Responsibility for critical infrastructure security shifts

Precisely who is responsible for securing critical infrastructure is about to shift following the signing of an executive order by President Trump.

The order directs Assistant to the President for National Security Affairs (APNSA), a position now held by Michael Waltz, to review how to shift more responsibility for securing critical infrastructure to the state and local governments as part of a formal National Resilience Strategy that will be defined within 90 days of the signing of the executive order on March 19th.

Within 180 days of the signing on the order, the APNSA, in coordination with the Director of the Office of Science and Technology Policy and other heads of relevant agencies, is also directed to review all critical infrastructure policies and recommend any revisions, recissions, and replacements needed to achieve a more resilient posture. At the core of that transition is a shift toward a more “risk-informed approach versus what the president described as the current “all hazards: approach. Specifically, the order excludes any current policies relating to purported “misinformation,” “disinformation,” or “malinformation” or so-called “cognitive infrastructure.” That latter phrase includes artificial intelligence (AI) in keeping with previous orders to accelerate adoption of these technologies by reducing regulations.

Within 240 days of the date of the executive order, the APNSA, in coordination with the heads of relevant agencies are also directed to review all national preparedness and response policies and recommend the revisions, recissions, and replacements necessary to reformulate the process and metrics for Federal responsibility as part of the effort to move away from the current all-hazards approach.

Finally, within 240 days of the signing of the executive order, the APNSA, in coordination with the Director of the Office of Management and Budget and the heads of relevant agencies, is directed to coordinate the development of a National Risk Register to identify, articulate, and quantify risks to the U.S. national infrastructure, related systems, and their users.

In effect, the Trump administration has decided much like many organizations already have, to prioritize some cybersecurity risks over others. There is, of course, still plenty of vigorous debate over not just what constitutes a threat to critical infrastructure but also what infrastructure might actually qualify to be considered critical. The one thing that is certain is that a massive amount of change is about to be implemented in a relatively short amount of time. The probability adversaries during that time will launch cyberattacks designed to, for example, cripple critical infrastructure located in cities and towns that have limited financial resources has never been greater.

Organizations, therefore, should plan accordingly. While a cyberattack might be launched directly at an organization, the so-called blast radius of a cyberattack aimed at, for example, power lines, water systems or a gas pipeline could impact everyone in a region for weeks on end. Organizations of all sizes would therefore be well-advised to review their disaster recovery plans accordingly. After all, given how dependent organizations are on a vast array of interconnected systems, most of the playbooks that organizations may have previously created were never designed to cope with a cyberattack against critical infrastructure that most local governments may never be really prepared to handle.