The Cybersecurity & Infrastructure Security Agency identifies 16 critical infrastructure sectors. Each of these sectors is an attractive target for cyberattacks. Protecting critical infrastructure is vital to national security, but the United States government cannot do it alone. The private sector owns more than 80% of the country’s energy infrastructure, according to CISA. Securing critical infrastructure requires effective collaboration between the public and the private sectors.
CSC 2.0, the successor to the Cyberspace Solarium Commission (CSC) created by the John S. McCain National Defense Authorization Act for Fiscal Year 2019, has released a new report that identifies weaknesses in public-private collaboration and maps out recommendations for revamping that relationship to safeguard critical infrastructure.
Examining Public-Private Collaboration
The government has spent decades resourcing agencies and establishing ways to work with the private sector to protect critical infrastructure. Miguel Clarke, GRC and cybersecurity lead at managed detection and response company Armor Cybersecurity and a former special agent in the FBI’s cybersecurity division, points to CISA’s creation, the investigative capabilities of the FBI and Secret Service, and policies that facilitate information sharing. “In effect, we are only as good as we are now because of government leadership,” he says. “However, what has gotten us here will not get us ‘there.’ The partnership needs to shift focus, moving from risk management to resilience.”
While the CSC 2.0 report recognizes the efforts to foster a strong public-private relationship, it describes how the policy behind this collaboration is outdated and inadequate. “In short, the strategic policy documents governing public-private collaboration are stale, having not been updated for a decade, and the implementation of the collaboration has not been sufficiently organized, resourced, and focused,” says Annie Fixler, a co-author of the report and director of the Center on Cyber and Technology Innovation at the nonpartisan think tank Foundation for Defense of Democracies.
In 2021, a breach took Colonial Pipeline’s systems offline for several days. The CSC 2.0 report highlights this incident as a prime example of shortcomings of public-private collaboration. It points to a breakdown in government information sharing; during incident response “information appears to have been siloed within government agencies,” according to the report.
Each critical infrastructure sector has a Sector Risk Management Agency (SRMA), which is responsible for collaborating with the public sector. The CSC 2.0 report calls out inconsistent performance across these agencies. The Colonial Pipeline incident demonstrated that “at least some elements of the SRMA framework are not optimized for crisis response,” according to the report.
Lastly, the report highlighted the insufficiency of collaboration and partnerships prior to the Colonial Pipeline crisis. “At the time of the incident, Colonial Pipeline had no regulatory requirement to inform the government of a cyber breach, nor was the company required to meet specific cybersecurity standards,” according to the report.
The report identifies a total of 10 shortcomings and challenges standing in the way of public-private collaboration. It “draws on public reporting, including assessments by the Government Accountability Office, the Cyberspace Solarium Commission, CISA’s Cybersecurity Advisory Committee, and CISA’s own assessment of the performance of federal agencies as sector risk management agencies (as ordered by the FY2021 National Defense Authorization Act),” Fixler explains. “We also conducted numerous interviews with current and former government officials and industry experts.”
Recommendations for Improvement
The Presidential Policy Directive 21 (PPD-21), put in place in 2013, created a framework for protecting critical infrastructure. The Biden Administration is rewriting PPD-21, and the CSC 2.0 report offers guidance on making the framework more effective.
“The recommendations fall into two categories: how to update the strategic policy document and how to improve implementation of public-private collaboration,” says Fixler.
When it comes to rewriting PPD-21, the report calls for changes like more clarity around roles and responsibilities, more guidance on the organization and operation of SRMAs, and the facilitation of accountability. To improve implementation and resourcing efforts, its recommendations include strengthening CISA’s capabilities, resourcing SRMAs, improving information sharing, and ensuring effective response to emergencies.
What will it take to implement the recommended changes?
Clarke views the recommendations as a good start, but believes commitment is needed to drive meaningful change. “Every role involved in the disaster/critical incident response needs to be committed to the resilience of the critical asset(s), even if it sacrifices short-term agency or corporate goals,” he says. “This would require a level of agility that few (if any) federal agencies possess.”
The private sector could bring agility and innovation to the renewed focus on collaboration. “We understand the motivations and weapons being deployed by the threat actors. Private companies can pivot quickly to build defense recommendations,” says Betsy Soehren-Jones, COO of supply chain risk management cybersecurity company Fortress Information Security. “Government’s standard operating procedures sometimes prevent this type of agility and speed of response.”
Adequate resourcing will be vital, but there is not a one-size-fits-all approach across critical infrastructure. “Resourcing for critical infrastructure continues to be a complex challenge, particularly for sectors that have a limited ability to increase their rates to cover additional cybersecurity costs,” says Ilona Cohen, chief legal and policy officer at security platform and hacker program HackerOne and former general counsel of the White House Office of Management and Budget.
Fixler acknowledges the unique needs of each critical infrastructure sector on the government side. “Not all sector risk management agencies will need to request the same resource levels in the president’s annual budget request, but Congress will need to appropriate sufficient funding to each agency as is required for that agency to effectively execute the responsibilities that they have,” she says.
The scope and timeline of the new PPD-21 are not solidified, but the benefits of reimagining the public-private relationship and empowering that change are evident. “Let me count the ways it helps us all to be more secure and resilient. Speed, agility, efficiency, transparency — to name a few. Collaboration is the key. It is the foundation for any successful national cybersecurity endeavor,” Soehren-Jones says.