Former Acting National Cyber Director (NCD) Kemba Walden said on Thursday that the current sector-by-sector assignment of critical infrastructure areas by U.S. regulators is handicapping the Federal government and hindering nationwide cyber resilience.
The 16 critical infrastructure sectors were identified under the Obama administration in 2013, and the Cybersecurity and Infrastructure Security Agency (CISA) was established under President Trump in 2018 to manage the risks to these sectors.
The 16 critical infrastructure sectors are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, the economy, public health, and safety.
“I think the assignment of critical infrastructure sectors is almost handicapping us, because our digital infrastructure doesn’t operate that way,” Walden – who now serves as president of Paladin Global Institute – said during the Conference on Cyber Regulation and Harmonization co-hosted by Columbia University and New York State on Nov. 14.
“Financial services is dependent upon transportation [which] is dependent upon energy. We don’t have a critical infrastructure assigned for social media companies or for satellite systems,” she said. “It’s almost a hindrance to think of it in terms of sector by sector. I think we have to evolve, and there’s still more work to be done where it is more about the maturity and the resilience of enterprise or of small businesses.”
She added, “All that’s to say is, when you start thinking about it in terms of resilience and the business proposition – that your resilience is going to enhance your business productivity – then that’s where you see a lot of innovation. And I think that’s how we have to continue to evolve.”
Resilience was a key buzzword in the Biden administration’s March 2023 National Cybersecurity Strategy, which Walden helped execute and implement until her departure six months later in November. One main focus of the strategy is the 16 critical infrastructure sectors.
While some of the 16 sectors, such as financial services or oil and natural gas, are subject to cybersecurity regulations, many others are not. The National Cybersecurity Strategy called for implementing new requirements for critical infrastructure, but those efforts have faced difficulties.
During day one of the Conference on Cyber Regulation and Harmonization on Nov. 13, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger called on the Trump administration to continue President Biden’s work of implementing minimum cyber regulations across all critical infrastructure sectors, including establishing a comprehensive minimum cybersecurity requirements framework for critical infrastructure companies.
Walden said that the Federal government and intelligence community have recently been very outspoken about where the nation’s biggest threats are – in China, Russia, North Korea, and Iran. She said that instead, Feds need to be focused on resiliency.
“I would argue that there are other countries outside of those four that we should be concerned about, so we need to focus more on resilience of processes,” she said. “We need to focus more on making sure that … people are able to receive healthcare, for example, that’s important. So, I really see us shifting our thinking, and it’s going to take some time.”
“We have to stop thinking about this as an add-on or as a stop gap, but as something that is actually going to achieve an [return on investment], not just for enterprises and how they operate, but to be able to deliver services to people, to individuals,” Walden said.
“I think when we get there, we are less concerned about the specific nation-state actor and more concerned about when someone tries to attack one of the most powerful countries in the world, how quickly are we going to bounce back? How quickly are we going to figure it out and close our vulnerabilities? I think that’s the more appropriate direction to go,” she said.