Federal Cyber Oversight of Critical Infrastructure Is Failing, Report Warns
The system for managing cyber risk is fragmented and confusing, policy group says.
The system for managing cyber risk among U.S. critical infrastructure sectors is outdated, cumbersome and risks damaging private-sector cooperation, the successor group to a Congressional commission said in a report released Wednesday.
Federal agencies need more funding for cyber oversight and the role of the lead U.S. cyber-risk manager—the Cybersecurity and Infrastructure Security Agency—should be clarified, according to the report by the Cyberspace Solarium Commission 2.0. The 2013 policy that established the current cybersecurity response and governance system urgently needs to be revised, the report added.
“We are massively inconsistent across federal agencies in our performance as sector risk-management agencies, and across the sectors in their willingness to cooperate and participate,” Mark Montgomery, the executive director of the group and one of the report’s authors, said in a call with reporters.
Critical infrastructure in the U.S. is divided into 16 sectors, covering areas such as financial services, chemicals, the defense industrial base and energy companies, with a federal agency assigned to oversee cybersecurity risk management for each sector.
In practice, who is responsible for what is far less clear, said Annie Fixler, one of the report’s authors and director of the center on cyber innovation and technology at the Foundation for the Defense of Democracies, a national-security think tank.
The May 2021 ransomware strike on Colonial Pipeline shows how wires can quickly become crossed, Fixler said. In Congressional testimony, Colonial executives said they initially notified the Federal Bureau of Investigation of the attack because it is the government’s lead incident-response agency.
However, the Transportation Security Administration is the sector risk-management agency for pipelines, and CISA, which focuses on infrastructure protection, later learned of the attack from the FBI, Fixler said. The government eventually named the Energy Department as the lead U.S. agency for the federal response to the attack. During the incident, Colonial shut operations for six days, prompting panic buying that drove up gasoline prices.
“It really showed us how the current framework breaks down in a crisis,” Fixler said.
Colonial declined to comment. The FBI also declined to comment. The TSA didn’t immediately respond to requests for comment.
The current system was largely created by Presidential Policy Directive 21, an Obama-era document that set up sectors and assigned federal agencies to oversee them. The directive is now irrelevant, Montgomery said, pointing to cloud computing as an example of how technology development has outpaced policy.
The document was also written before CISA’s creation in 2018.
The Biden administration said in November it would rewrite the directive, with an estimated completion date of September 2023. The White House is working with federal agencies to delineate roles, according to a senior administration official. For example, an FBI or Secret Service field office might be the most appropriate starting point for a response, but CISA officials should be brought in along with other agencies where needed.
“That is certainly the flavor that we’re looking for in the White House, which is unity of effort,” the official said. “There’s so much work to be done that there’s no need for sharp elbows, because frankly everybody’s mission is essential.”
Montgomery said meeting such an aggressive deadline would be unlikely if proper industry consultation took place, which he added is critical to ensuring any revisions work better.
“Involving the private sector will slow things down, but also produce a product with buy-in, and I think that’s critical,” he said.
Changes should include clearly stating how CISA and agencies responsible for specific sectors interact, as many cyberattacks cut across industries, said Mary Brooks, one of the report’s authors.
“At this point, almost all incidents are cross-sector incidents. Everything is so interrelated and interconnected with many of the other sectors out there,” said Brooks, a public policy fellow at the Wilson Center current-affairs think tank.
A CISA spokesperson said the agency is participating in the rewriting process and working with other federal agencies to figure out the best way to proceed.
“We believe the rewrite will help clarify CISA’s role as this National Coordinator, as an SRMA to critical infrastructure sectors, and as a resource for our partners to help them assess, mitigate, and respond to threats,” the spokesperson said.
Corrections & Amplifications
The ransomware attack against Colonial Pipeline occurred in May 2021. An earlier version of this article incorrectly said the attack was in May 2020. (Corrected on June 7)
Written by: James Rundle, reporter, for The Wall Street Journal.