Background Press Call on the National Security Memorandum on Critical Infrastructure

Via Teleconference

MODERATOR: Thank you. And thank you, everyone, for joining today's call this afternoon to preview the upcoming National Security Memorandum on Critical Infrastructure. On today's call, we have Caitlin Durkovich, Deputy Assistant to the President and Deputy Homeland Security Advisor for Resilience and Response and Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency.

Just a few remarks at the top. Opening remarks from our two speakers here will be on the record. The following Q&A portion of the call will be on background and speakers will then be attributed at "senior administration officials." The call will also be held under embargo until 10:00 a.m. Eastern tomorrow morning. And by participating in today's call, you are agreeing to these ground rules.

I will now turn the call over to Caitlin to kick us off.

MS. DURKOVICH: Thank you very much, Michael. And good afternoon, everyone.

Tomorrow, President Biden will sign a national security memorandum or NSM to enhance the security and resilience of U.S. critical infrastructure from the rapidly evolving threat environment.

This is part of what we refer to as our all-hazards approach to the resilience of the nation. This new policy will replace a decade-old presidential policy document on critical infrastructure protection that was issued during the Obama administration and launch a whole-of-government effort to protect U.S. critical infrastructure against all current and future hazards, including climate change and threats from nation-state actors.

As background, the effort to draft this new policy began over a year ago and the process has included significant input from the private sector; our state, local, Tribal, and territorial partners; and other stakeholders and critical infrastructure experts from across the country.

The NSM takes several important new actions. First, it empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure with the Cybersecurity and Infrastructure Security Agency acting as the national coordinator for the security and resilience of U.S. critical infrastructure.

As part of this new responsibility, the Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risks to the nation's critical infrastructure.

Second, it directs the U.S. intelligence community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce, and share intelligence and information with the owners and operators of critical infrastructure. The NSM recognizes private sector owners and operators of critical infrastructure are often our first line of defense against adversaries who target the nation's most critical assets and systems.

Third, it reaffirms the designation of 16 critical infrastructure sectors and specifies which federal departments or agencies are responsible for managing risks within each of those sectors.

Fourth, it elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment. It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends.

The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on U.S. water systems by our adversaries, and the frequent and repeated testimony of the FBI Director and other senior administration officials who have sounded the alarm about the ways our critical infrastructure is being targeted by our adversaries.

I'm joined on the call today by [senior administration official], who -- in addition to being an essential partner in drafting the policy, along with Director Easterly and her team -- can answer more questions about these cyberattacks.

Let me conclude by underscoring that America faces an era of strategic competition where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by non-state actors.

In the event of crisis or conflict, we know that America's adversaries may attempt to compromise our critical infrastructure to undermine the will of the American public and impede the projection of U.S. military power abroad. Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security.

And with that, I have the pleasure of turning it over to my colleague, Director Easterly, to talk more about the role of the Cybersecurity and Infrastructure Security Agency in this effort.

Jen, over to you.

MS. EASTERLY: Fantastic. Thanks so much, Caitlin. And good afternoon, everybody. I am really pleased to be there -- to be here today. It is a very important moment for our nation's critical infrastructure.

As Caitlin alluded to, the threat environment has changed significantly since PPD-21 was issued in 2013, shifting from counterterrorism to strategic competition, advances in technology like artificial intelligence, and malicious cyber activity from nation-state actors.

And in addition, since that period of time in 2013, the USG has significantly invested in critical infrastructure to include the establishment of CISA, the Cybersecurity and Infrastructure Security Agency.

So, this NSM really builds on important work that has been happening across the government and, in particular, CISA and agencies, working with industry undertaking a partnership to ensure that we can understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.

For CISA, the NSM means three things. First, CISA's role as national coordinator, which really reinforces what was in the CISA statute of 2018. And this responsibility requires CISA to coordinate that national effort to secure and protect critical infrastructure by coordinating with the sector risk management agencies with relevant departments and agencies, the private sector, state and local partners to reduce risk at scale.

And in this role, CISA develops guidance and provides risk assessments, cross-sector risk analysis, information sharing, and capacity building for government partners and for critical infrastructure owners and operators across the nation.

Second, CISA serves as an SRMA itself, providing institutional knowledge and specialized expertise for the eight critical infrastructure sectors and one subsector -- and that includes chemical, commercial facilities, critical manufacturing, emergency services, information technology, communication, dams, nuclear, and then, of course, the election subsector. And in this role, we support sector risk management, assess sector risk, and we share information on physical and cyber threats.

Finally, CISA will continue to support the work of our partners across the USG by leveraging existing relationships and processes and networks to share critical information and guidance and then provide additional guidance and resources to aid sector risk management agencies in the execution of the roles and responsibilities in the new NSM.

And I'll say the good news is that the work that is being directed in the NSM is underway. We've already reestablished the Federal Senior Leadership Council, known as the FSLC, and made impressive strides through robust collaborations across the interagency.

And so, that is a heavy lift, but work is already being done to define, modernize, and protect our critical infrastructure sectors.

In addition, as part of our role as national coordinator, we've already provided guidance and templates to sector risk management agencies to use in creating sector risk assessments and sector-specific risk management plans. And these are a resource for SRMAs to meet the requirements laid out in the NSM.

And then, finally, in our role as national coordinator, we've began the work to establish systemically important entities -- that critical infrastructure, which is prioritized based on the potential for disruption or malfunction to cause nationally significant and cascading negative impacts to national security and economic security or public health and safety. That SIE list will inform prioritization of federal activities, including risk mitigation efforts and other operational resources to non-federal entities.

So, we are very excited to see this NSM hit the street. And we look forward to our role as the national coordinator for critical infrastructure resilience and security and emphasizing that in all the work that we do.

Thank you.

MODERATOR: Thank you, Director Easterly.

We will now move on to the Q&A portion. As a reminder, this portion of the call will be on background and attributed to "senior administration officials."

We also have two other speakers on the line for this portion, [senior administration official] and [senior administration official].

And again, everyone will be attributed as "senior administration official."

Moderator [Operator], I think we're ready to open it up for Q&A. And then I'll just ask if you could just go to the first questioner when -- when they ask their question. Thank you.

Q: Hey. Thank you all for holding this.

I just wanted to clarify. You said this reaffirms the current 16 critical infrastructure sectors. Does that mean that the status quo -- like, that no new infrastructure sectors were added? And if so, did -- in crafting this, were there deliberations or considerations to add new critical infrastructure sectors, like space?

Thank you.

SENIOR ADMINISTRATION OFFICIAL: David, it's [senior administration official]. Thank you very much for that question. And I'll take the first part of it, which is: Yes, it, again, reaffirms the 16 critical infrastructure sectors. There are no changes.

I'm going to turn it over to [senior administration official] to let her kind of talk about the process that was undertaken to do the evaluation and to make the recommendations that the current structure remain the same.

So, [senior administration official].

SENIOR ADMINISTRATION OFFICIAL: Yeah, absolutely.

Some will remember that in the FY 2021 NDAA, Congress essentially asked us to establish a process to regularly review and modify critical infrastructure, the sector structure at least every five years.

And we undertook that process through and produced a report: the 9002(b) Report. And then, based on the findings in that report, we worked with the Federal Senior Leadership Council to look at and revalidate both the sectors themselves, as well as the Sector Risk Management Agency.

And so, over a period of about the last year, we worked extensively and consultatively with all of those sector risk management agencies, and we ended with validating the 16 sectors and the sector risk management agencies.

So, a lot of work went into it, but I think the takeaway is that the processes that had been developed over the past decade to articulate those critical infrastructure sectors were sound processes, and we'll continue to use that Federal Senior Leadership Council as the central coordinating body as we look to implement all the tasks in the national security memorandum.

Q: Hi. I wanted to see if you could elaborate more on (inaudible) entities and how you are addressing the Section 9 entities that were originally in the PPD-21 NSM back in 2013.

SENIOR ADMINISTRATION OFFICIAL: Yeah, I'm happy to take that, [senior administration official], if you like.

So, as you'll see --

SENIOR ADMINISTRATION OFFICIAL: Yeah.

SENIOR ADMINISTRATION OFFICIAL: As you'll see in the NSM, part of our role is to establish the systemically important entities, and I mentioned the specific role. So, we've actually been working on that over the past several years, since the Cyberspace Solarium Commission had written a report on what they called "SICI" -- systemically important critical infrastructure.

So, this will, in effect, replace what were the Section 9 entities. And we were very deliberate about working with the SMRAs to ensure that we were highlighting those entities across all of the sectors that are most critical to national security, economic security, and public health or safety in particular that could cause significant and cascading negative impacts.

So, that list is about -- it's less than 500 entities, but -- and we've been working to and we're finalizing revalidating that with industry as well. And similar to the Section 9 list, we, of course, are not going to make that public.

However, we're working very closely with SRMAs and industry to ensure that those particular entities are -- we're working closely with them to ensure they have the resources necessary to manage risk.

And I think the last thing I'd mentioned is Caitlin highlighted the importance of minimum standards for security. So, we'll be looking at those entities, in particular, with an eye towards the importance of establishing minimum cybersecurity standards.

MODERATOR: I think we're ready to go to the next question.

Q: Thank you. Jason Miller, Federal News Network. Quick question. You mentioned the sharing of information. One of the big challenges has been with critical infrastructure over the years is sharing classified or sensitive but unclassified information because of security clearance challenges. What does the national security memorandum or what are you doing to address that ongoing issue to get enough people with enough information enough security clearances so they can actually act on it or has that been relatively solved over last few years?

SENIOR ADMINISTRATION OFFICIAL: I'm happy to start. And certainly, [senior administration official], please jump in. Thanks for the question, Jason.

So, as you probably know, we run the private sector clearance program for the government, so we work to get private-sector entities their clearances, and we have a pretty robust process to ensure that, if necessary, we can get private-sector partners cleared in.

I would say a couple of things, however. Kudos to the intelligence community. And we saw this around the Russian full-scale invasion of Ukraine. A lot of the information that critical infrastructure owners and operators needed to understand the threat and to take urgent action to improve the security and resilience of their infrastructure from potential retaliatory attacks by the Russian government, some of that information was helpfully declassified, which I know that the IC is looking to make sure that if the information can be safely declassified, then it is.

I would also say that during that same period of time, and we have replicated that model with the serious threats from Chinese cyber actors known as Volt Typhoon, we have held extensive briefings at various levels of classifications with cleared sector personnel to ensure that they are aware that we're aware, in 2022, of the Russian threat and are aware now of the serious Chinese threats to our critical infrastructure, specifically pre-positioning to disrupt or destroy critical infrastructure in the event of a major crisis.

So, I think this administration has made significant strides both in clearing people in, in declassifying information as necessary, and then also in providing classified briefings to ensure that critical infrastructure owners and operators are prepared for the full range of (inaudible) threats.

SENIOR ADMINISTRATION OFFICIAL: This is [senior administration official].

OPERATOR: Next we'll --

SENIOR ADMINISTRATION OFFICIAL: Thank you.

OPERATOR: Pardon me.

SENIOR ADMINISTRATION OFFICIAL: I would just add that specifically in the NSM, there are some tasks to the ODNI specifically, that it works with the entire intelligence community to provide the President with an intelligence assessment on critical infrastructure within 180 days. And, of course, that -- we will work to share that with the owner and operator community, but also to provide the President with a report on information in an intelligence sharing.

And as part of that, ODNI is to work with CISA and the sector risk management agencies to develop a system for streamlining and coordinating outreach to and engagement with the owners and operators of infrastructure by developing policy, procedure, and guidance on these topics.

And I think as [senior administration official] alluded to, we have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration that, as we work to develop those policies and procedures, will be accounted for really, again, with the goal of making sure that those that are managing the risk to critical infrastructure and are on the frontlines have the intelligence and the information that they need to know to make investments, to invest in mitigation actions so we can adequately ensure the security and the resilience of these critical assets and systems.

Q: Hi. Thank you for doing this. Can you just describe a bit more exactly what is changing for CISA? It did sound like some of those things that CISA is already doing. Is this just kind of like reaffirming like as a national coordinator, SRMA, the eight sectors, and the system of important critical -- SIE actually, not -- not (inaudible).

And additionally, can you also -- are you calling for new standards? Or is there like -- is this another call for new standards or is this like a move to actually set, you know, standards across the line for critical infrastructure? Can you go over that as well, please? Thank you.

SENIOR ADMINISTRATION OFFICIAL: Yeah, I'll take the first one and then I'll turn it to [senior administration official] to talk about what the NSM calls for. And, Christian, as you know, the statute that established CISA in 2018 tasked us to manage -- to lead a national effort to secure critical infrastructure, but the presidential policy directive that was created in 2013 didn't mention anything about CISA's role because we weren't created yet.

So, in some sense, this does reinforce our statutory role, but extremely important that it lays out in presidential policy the specific roles that we have as both a national coordinator in terms of managing cross-sector risk to those 16 sectors, CISA's role as an SRMA, and then what we will -- the mechanisms that we will use -- for example, the FSLC, which was reinvigorated about a year and a half ago as a coordinating body to allow us to better manage risk across the various critical infrastructure sectors through the sector risk management agencies.

So, I think this helps to reinforce the statutory role we have. It reinforces the authorities that we have and, I think, really puts a spotlight on the fact that as critical infrastructure has evolved -- given the highly interdependent, highly connected, highly digitized, and, frankly, highly vulnerable nature of the critical infrastructure that Americans rely on every hour of every day -- having a coordinating element to really manage that cross-sector risk and drive down that cross-sector risk, I think it's incredibly important to the security of the nation.

I'll turn it to [senior administration official].

SENIOR ADMINISTRATION OFFICIAL: Thanks, [senior administration official]. And -- again, and I think underscoring the importance of CISA as the national coordinator for critical infrastructure security and resilience, it also underscores that SRMAs will serve as the day-to-day federal interface for their designated critical infrastructure sector and conduct that sector-specific risk management and resilience activity.

And, of course, as you mentioned, CISA is the SRMA (inaudible) sectors, but distinguishing CISA's role as national coordinator and then as the sector risk management agency for eight sectors.

Related to your question about new regulation. At the end of the day, the NSM is directing the Sector Risk Management Agencies to assess whether current and existing minimum requirements sufficiently address the vulnerabilities in their sectors.

These requirements are going to be developed or need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability.

If an SRMA feels that it does not have the tools or authorities necessary to ensure effective implementation of those requirements, we have built in a process to help the SRMA be able to hold the sector accountable and, if need be, develop those minimum requirements.

Q: Thank you. Very helpful. Appreciate it.

Q: So, I do have a question about the 9002(b) Report. And one thing that it said was that there was, quote, "an opportunity to designate a space sector and a bio-economy sector depending on a review process." Unquote.

You talked a little bit about that report, [senior administration official], but I'm wondering if you can expand on why the review process did not end up finding that there was a need for those particular sectors, because they were called out in the report that CISA produced.

SENIOR ADMINISTRATION OFFICIAL: Yeah, absolutely. Thanks for the question. So, we did, in fact, highlight, as you said, in 9002(b) Report. As I mentioned, we had a pretty extensive process where we worked with the various sector risk management agencies to determine whether, in fact, space or bio-economy should become new sectors.

Ultimately, with respect to space, in particular, because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector. We're going to continue to manage space as a sector through a working group that we're a co-chair of. But -- and similarly, with bio-economy, the members of the FSLC did not think it needed to be called out as a separate sector.

However, through the FSLC, if there are significant changes, we will take a look to see if a formal designation as a sector or as a subsector makes sense going forward. And we won't need to wait for that statutory five years to make that assessment if there's a need or requirement. Just given what's happening across the landscape, we can make that judgment earlier.

MODERATOR: All right. Thank you so much. I'm just going to turn it quickly over to [senior administration official] for some closing remarks here.

SENIOR ADMINISTRATION OFFICIAL: Again, thank you. First of all, [senior administration official], thank you for joining us. Thank you for your partnership. And thank all of those who have joined us today to learn more about the policy.

This is a very important milestone for this administration. Again, it is the culmination of over a year of work, both convening the interagency and those federal agencies that are responsible for working with the private sector to help manage risks but others in academia and across the critical infrastructure sector.

Given the dynamic and complex risk environment, I very much feel that this policy prepares us for the next decade -- what the President calls a decisive decade -- and what lies out on the horizon and the acknowledgment that both more must be done to protect assets and that works with sectors but equally important look across sectors and work to understand those dependencies and interdependencies where there might be vulnerabilities and to shore up those vulnerabilities.

So, this is a very exciting moment. As somebody who worked on PPD 21, to have an opportunity to work on the evolution of that policy and to be able to have the President sign out what you will see tomorrow is very exciting.

So, thank you all. And we'll follow up as needed.

MODERATOR: Great. Thank you, [senior administration official]. Thank you, [senior administration official]. And thank you all for joining us today. (Inaudible) follow-up questions, feel free to reach out to myself and the NSC press team, and we will get back to you. Thank you very much.

SENIOR ADMINISTRATION OFFICIAL: Thanks so much.