Earlier this month, President Biden announced his intention for the administration to “review and revise, as appropriate” the nation’s foundational policy on critical infrastructure, Presidential Policy Directive 21 (PPD 21). This is a seminal moment in homeland security as presidential policy has long been a driver of the nation’s approach to critical infrastructure, which most significantly defines the fundamental relationship between – and within – government and industry to manage risk. And it is a welcome move.
PPD 21, itself, is the third major iteration of executive branch critical infrastructure policy. In 1998, following the Oklahoma City bombing and the rise of the Internet, President Clinton established the importance of the issue through Presidential Decision Directive via PDD-63 on “critical infrastructure protection,” which established much of the modern U.S. framework for government-industry coordination and information sharing on threats and vulnerabilities. President Bush updated that with a terrorism-centric policy on critical infrastructure protection via Homeland Security Policy 7 i(HSPD 7) in 2003, which established the idea of intelligence and vulnerability-driven risk management coordination led by the Department of Homeland Security (DHS). And President Obama replaced HSPD 7 with an all-hazard approach in PPD 21 in 2013 with the amended focus from critical infrastructure “protection” to “security and resilience” and the recognition that there was a need to balance “left-“ and “right-of boom” activities to support safe functioning of critical infrastructure.
I led the interagency Integrated Task Force that was charged with implementing PPD 21 along with the companion piece of administration policy, Executive Order 13636 on critical infrastructure cybersecurity. Together, these two policies have proven to be enduring statements that served the nation well. It is, however, time for PPD 21 not just to be reviewed, but to be revised.
The explanation of why a policy update is needed can be found in the introduction to the National Infrastructure Protection Plan, which contemplates that the nation’s plan for securing critical infrastructure should change when the shift in the policy, operational, and risk environment for critical infrastructure demand it. We are at that stage and it is time to update PPD 21 because the relevant changes related to critical infrastructure have been sufficiently significant to demand a new policy framework.
More specifically, the risk to critical infrastructure has changed in the last 10 years largely because it is now driven from adversarial nation-state actions that threaten U.S. critical infrastructure in an attempt to weaken America’s national and economic security; the operational environment has changed because of the ubiquity of digital technology and data in enabling critical infrastructure functionality; and the policy environment has changed because of the welcome bipartisan recognition that, for America to be strong, there needs to be a focus on strengthening America’s critical infrastructure and the associated industrial base. It is not that those elements were not perceived in 2013, but they were not at the forefront of policymakers during the development of PPD 21. Now, however, they need to be and the United States needs a robust critical infrastructure security and resilience policy that is designed for this era of strategic risk and strategic competition.
So, if the time has come for a change, which seems to be the administration consensus, what changes should be included in the policy? Let me offer five recommendations that are at the top of my list which I hope the Biden administration will consider. Specifically:
- The new presidential policy should establish the idea that it is the administration’s policy to not just manage risk but to reduce risk to critical infrastructure. The National Critical Function (NCF) set (https://www.cisa.gov/national-critical-functions-set) established by the National Risk Management Center (NRMC) within CISA provides the lexicon and model for measuring risk to critical infrastructure and investment should be made to build out that framework and measure the security and resilience of critical functions currently and make explicit the goal of national policy is to enhance those NCFs. (As part of this, the set of 55 NCFs originally established in 2019 should be incrementally modified based on lessons learned.)
- The new presidential policy should be made more risk-based and oriented to the idea that the national imperative is to focus first and foremost on the security and resilience of the country’s most systemically important critical infrastructure. Current policy does not delineate between infrastructure that is loosely defined as critical and that which is systemically important, which has the effect of limiting attention to things that are most critical. Setting the explanation for prioritization based on systemic criticality would be a welcome change from the Executive Branch.
- As part of that, the new presidential policy should revisit and rationalize the current structure of 16 critical infrastructure sectors to a more reasonable set of national priorities. Operationalizing 16 critical infrastructure sectors has proven to be unwieldy and there is reason to think that a smaller set of more evenly sized sectors would be an improvement. To that end, I offer the following sector structure based on a review of critical functions: Banking and Finance, Communications, Critical Manufacturing (to include research and development), Defense and Space Industrial Base, Energy, Food and Agriculture, Government Services (to replace Government Facilities and include election infrastructure), Health and Public Health, Information Technology, Transportation, Water and Wastewater. This broadens the definition of a few of the current sectors and subsumes four sectors into the above: chemical, dams, emergency services, and nuclear. It also acknowledges that “commercial facilities” are too diffuse to truly be thought of as critical infrastructure.This also allows a much more balanced approach to the assignment of Sector Risk Management Agencies (SRMA) where DHS is now the default SRMA for a diffuse set of industries. In doing so, adding the Department of Commerce as a new SRMA would be a nice addition to match the policy overlap of security and innovation.
- The new presidential policy should make clear the intended relationship between the SRMAs and associated regulators. Agencies such as the Federal Communications Commission, the Federal Energy Regulatory Commission, the Securities and Exchange Commission and the Election Administration Commission all have key authorities that can elevate the reliability of critical infrastructure which can drive security and resilience outcomes. Currently, however, PPD 21 doesn’t offer a sustained path for collaboration between SRMAs and the independent regulators and the process for coordination is largely ad hoc. An affirmative statement of how regulation plays into achieving critical infrastructure risk reduction is needed and a structural solution for enduring collaboration across executive branch agencies and independent regulators is needed. This should be done by making regulatory harmonization a core policy goal of the Executive Branch.
- The new presidential policy should explicitly reiterate the policy objective of bridging national security, economic security, science and technology policy, and emergency management into a cohesive set of national outcomes. Stovepipes across mission sets must be broken for effective risk governance.
The final question that the review of PPD 21 has to grapple with is how to orchestrate the policy. A critical open question is how to properly balance the role of the Secretary of Homeland Security as the “national coordinator” for critical infrastructure with coordinating bodies that operate within the Executive Office of the President (specifically the National Security Council and the Office of the National Cyber Director). The DHS Secretary has delegated the coordinator role to the Cybersecurity and Infrastructure Security Agency (CISA) and its predecessors (the National Protection and Programs Directorate and the Office of Infrastructure Protection). This has created interagency friction and unclear lines of responsibility across CISA where the agency has a key policy implementation coordination role, as well as one related to critical infrastructure security operational coordination (and operational support nationally), while also serving as a standalone Sector Risk Management Agency for half of the critical infrastructure sectors. The three distinct roles have caused pressure on the priorities across CISA and have been executed inconsistently.
The new policy has three options to address that: The first would be to take the coordination role outside of a department and place it in White House; the second would be to name the CISA director as matter of policy to be the coordinator and empower parts of CISA to explicitly serve as the National Coordinator staff (this could be a role that could be taken on by a properly resourced NRMC); and, the third would be to have the secretary’s coordination role be played by a DHS headquarters element while the CISA director leads operations.
My inclination, undoubtedly biased by my past experience, is that the second is the best option. I know that there is hesitancy for the Executive Branch to micro-manage agency responsibilities but CISA’s structure and consistency is inextricably linked to the success of PPD 21 and presidential policy which makes clear the importance of a structural solution for national coordination is needed.
As the Biden administration enters its third year the timing is perfect for this policy review and update. Measuring what has worked and what hasn’t over the last 25 years will be important but so too is an affirmative statement that the security and resilience of critical infrastructure demands updates to government structure to better synchronize the levers of national power to support critical infrastructure owners and operators.