The Biden administration is updating the US government’s plan to protect the country’s most critical infrastructure from hackers, terrorists and natural disasters.
On Tuesday, President Joe Biden will sign a national security memorandum that reforms a 2013 directive which describes how agencies work together, with private companies, and with state and local governments to improve the safety of hospitals, power plants, water facilities, schools, and other critical infrastructure.
Biden’s memorandum, which is packed with updates to the Obama-era directive and new appropriations for federal agencies, comes at a time when the United States faces a number of serious threats to the computer systems and industrial equipment that support daily life. In addition to foreign government hackers and cybercriminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have conspired to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.
But foreign cyber threats are growing in importance as a near-term danger. “The United States faces an era of strategic competition, in which state actors will continue to attack American critical infrastructure and tolerate or enable malicious activities carried out by non-state actors,” Caitlin Durkovich, the US deputy national security adviser for resilience and response, told reporters during a briefing on Monday.
The memorandum has three main purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency charged with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster and more comprehensive information exchange; and to lay the foundation for minimum cybersecurity requirements for sectors that currently lack them.
The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, concluding that voluntary partnerships did not sufficiently reduce risks to essential services, has applied new cyber rules to the aviation, pipeline, railway, maritime, and medical device industries, and the Department of Health and Human Services is working on safety requirements for hospitals. Now, the administration plans to use the new memo to boost efforts to apply rules to other sectors.
“It is important that we work together to establish basic safety standards for the vital sectors on which the American way of life and our democracy depend,” Durkovich says.
The document instructs the government’s “Sector Risk Management Agencies,” or SRMAs, each of which monitors and assists one or more infrastructure sectors with physical security and cybersecurity, to determine whether existing rules adequately address the vulnerabilities of their industries and, if not, to develop new rules. The memo includes a process to help agencies if they conclude they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously under terms set by the White House.
That process is designed to support agencies like the Environmental Protection Agency, which attempted to issue cyber requirements for water systems in 2023, but abandoned the effort after a legal challenge by industry groups and Republican-led states.