Slicing through Biden’s NSM-22 amidst ongoing need to shore up critical infrastructure security and resilience

The recent National Security Memorandum 22 (NSM-22), signed by U.S. President Joe Biden, prioritizes bolstering the security and resilience of the nation’s critical infrastructure. The memorandum also serves to modernize and supersede a previous presidential policy document, the 2013 Presidential Policy Directive 21 (PPD-21), issued by former President Barack Obama, which focused on critical infrastructure protection. NSM-22 designates the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to lead a coordinated, whole-of-government effort to manage risks across 16 critical infrastructure sectors. 

Addressing modern threats, such as cyberattacks and climate change, and underscoring the importance of federal and international collaboration, the NSM-22 has sparked discussions on its efficacy and potential shortcomings. Although space and cloud assets are becoming increasingly crucial, neither has been designated as a critical infrastructure sector, a significant gap. Cloud infrastructure is essential for digital services, but the space domain needs the most urgent attention.

The space arena is becoming more contested, with adversaries acknowledging the strategic significance of space-based capabilities and actively pursuing methods to disrupt or restrict access in the swiftly evolving frontier. From communication and navigation to surveillance and weather forecasting, space systems support a diverse array of essential civil and military activities, underscoring the importance of safeguarding them for economic and national security purposes.

The NSM-22 comes as the U.S. pointed to the evolving risks to critical infrastructure, as nation-state adversaries have demonstrated a growing willingness to use cyber capabilities to compromise and hold at risk critical infrastructure systems and assets with no inherent espionage value, in order to further their broader strategic objectives. Such disruptions could support or enable an adversary’s strategic objectives outside of the cyber domain and pose challenges for risk management within and across critical infrastructure sectors.

Industrial Cyber consulted industrial cybersecurity experts to gather their key insights from the NSM-22. They delved into how these measures can enhance the critical infrastructure sector’s overall cybersecurity posture and resilience.

RADM (Ret.) Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the FDD

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD), told Industrial Cyber that the NSM does a good job spelling out the importance of risk management to improving the security of national critical infrastructures. “Specifically, it fleshes out the responsibilities of Sector Risk Management Agencies – federal agencies that serve as partners to the private sector. This is appropriate but comes more than three years after Congress passed a law assigning SRMAs these same broad tasks,” he added. 

Montgomery noted that the document is also a long overdue federal acknowledgment that CISA is the National Coordinator for critical infrastructure security and resilience, meaning that CISA will ensure SRMAs are fulfilling their responsibilities and will identify cross-sector risks.

Marco (Marc) Ayala, president of the Houston InfraGard Members Alliance, stated that the NSM has minimal impact on day-to-day operations and the private sector. “Any guidance within the NSM necessitates policy adjustments with relevant regulatory bodies, which is a time-consuming process. It’s premature to determine whether the Policy Principal Objectives will enhance resilience. Both CISA and the respective Sector Risk Management Agencies (SRMAs) work within their mandated authorities. Whether modifications to these authorities are necessary to achieve the objectives remains uncertain,” he added. 

Marco Ayala, president of the Houston InfraGard Members Alliance and director and ICS cybersecurity section lead with 1898 & Co.

“The NSM advocates for a risk-based approach, yet the Department of Homeland Security (DHS) lacks a unified risk model for comparative analysis within its domain or across federal departments. Implementing a risk-based approach also involves assessing interdependencies,” Ayala told Industrial Cyber. “Gathering the data needed to understand physical security interdependencies among critical infrastructure assets would require years with current resources, not to mention potential challenges in compelling partners to share information.” 

Ayala pointed out that understanding cyber interdependencies would be even more complex and would likely necessitate additional regulatory powers to compel cooperation from infrastructure partners. “Additionally, in my view, the Software Bill of Materials (SBOMs) would require formalization.”

Gerry Kennedy, CEO at Observatory Strategic Management

Risk assessments must consider all threats and hazards, likelihood, vulnerabilities, and consequences, including shocks and stressors — as well as the scope and scale of dependencies within and across critical infrastructure sectors, immediate and long-term consequences, and cascading effects, Gerry Kennedy, CEO at Observatory Strategic Management, told Industrial Cyber. “Owners and operators are uniquely positioned to manage risks to their individual operations and assets, including their interdependencies with other entities and sectors,” he added.

“In order to improve our Information Technology and Operational Technology security and resilience we need to admit the owner-operators have an inherent bias by the fact that ‘It belongs to them!’” Kennedy mentioned. “We have to have the bias taken seriously and the insurance industry has been well positioned to handle the bias because we third party verify as a trade. However, our cumulative performances have been weak. We can directly report, educate, and enforce these directives by incorporating them into our business rules.”  

He added, “We can ‘throttle’ coverages to ensure compliance both contractually and extra-contractually to manage supply chain ‘third party risks’ that are not addressed in this directive.”

The executives shed light on the identified shortcomings in the NSM’s strategy for tackling cybersecurity threats to critical infrastructure. They assess whether these principles are comprehensive enough to effectively counter the increasing wave of cybersecurity threats and attacks, as the nation endeavors to fortify the security and resilience of its critical infrastructure.

Even though the vast majority of critical infrastructure is owned and operated by the private sector, Montgomery said that there is too little discussion in the NSM of the private sector’s role in the assessment and decision-making to ensure the security and resilience of that infrastructure.

“The NSM also draws the shocking conclusion that despite significant technological advances over the past decade, U.S. critical infrastructure sectors have not changed,” according to Montgomery. “There is still no ‘space systems’ sector despite a CISA report two years ago recognizing that commercial space systems likely fit the definition of critical infrastructure. As a result of this failure, the United States will continue to have disjointed approaches to space access and security that ignore the exponential growth in private sector space presence.”

Montgomery added that the NSM also fails to recognize cloud service providers and cloud computing as a critical infrastructure despite every other federal strategy, executive order, and even the recent Cyber Security Review Board report on the Chinese breach of Microsoft highlighting the critical role that cloud plays in U.S. security and prosperity and its ubiquity across critical infrastructure.

Ayala pointed out that the Goldwater-Nichols Act of 1986 mandated ‘Jointness’ within the Department of Defense. “Comparable legislation is necessary to drive substantive change that transcends administrations and dismantles interagency barriers hindering meaningful progress. Without legislation accompanying a unified risk model, the likelihood of substantial, measurable change remains minimal,” he added.

Kennedy said that the shortcomings are evident and accountability is the keynote.  

“The failures of reporting are vast and we have robbed ourselves of actual data by the aggregation of the events which would have allowed us a development of an early warning system, what we called a Cyber Radar,” Kennedy observed. “Again, the insurance industry was poised to perform this task and frankly it still can be done. This is tantamount to a cyber Manhattan Project that requires accountability, which is being weakened by legal actions to minimize accountability. There are no ‘Hall Passes’ in this fight.”

The executives analyze the differences between the latest measures and previous Executive Orders and security directives. They also look into whether these measures are adequate to truly impact the safeguarding of critical infrastructure and the enhancement of resilience this time around.

Montgomery outlined that the NSM rightly shifts the government’s focus towards risk management and the need to identify, prioritize, and mitigate risk in each sector and on a cross-sector basis. “As a result, both the national critical infrastructure plan and the individual sector-specific plans will take a stronger risk-based approach to cybersecurity and resilience. As part of this risk-based approach, the NSM also acknowledges that there are ‘systemically important entities,’ assets so critical to U.S. national or economic security that they must be preemptively protected,” he added.

“Once more, it’s premature to make a definitive assessment,” according to Ayala. “There’s a need for agencies to modify their policies, followed by the implementation of these policy changes, which will eventually undergo review by the GAO or another relevant body.”

Kennedy said that, honestly, “when these directives are put out you immediately look to the political bias. We don’t have the luxury of political bias so time will tell as to how this plays out. We sent the Treasury Department our cyber assessments about just the transportation sector and frankly, we were correct. These assessments are not pretty, but they are downright ugly when they come true and apathy was the rule of the day,” he added.

The executives assess the effectiveness of the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) in fulfilling their responsibilities as defined in the NSM. They also examine whether these agencies possess the necessary resources in terms of techniques, expertise, and personnel to meet the demands of the current cybersecurity landscape.

CISA has the building blocks to be an effective cyber defense agency, Montgomery said. “Over the past few years, Congress has doubled its budget and provided the agency with many of the needed authorities. CISA cannot afford, however, to take its foot off the gas. It needs steady budget increases to ensure it has the technical expertise and knowledgeable staff to lead on critical infrastructure resilience,” he added.

“Elsewhere in the federal government, however, the Biden administration is failing to put its money where its mouth is on critical infrastructure cybersecurity,” Montgomery highlighted. “The president’s budget allocates far too little funding to SRMAs like the departments of Health and Human Services, Agriculture, and Education and the United States Coast Guard, to secure the critical infrastructure services that Americans rely on every day.”

Ayala assessed that overcoming the lack or absence of a model, the authority to mandate data collection, and the manpower needed for collection and analysis poses significant challenges. “CISA and SRMAs are unable to address the current shortage of cyber personnel. Additional staff would be necessary to assume these added duties. Interdependency data collection is not a one-time task; rather, it requires continuous effort,” he added.

Kennedy said that they definitely have the skills and resources, and as for staff, they have plenty. “‘Do they have the right staff?’ is the question. The key here is the creation of a community inside the box, but more importantly outside the box. Too many ‘Yes Men/Women’ is very bad!”

The executives delve into potential shifts in strategy or policy direction within the NSM compared to previous administrations’ approaches to critical infrastructure security. They also explore expert evaluations of the NSM’s effectiveness in fortifying the security and resilience of critical infrastructure against cyber threats.

Montgomery mentioned that one of the most important and least discussed components of what the NSM does is to improve the way the Intelligence Community works with the private sector. “The NSM quietly acknowledges that the Cyberspace Solarium Commission was right four years ago when it urged that the intelligence community leverage sector expertise to inform intelligence collection and analysis.” 

He added that the NSM directs improved coordination between the intelligence community, CISA as the National Coordinator, the SRMAs, and critical infrastructure owners and operators themselves. “A shared understanding of the threat landscape is the first step towards effective, collaborative defense.”

“Following 9/11, physical security efforts have been organized into separate channels,” Ayala identified. “While this memo may not enact sweeping changes, it underscores the ongoing pursuit of improvements, akin to the spirit of Goldwater-Nichols. The recently established Office of the National Cyber Director aims to enhance coordination in cyber policy across government entities. However, it faces challenges in this endeavor, as evidenced by the Deputy National Security Advisor’s prominent role in shaping proposed cyber regulations for the private sector,” he added.

“The notable shifts and strategy are afforded by the fact that we have more of a perspective than prior administrations had,” Kennedy assessed. “The adversaries are more publicly known, and that has been a tremendous advantage as we’ve been able to mentally categorize the risk based upon the threat vectors that have manifested by the skills of the bad actors. This is exactly why reporting is so critical, so we can further gain detail and skill subsets of those bad actors to do predictive modeling.”

He emphasized that the effectiveness of the NSM can be evaluated through a concept known as ‘mapment.’

“We currently map not only the threat actor but the actions of those that are affected by the cyber events. We map their responses, reaction times, levels of initial disclosures followed up by the inevitable revisions caused by the fears of reporting,” Kennedy explained. “If we see a level of transparency and communication improve you will see a financial impact in the claims paid by the insurance industry. Lastly, we need a 201-day amnesty to ‘backfill’ the rampant failures of reporting. This would be a wonderful opportunity to gain back time lost.”
