A decade-old directive from the White House on public-private collaboration for the protection of critical infrastructure is outdated and incapable of meeting today’s demands, according to a June 6 report by the Cyberspace Solarium Commission 2.0 (CSC 2.0).
CSC 2.0 is a non-profit that succeeded the congressionally chartered Cyberspace Solarium Commission.
The report – entitled Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure – argues for an overhaul of how these partnerships form and which agencies lead risk mitigation efforts.
At a high level, CSC says that the overarching concept underlying the government’s critical infrastructure protection system – balancing regulation, incentivization, and collaboration – remains the best method to coordinate between the public and private sectors. But it suggests numerous changes to government policies to improve the outcome of those efforts.
“The policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands,” the report says. “[There are] flaws in both the design and implementation of public-private collaboration policy,” it says, adding, “these flaws are amplified by discrepancies in the structure, resourcing and capabilities of [Sector Risk Management Agencies] SRMAs.”
The Biden Administration is currently revamping the 2013 Presidential Policy Directive 21 (PPD-21), which identified the 16 critical infrastructure sectors that require more Federal protection from both digital and physical damage.
According to the report, the White House has taken several good steps to strengthen Federal digital security, including issuing multiple executive orders and creating the Office of the National Cyber Director (NCD). Yet, this “incremental approach” has failed to deliver “the necessary improvements to SRMA performance, especially as both physical and cyber threats to the country’s critical infrastructure continue to escalate,” the report states.
The report recommends that as the administration begins its review of PPD-21, it should focus specifically on improving the relationship between the public and private sectors by making the government a better partner to industry and through both voluntary partnerships and regulation, as noted in the new National Cybersecurity Strategy issued by the NCD earlier this year.
The report also flags what it sees as other challenges to the current set-up, including:
- Strategy and policy documents governing critical infrastructure that have become stale;
- Inadequate systems for designating sectors as critical and for mitigating cross-sector risks;
- The inability of the Cybersecurity and Infrastructure Security Agency to fulfill its responsibilities because it does not receive the interagency support necessary to act effectively as the national risk manager; and
- Voluntary security relationships that are not delivering the necessary results.
The report outlines several recommendations the administration should consider as it works to revamp PPD-21, with half focused on the rewrite and the other half on the implementation of the revised document.