White House cements CISA’s role as national coordinator for security and resilience
In 2013, the Obama Administration rolled out “The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience”, a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created “to strengthen and maintain secure, functioning and resilient critical infrastructure.”
The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President Joe Biden signed a new directive that reinforced CISA’s role in protecting critical infrastructure from cyber threats.
This new National Security Memorandum (NSM) was long-awaited by the cybersecurity industry. While it firmly establishes CISA’s role in national security, it falls short in efforts to address changes in the critical infrastructure landscape over the past decade.
Why no updates to critical infrastructure industries?
In the original Obama-era document, sixteen industries are labeled as critical infrastructure, which work directly with different agencies and Cabinet-level departments labeled as Sector Risk Management Agencies (SRMA). These industries and SRMAs include Chemical, Critical Manufacturing and Emergency Services under the Department of Homeland Security, Food and Agriculture under the Department of Agriculture and Financial Services under the Department of Treasury.
In the Biden NSM, those sixteen industries remain intact, with nothing more added. That the NSM doesn’t include space or bioeconomy — two critical infrastructure industries recommended for inclusion by CISA — surprised many in the security sector.
Despite the role that space plays in telecommunication, internet services, satellites and GPS, government officials said it was left off the list because the space infrastructure is widely segmented and part of other sector agencies.
“There is no single agency in charge,” Sam Visner, Chair of the Board of Directors at the Space Information Sharing and Analysis Center and a fellow at the nonprofit Aerospace Corporation, was quoted as saying in CyberScoop.
While not included in the critical infrastructure security directive, the bioeconomy industry is the focus of a 2022 Executive Order and building a deeper understanding of the new technologies that form the industry.
CISA’s role cemented
Even though the industry list remains unchanged, CISA’s role has been more clearly defined. The NSM has deemed CISA as the “national coordinator for security and resilience” of the nation’s critical infrastructure and partnering agencies. CISA will now officially “leverage its statutory responsibility to lead the national effort to understand, manage and reduce risk to cyber and physical infrastructure by working across the interagency and further supporting the implementation of SRMA roles and responsibilities,” according to the agency’s website.
As part of its role, CISA will be responsible for assessing progress to improve security priorities and resiliency across the sixteen critical infrastructure agencies, as well as identifying threats and recommending measures to improve cybersecurity. CISA will support its partners across the government in the sharing of critical security information.
Security of the critical infrastructure has never been more important. With the increasing threats coming from nation-state actors, a rise in attacks directly against critical entities and the questions surrounding the impact of AI or cloud computing and other newer technologies on overall cybersecurity, it was time that directives around critical infrastructure were revised. The NSM, while admittedly falling short with the exclusion of the emerging role of crucial industries, offers a way to coordinate the varied subsections of the infrastructure and their governing agencies and should play an important role in securing the nation overall.
More from News
May 13, 2024
Debate rages over DMCA Section 1201 exemption for generative AI
3 min read – The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…
May 10, 2024
CISA Malware Next-Gen Analysis now available to public sector
2 min read – One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…
May 8, 2024
Change Healthcare attack expected to exceed $1 billion in costs
3 min read – The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1…
Topic updates
Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
This post was originally published on the 3rd party site mentioned in the title of this this site