President Biden is directing U.S. spy agencies to more proactively share intelligence with the private companies handling critical American infrastructure, to guard against risks from foreign adversaries like China and Russia, or criminal groups and hackers.
The new directive is part of a national security memorandum on Critical Infrastructure Security and Resilience that Biden issued on Tuesday. The memo serves to update guidance first introduced in 2013 during the Obama administration, identifying new security procedures for 16 critical infrastructure sectors to guard against natural disasters and man-made threats.
“The policy is particularly relevant today, given continued disruptive ransomware attacks, cyber-attacks on US water systems by our adversaries and their frequent and repeated testimony of the FBI director and other senior administration officials who have sounded the alarm about the ways our critical infrastructure is being targeted by our adversaries,” Caitlin Durkovich, Biden’s deputy Homeland Security Advisor for Resilience and Response, said in a call with reporters previewing the memo.
The Biden administration, drawing on lessons from its warning about Russia’s full-scale invasion of Ukraine, said they are tasking intelligence agencies to lean into declassifying information to share with the private sector, or share information with private companies with the proper clearance, to better guard against security threats.
“I know that the IC [intelligence community] is looking to make sure that if the information can be safely declassified, then it is,” said Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency.
Easterly said that the IC declassified potential retaliatory attacks by the Russian government to share with critical infrastructure owners and operators leading up to Russia’s full-scale invasion of Ukraine in Feb. 2022.
She said that work is becoming more urgent with “serious” threats from the People’s Republic of China. The Biden administration warned in February that Chinese cyber actors are pre-positioning themselves in U.S. critical infrastructure to launch potential cyber attacks, in an operation named Volt Typhoon.
“We have held extensive briefings at various levels of classifications with cleared sector personnel to ensure that they are aware, that we’re aware — in 2022 of the Russian threat — and are aware now of the serious Chinese threats to our critical infrastructure,” Easterly said.
“Specifically pre-positioning to disrupt or destroy critical infrastructure in the event of a major crisis.”
The memo also tasks the Department of Homeland Security with overarching responsibility for coordination among the different federal agencies, directing DHS to submit to the president a biennial “national risk management plan” summarizing the work on mitigating risks to the nation’s critical infrastructure.
Also, the memo seeks to codify and require minimum security and resilience requirements for critical infrastructure entities that earlier were only voluntary.
“Voluntary approaches to enhance critical infrastructure security and resilience have meaningfully mitigated risk over the past decade, but more must be done to ensure the Nation’s critical infrastructure is secure and resilient against all threats and hazards,” the memo reads.
“The Federal Government must focus on increasing the adoption of requirements that address sector, national, and cross-sector risks to critical infrastructure.”
The memo also reaffirms the 16 critical infrastructure sectors, identifying which government agencies should be liaising with which sectors.
“This is part of what we refer to as our all hazards approach to the resilience of the nation,” said Durkovich.