeland Security responsible for helping defend critical infrastructure — is not set up to quickly and effectively facilitate rapid response to cyberattacks on the most sensitive systems, according to CSC 2.0, which is a continuation of the Cyberspace Solarium Commission that Congress established in 2019.
In a lengthy and detailed report released Wednesday, the commission pointed to the 2021 Colonial Pipeline ransomware attack, which crippled gas deliveries across the country, as a key example of how current policies and government agencies aren’t optimized for the nature of today’s threats.
“This incident illustrates the challenges faced by the national critical infrastructure system in a moment of crisis and the limits of the public-private partnership model that the government has tried to cultivate,” the group said.
The White House and many government officials have acknowledged there needs to be a different approach to protecting U.S. critical infrastructure. In November, the Biden administration announced it is in the process of rewriting Presidential Policy Directive 21, which was established in 2013 to govern how federal agencies engage with private critical infrastructure owners and operators.
The threat landscape has drastically changed over the past decade. Ransomware attacks have become a scourge for both the federal and private sector with criminals holding critical infrastructure in the U.S. hostage and Russian and Chinese hackers increasingly targeting sensitive U.S. networks.
Meanwhile, the full scope of cyberattacks in the U.S. remains a large question mark as most organizations do not have to notify anyone that they were the victim of a cyberattack. Recently passed legislation would require certain critical infrastructure owners and operators to report cyberattacks to CISA, but the agency is still in the rule-making process.
PPD-21 outlines the 16 critical infrastructure sectors — such as dams, chemicals, hospitals and emergency services — as well as the agencies that are the federal go-to for support of incident management and mitigating vulnerabilities. But while the document outlines the overall responsibilities for federal departments such as DHS, it lacks guidance on how to carry out key cybersecurity responsibilities.
“Why is it so important to update this? It’s a 2013 era policy. It’s outdated. The security environment has shifted substantially over the past decade. Technologies have evolved, the risk environment has evolved. And as policies and regulations have evolved with those risks, it’s been done very frequently in an ad hoc way and not really in a systemic or holistic manner,” Mary Brooks, a public policy fellow at the Wilson Center and co-author of the report, said during a briefing on the report earlier this week.
The report comes amid major policy updates on federal cybersecurity such as the release of the Biden administration’s National Cybersecurity Strategy, a forthcoming strategy implementation plan and other documents such as a cybersecurity workforce strategy.
A strategy intended for a different time
The inadequacies in the current framework for critical infrastructure date back years and are “not the fault of this administration,” said report co-author Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the Cyberspace Solarium Commission.
“This stretches back to the original setting up of all this in 2000 during the end of the twilight of the Clinton administration, but we are massively inconsistent across federal agencies in our performance as SRMAs and across the sectors in their willingness to cooperate and participate,” he said.
PPD-21 has only been updated once since 2013 when officials added responsibilities to the sector-specific agencies in charge of those 16 critical infrastructure sectors. The Cyberspace Solarium Commission issued a recommendation that ultimately was signed into law in the 2021 defense bill that elevated those agencies to Sector Risk Management Agencies.
But while agencies were given new responsibilities, not all SRMAs are up to the task, the CSC 2.0 report notes. Some agencies, such as the Energy Department, are widely regarded as among the most well-resourced and mature when it comes to collaboration with the private sector. Others, however, such as the Transportation Security Administration or the Environmental Protection Agency, have either historically struggled or face many of the same issues as the private companies they are supposed to help protect: a lack of resources, from funds to employees.
“While owners and operators bear some responsibility for the sector’s poor cybersecurity, an underlying cause is weak leadership and poor resourcing of the SRMA, for which both the EPA and Congress are to blame. Over the past 20 years, the EPA has not been organized or resourced to identify and support the sector’s cybersecurity needs,” the report reads.
The EPA’s efforts to issue cybersecurity standards using existing authorities have long been a point of contention with the private sector. Three states are suing the EPA over the rule, which they claim exceeded the agency’s authorities, and two water trade associations have joined the suit as intervenors. Furthermore, the EPA’s congressional request for a $25 million cybersecurity grant program for fiscal year 2023 was rejected by lawmakers, the report notes.
The gaps in the existing federal framework to protect critical infrastructure cybersecurity are perhaps best exemplified by the Colonial Pipeline ransomware attack. While the incident was the largest to hit the energy sector, the federal government also had its own crisis of communication during the incident, the report notes.
Once Colonial Pipeline alerted the FBI about the attack, CISA should have been informed, since it is the agency responsible for responding to these kinds of incidents and offering technical assistance and mitigation. But that didn’t happen, according to CSC 2.0. Neither Colonial Pipeline nor the FBI notified CISA, the Transportation Security Administration or the Transportation Department for hours.
“The whole process, the whole episode, really showed how the seams and the overlaps within the current framework means just the whole thing is poorly suited to speed and crisis response,” said Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, one of the co-authors of the CSC 2.0 report.
But while Colonial highlighted the gaps in one area, the report notes that this isn’t an isolated incident. Federal agencies’ guidance for their sectors is not always easily available, and it’s not clear how responsibilities are divided among the SRMAs, the co-SRMAs where multiple agencies are in charge of different portions of a sector, and CISA. The end result is a “complex and inconsistent web of responsibilities,” the report notes.
Other strategy documents, like the National Infrastructure Protection Plan, which outlines how government and critical infrastructure collaborate, haven’t been updated since 2013, either. Sector-specific plans, which are statements of purpose identifying key assets, risks and threats, have similarly not been updated since 2015, even though the initial releases were little more than “cut and paste” versions of a template that did little to highlight key differences between sectors.
CISA’s priorities and effectiveness
CISA, meanwhile, has its own share of issues as the national risk management agency, according to the CSC 2.0 report. “CISA is not, in many cases, serving as the leader that most interviewees said was needed to realize the full potential of the SRMA framework,” the authors note, going on to say that the agency has seemingly prioritized cybersecurity at the expense of physical security. DHS has warned that violent domestic extremists pose among the largest threats inside the U.S., and there has been a marked rise in physical attacks against substations and critical infrastructure in recent years.
Additionally, the report notes, CISA is not able to fulfill its responsibilities as “it does not receive the inter-agency support necessary to act effectively as the national risk manager.”
The report does offer a dozen recommendations for the administration to consider as it revamps PPD-21. For instance, it recommends that a new version of the policy identify strategic changes such as improving the focus on resilience — keeping systems running when a breach happens — instead of just cyber defense.
The report also recommends that the government update responsibilities for key strategy documents and ensure accountability through clearly defined roles and expectations. It further calls for clarifying CISA’s role as the national risk management agency, as well as the agency’s “ability to compel minimum security standards and to convene or require collaboration or engagement” such as information sharing.
The authors recommend that the updated PPD-21 document identify critical infrastructure sub-sectors and detail how additional sectors will be added or removed from the list of 16. Additional resources for agencies responsible for the sectors will likely be needed to properly serve various industries, the report notes. “Not all sectors need the same amount of support. Not all SRMAs need the same budgets. But all SRMAs should have sufficient resources to meet the needs of their sector,” it says.
CISA should have more “consistent organization roles and responsibilities, as well as clear operational doctrine, for its [national risk management agency] role,” which may include reviewing responsibilities so that the agency doesn’t have too wide of a remit. “CISA also must have the appropriate taskings to implement its authorities to update all policy documents and instruct SRMAs to update their SSPs,” the report notes.
Critical infrastructure is undergoing rapid transformation with the increase in digitization and interconnectivity, creating a complex web of risks that are not fully understood. As such, the White House should organize more collaboration to understand systemic and cross-sector threats, the report notes. And, among the many other recommendations from the CSC 2.0, industries need a single point of contact in the government when the next Colonial Pipeline attack happens.