The Biden administration is updating the U.S. government’s blueprint for protecting the nation’s critical infrastructure from hackers, terrorists and natural disasters.
On Tuesday, President Joe Biden signed a national security memorandum revising a 2013 directive outlining how agencies, private companies and state and local governments work together to improve the security of hospitals, power plants, water facilities, schools and others critical infrastructure.
Biden’s memo, full of updates to Obama-era policy and new responsibilities for federal agencies, comes as the U.S. faces a range of serious threats to the computer systems and industrial facilities of everyday life. In addition to foreign government hackers and cybercriminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is causing natural disasters that regularly overwhelm basic services.
However, the biggest danger in the near future is foreign cyber threats. “America faces an era of strategic competition in which state actors continue to target critical American infrastructure and tolerate or enable malicious activities by non-state actors,” Caitlin Durkovich, deputy homeland security adviser for resilience and response, told reporters during a briefing Monday.
The memorandum has three main objectives: to formalize the role of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency responsible for protecting infrastructure from malicious actors and natural hazards; improve partnerships with the private sector through faster and more comprehensive information sharing; and lay the foundations for minimum cybersecurity requirements for sectors where they currently do not exist.
The regulatory push represents a dramatic shift from the government’s approach to protecting infrastructure a decade ago. After concluding that voluntary partnerships do not adequately reduce risks to essential services, the Biden administration has introduced new cyber rules the aviation, pipeline, railroad, shipping and medical device industries, and the Department of Health and Human Services is working on safety requirements for hospitals. Now the government plans to use the new memo to advance efforts to apply the rules to other sectors.
“It is important that we work together to establish baseline safety standards for the vital sectors on which the American way of life and our democracy depend,” Durkovich said.
The document tasks the government’s Sector Risk Management Agencies (SRMAs) – each of which oversees and assists one or more infrastructure sectors with cyber and physical security – to determine whether existing rules adequately address the vulnerabilities of their industries and, if so not to develop new rules. The memo includes a process to help agencies if they conclude they “lack the necessary tools or authority to ensure effective implementation of these requirements,” a senior administration official said during Monday’s briefing, according to the White House conditions spoke anonymously.
That process is intended to support agencies like the Environmental Protection Agency, which tried to impose cyber requirements for water systems in 2023 but abandoned that effort after a legal challenge from industry groups and Republican-led states.