U.S. Secretary of Homeland Security Alejandro N. Mayorkas has released strategic guidance to bolster critical infrastructure security and resilience. Issued under President Joe Biden’s National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), the guidance directs federal agencies, critical infrastructure owners and operators, and other stakeholders to focus on specific risk areas, and it sets the priorities for the 2024-2025 national critical infrastructure risk management cycle that NSM-22 establishes. The effort, planned for the next two years, is designed to safeguard the critical infrastructure systems essential to everyday American life.
The priority areas set down in the strategic guidance are addressing cyber and other threats posed by the People’s Republic of China (PRC); managing evolving risks and opportunities presented by artificial intelligence and other emerging technologies; identifying and mitigating supply chain vulnerabilities; incorporating climate risks into sector resilience efforts; and addressing the growing dependency of critical infrastructure on space systems and assets.
The director of the Cybersecurity and Infrastructure Security Agency (CISA), as the national coordinator for critical infrastructure security and resilience, will drive the sector-specific risk assessments and sector-specific risk management plans prepared by, or on behalf of, Sector Risk Management Agencies (SRMAs) and other key partners. Those assessments and plans are expected to address the outlined priority risk areas and adopt the identified risk mitigation activities, culminating in the National Infrastructure Risk Management Plan.
“From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Mayorkas said in a media statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work. I look forward to continuing our work with partners at all levels of government and the private sector to better ensure the safety of all Americans.”
“Through close collaboration with our partners, CISA and the Department are working towards safer and more secure critical infrastructure to ensure the functioning of government, the delivery of essential services, and the protection of the American people,” said CISA Director Jen Easterly.
The 2024 Homeland Security Threat Assessment assesses that domestic and foreign adversaries will likely continue to target the nation’s critical infrastructure, in part because they perceive that disrupting these sectors would be detrimental to U.S. industries and the American way of life. From attacks aimed at disrupting services to espionage focused on gaining access to networks and stealing sensitive information, these actors are constantly adapting their techniques to gain access to, and potentially compromise, these entities.
Mayorkas emphasizes in the document the need to build upon existing public-private partnership models and strive for meaningful operational collaboration. “In so doing, efforts of the critical infrastructure community should prioritize the following five priority risk areas. While these priorities vary in complexity and familiarity and will require different levels of engagement across the various sectors, SRMAs should address these risks as part of their efforts to implement NSM-22, including through engagement, bi-directional information sharing, and enhanced collaboration with industry through existing Information Sharing and Analysis Centers (ISACs), Sector Coordinating Councils (SCCs), and Government Coordinating Councils (GCCs),” it added.
To address cyber and other threats posed by the PRC, the DHS will collaborate with government and private sector partners to develop plans and capabilities to manage the consequences of complex incidents involving critical infrastructure, including a National Security Emergency Plan and updated National Cyber Incident Response Plan, and to strengthen intelligence and information sharing across the community. Capacity-building efforts to address the PRC threat will increase the security and resilience of our infrastructure against other state and non-state sponsored actors.
On managing the evolving risks and opportunities presented by artificial intelligence (AI) and other emerging technologies, Mayorkas said that the DHS “must continue to proactively address AI as a transformative and general-purpose technology and consider the implications of other emerging technologies on critical infrastructure.”
Also, the guidance noted that SRMAs and critical infrastructure owners and operators should integrate relevant risk assessments and DHS guidance into their sector-specific risk assessments and sector-specific risk management plans to address risks from AI and other emerging technologies. “While we must look to mitigate new risks, we must also recognize that new AI-enabled systems and other emerging technologies will also provide new tools to help mitigate threats to critical infrastructure. SRMAs should identify, and where possible pilot or deploy, AI and other technology-informed risk mitigation tools to increase the security and resilience of critical infrastructure against other threats considering the National Institute of Standards and Technology (NIST) AI Risk Management Framework and relevant DHS guidance.”
Mayorkas also highlights the importance of increasing visibility into shared international systemic risks to identify and mitigate supply chain vulnerabilities. This enhanced understanding is crucial for managing and reducing risks to U.S. critical infrastructure, including the implications of reliance on state-owned enterprises and suppliers from foreign adversaries. The resilience of the nation’s civilian and military supply chains is a matter of national and homeland security.
It also references Executive Order 14017 on America’s Supply Chains, which initiated the process of rebuilding and revitalizing resilient American supply chains. “DHS established the Supply Chain Resilience Center to lead and coordinate the Department’s effort to assess and mitigate potential supply chain disruptions. DHS will work with SRMAs, other relevant Federal agencies, critical infrastructure owners and operators, and other experts to identify goods, services, or components most vulnerable to supply chain disruption and seek to mitigate the effects of supply chain disruptions for essential systems.”
Technology has advanced to the point that access to space-based services, like the Global Positioning System (GPS) and satellite communications, is taken for granted across critical infrastructure. While these services are efficient and beneficial, dependence on space systems can introduce risk. Russia’s cyberattacks in 2022 against commercial satellite communications networks as part of its invasion of Ukraine illustrate the importance of protecting such infrastructure from malicious adversaries. Space debris also poses a potential risk to critical space systems and assets.
Mayorkas highlighted that while there is no designated space critical infrastructure sector, the National Space Policy and the United States Space Priorities Framework articulate the U.S. government’s responsibility for protecting and securing space-related systems and assets. “SRMAs and critical infrastructure partners should prioritize assessing their reliance on space systems and assets and the potential cascading impacts on their sector if disruptions were to occur. DHS, in coordination with SRMAs and relevant private sector partners, will expand efforts of the Space Systems Critical Infrastructure Working Group to prioritize and mitigate space-related risks to critical infrastructure,” it added.
As the National Coordinator for the security and resilience of critical infrastructure, the CISA director will, on the Secretary’s behalf, drive efforts by SRMAs, other federal departments and agencies, owners and operators, and others in the critical infrastructure community to address these priority risks and adopt priority risk mitigation activities, including through the Federal Senior Leadership Council and the appropriate SCCs and GCCs.
The priorities outlined by Mayorkas in the DHS document will be incorporated into the National Infrastructure Risk Management Plan, replacing the 2013 National Infrastructure Protection Plan. These priorities will be specifically included in each sector-specific risk assessment and integrated into all sector-specific risk management plans. Additional guidance on the content and format for the sector-specific risk assessments and sector-specific risk management plans will be provided by the National Coordinator under separate cover.
“Under NSM-22, building secure and resilient critical infrastructure is a shared responsibility,” Mayorkas said in the document. “I invite all SRMAs, other Federal and SLTT entities, and private sector partners to join in this concerted effort managing prioritized risks and mitigations to effectively protect our critical infrastructure and national security.”
Earlier this week, the DHS announced that it is advancing maritime cybersecurity in the Indo-Pacific through collaboration with the Indonesian Government, supported by programs from the U.S. Department of State’s Bureau of International Narcotics and Law Enforcement Affairs and the U.S. Department of Defense’s Defense Threat Reduction Agency. The agreement, which builds on the two countries’ Comprehensive Strategic Partnership, aims to strengthen cybersecurity defenses and protect maritime critical infrastructure from cyber threats and attacks, and to enhance the security and resilience of the international maritime transportation system.