Last month ended with a major change in global infrastructure regulation. Indeed, with the National Security Memorandum on Critical Infrastructure, the Biden Administration replaced over a decade of critical infrastructure policy with the stroke of a pen.
What’s the new policy all about? Read on to find out.
National Security Memorandum on Critical Infrastructure replaces over a decade of policy
Well, on 30 April, the Biden Administration signed the National Security Memorandum (NSM), intended to secure and enhance the resilience of U.S. critical infrastructure.
The last major policy move on this front was over ten years ago. That was when the Obama Administration first established national policy on critical infrastructure security and resilience.
National Security Memorandum on Critical Infrastructure highlights deteriorating resilience and security picture
Much has changed in the intervening years.
Most significantly, the security and resilience picture for critical infrastructure has become perilous, with industry investment in protective security management technology failing to keep up.
Industry reporting from earlier this year revealed a 30% year-on-year increase (2022 to 2023) in attacks on the world’s critical infrastructure.
If the numbers alone don’t seem impressive, they average out to 13 cyber attacks suffered every second in 2023. And U.S. assets are coming under the heaviest attack.
What’s more, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) recently released an advisory warning critical infrastructure operators about China's ongoing hacking interests.
According to the advisory, a China-backed hacking group had been exploiting vulnerabilities in routers, firewalls, and VPNs to target water, transportation, energy, and communications systems across the country, relying heavily on stolen administrator credentials.
The group had even been seen controlling some victims' video security camera systems, a level of access that could have allowed the group to disrupt critical energy and water controls.
What the National Security Memorandum on Critical Infrastructure does
Out of this context came last month's major announcement. But what does the National Security Memorandum on Critical Infrastructure actually do?
The new policy:
- Reaffirms the designation of 16 critical infrastructure sectors and of a federal department or agency as the Sector Risk Management Agency (SRMA) for each sector. SRMAs will manage day-to-day relationships and provide the sector-specific expertise needed to lead risk management and coordination within their designated sectors.
- Formally codifies CISA as the national coordinator for Critical Infrastructure cybersecurity efforts across the government and private sector.
- Taps the Department of Homeland Security (DHS) to lead the whole-of-government effort to secure U.S. critical infrastructure.
- Introduces a new class of critical infrastructure entity, i.e., systemically important entities. These will be entities deemed by the National Coordinator to own, operate, or otherwise control critical infrastructure that is prioritized based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of Government), national economic security, or national public health or safety.
So, what does it all mean? The new move by the Biden Administration acknowledges the reality on the ground: critical infrastructure assets are vulnerable and getting more vulnerable by the day.
The policy, therefore, shows that government regulators are becoming increasingly serious about protecting the nation’s essential assets. Asset owners and operators, for their part, will have to respond by redoubling their risk management efforts.
One place to start is investing in security management software to identify and understand risks to critical infrastructure and implement effective governance and oversight processes. What capabilities to look for? Download our Critical Infrastructure Software Buyer’s Guide to find out.