Whether at the national or local level, the core of advancing critical infrastructure security and resilience lies in adopting a risk management approach. This approach identifies which infrastructure and functions are most critical to secure and make resilient. Doing so protects communities and their populace, maintains national security, and facilitates economic competitiveness. To achieve effective risk management, it is essential to prioritize areas of risk: What is genuinely the most critical?
Among the enhancements in the 2013 National Infrastructure Protection Plan – now a decade old – was the articulation of four “Lifeline” functions as priorities: Communications, Energy, Transportation, and Water. According to the Cybersecurity and Infrastructure Security Agency, when something is a lifeline function it “means that their reliable operations are so critical that a disruption or loss of one of these functions will directly affect the security and resilience of critical infrastructure within and across numerous sectors.” What the NIPP put in place was the idea that these functions needed to be prioritized to enable overall critical infrastructure security and resilience across all 16 sectors.
The idea behind identifying these functions was to note that all critical infrastructure, to some extent, couldn’t operate securely and safely without lifeline functions working. There is a level of dependency and interdependency across critical risk management that required sector coordination and resilience planning. In 2017, FEMA took that concept a step further and introduced the idea of community lifelines as part of response operations. Community lifelines are functions that must be stabilized for communities to respond and recover from disaster. In addition to the four aforementioned functions, the lifelines include Safety and Security, Food and Shelter (and Hydration), Health and Medical, and Hazardous Materials.
Taken together, these two lists set an essential prioritization schema for emergency response and investment in infrastructure resilience. The safe functioning of the related infrastructure necessary to produce those functions enables community well-being and economic activity. Lifelines also provide a view of key protection targets in the face of armed or cyber conflict.
Looking back on that 2013 list with the benefit of 2023 perspective, however, what is notably missing from that list is Cloud Computing and Data Management, which has many of the same characteristics as lifeline functions and should now be recognized as such.
The reason that Cloud Computing and Data Management should be considered a lifeline function is because technology has changed. In work that I am involved in with the Carnegie Endowment of International Peace (Cloud Reassurance Project: Interim Report – Carnegie Endowment for International Peace), we cite that by the end of 2026 cloud services are projected to account for over two-thirds of all computing and storage infrastructure. In 2013, cloud computing was not yet in ubiquitous use across critical infrastructure, and data management was still largely thought of as a business-enabling requirement as opposed to a function enabler. Today, however, almost all critical infrastructure is dependent on the ability to use, manage, and store data to support technology-enabled decision-making. And this is largely done in the cloud.
At the same time, the hockey-stick growth of artificial intelligence has put a premium on the importance of data for automated operations and effective decision-making to support resilience. In short, when creating a list of the things that need to be available for communities and economies to function, Cloud Computing and Data Management are lifelines that belong on the list.
Why does expanding the list of lifeline functions matter for homeland security? I would argue that there are four primary reasons: 1) Immediate response prioritization, 2) Preparedness planning, 3) Expectation of service delivery, and 4) Security and Resilience prioritization.
Let’s unpack that. The first area is response prioritization, which generally means that in the face of incidents the response community (both cyber and physical) works to stabilize the lifeline functions through dedicated effort as part of the response. This includes enabling response workers to gain access to closed areas, prioritizing service restoration, and facilitating redundancy solutions (including regulatory waivers and technology rollovers). Cloud computing, which relies on complex IT infrastructure, physical data centers and supporting services (power and water, for example), should be prioritized. As part of that, any need to reorchestrate the logical flow of information and allow for backup operations should be supported by necessary policy and regulatory changes.
The second reason that lifeline functions matter is preparedness and contingency planning. The failure or degradation of lifeline functions is a scenario that all communities and businesses need to account for – and it needs to be imagined at a regional scale. As part of that, exercises (such as the Electricity Sector “GridEx”) need to be conducted to develop restoration, failover, and zero-availability plans. Operating without lifelines is a challenge, but exercises and plans need to test what feasible alternatives exist and for how long.
A third reason to declare Cloud Computing and Data Management a lifeline function is that it supports a discussion of what is realistic in terms of service delivery and the loss of availability. Setting these assumptions and developing contracted, incentivized, and, if necessary, regulatory approaches to ensure this availability standard is an important element of critical infrastructure resilience.
Finally, there is the basic question of prioritization of efforts to keep the most critical things secure and resilient. Security is generally achieved through a layered approach to critical target protection, and resilience is achieved through additional investment. The infrastructure that enables Cloud Computing and Data Management has to be prioritized with those needs in mind, particularly as it relates to cybersecurity.
The administration is continuing its efforts to update Presidential Policy Directive 21, which sets the national policy for critical infrastructure security and resilience. In doing so, calling out the importance of Cloud Computing and Data Management as a lifeline function is an important step.
