The current policy designed to protect the nation’s critical infrastructure sectors against escalating cyber risk is years outdated and requires a significant overhaul, according to a report released Thursday by the Cyberspace Solarium Commission 2.0.
The report outlines significant flaws in the design and implementation of the policy, including efforts by the government to collaborate with private sector partners and the designation of sector risk management agencies over their respective industrial bases.
“The federal government has to organize those sector risk management agencies, make sure they’re building the right relationships with the private sector and that they have all the private authorities they need, and the proper resources to do the tasks,” said Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and a co-author of the report.
The report suggests a major rewrite of the Obama-era Presidential Policy Directive 21, which outlined how federal agencies worked to maintain the digital and physical security of critical infrastructure providers. The CSC is also calling for additional changes that strengthen the role of the Cybersecurity and Infrastructure Security Agency to better coordinate federal response to critical infrastructure threats.
The report comes at a critical time for the Biden administration, which has begun a historic effort to overhaul the nation’s cybersecurity posture following the state-linked supply chain attack against SolarWinds and the Colonial Pipeline ransomware attack.
Following the May 2021 Colonial attack, which caused a major disruption of fuel supplies to the southern and eastern parts of the U.S., the Transportation Security Agency launched a series of measures to bolster the resilience of pipelines.
Just last week, key administration officials addressed the critical infrastructure security plans during a forum backed by the Center for Strategic and International Studies.
Among the major concerns raised in the report is that the current system doesn’t clearly designate responsibilities for responding to a cyber incident, so multiple agencies can overwhelm a company with the same set of questions in response to an attack.
As federal authorities press forward with efforts to boost cyber resilience and speed incident reporting for critical infrastructure providers, administration officials at the CSIS forum emphasized their desire to streamline the regulatory burden and minimize the number of duplicative processes in the federal agency response to attacks.
“In the context of an incident, I think there’s a brass tacks need for the federal government to have its agencies talking amongst themselves on the backend, so that we are not burdening a victim company with multiple knocks on the door asking duplicative questions,” Rob Silvers, under secretary of Homeland Security for strategy, policy and plans, said during the forum.