In the complex landscape of national cybersecurity, the protection of critical infrastructure stands as a paramount concern. With Kristi Noem’s confirmation as the Secretary of the Department of Homeland Security (DHS) in President Donald Trump’s second term, there is a renewed focus on how cybersecurity policies, particularly those concerning critical infrastructure, might evolve. Noem’s approach, informed by her tenure as South Dakota’s Governor and her views expressed during her Senate confirmation hearings, suggests a redirection towards a more streamlined, mission-focused strategy for the Cybersecurity and Infrastructure Security Agency (CISA), which is housed within DHS.
CISA’s Role in Critical Infrastructure Protection
CISA was established to safeguard the nation’s critical infrastructure against cyber threats, a role it has been fulfilling since its inception in 2018. Critical infrastructure includes sectors like energy, finance, transportation, healthcare, and government facilities, all of which are increasingly reliant on digital systems. Noem’s vision for CISA involves refocusing its efforts to ensure that it primarily deals with cybersecurity threats rather than broader issues like misinformation, which she has argued diverts resources from its core mission.
This refocusing could mean several things for the protection of critical infrastructure:
- Enhanced Technical Support: Noem has advocated for CISA to provide more robust technical expertise to federal agencies, state governments, and private companies. This could involve direct consulting, cybersecurity assessments, and the provision of tools tailored to protect critical infrastructure from cyber threats.
- Coordinated Cyber Policy: Under her leadership, there could be a stronger emphasis on disseminating actionable threat intelligence and best practices. This would aim to create a unified front across different sectors to preempt cyberattacks before they disrupt essential services.
- Public-Private Synergy: Noem has highlighted the importance of leveraging private-public partnerships, suggesting that CISA should work more closely with industry leaders to fortify defenses. Given the private sector’s significant role in managing much of the nation’s critical infrastructure, this collaboration could lead to more dynamic and responsive cybersecurity strategies.
Kevin Gallagher, President of Panurgy IT Solutions, has emphasized the critical nature of such partnerships: “Cloud backup has protections that mitigate risks like that — and more so today than five years ago. It’s important to have a backup in order to do that. If you get breached, you want to do away with whatever was a result of that attack and get back to business.”
CMMC Compliance and Critical Infrastructure
One of the pivotal aspects of cybersecurity in the defense sector, which can be extrapolated to broader critical infrastructure protection, is the Cybersecurity Maturity Model Certification (CMMC). Although initially developed for Department of Defense (DoD) contractors, CMMC’s principles of cybersecurity hygiene and maturity can serve as a model for protecting other types of critical infrastructure:
- CMMC as a Benchmark: CMMC establishes a tiered approach to cybersecurity compliance, which could be adapted for other sectors. Noem might push for similar frameworks where critical infrastructure providers must demonstrate cybersecurity maturity at different levels based on their role and the sensitivity of the data they handle.
- Pathfinder Assessment by DHS: Before Noem’s appointment, DHS had already started looking into a compliance regime similar to CMMC for its contractors. With Noem at the helm, this initiative might be accelerated, ensuring that all DHS-related critical infrastructure, from border security to national emergency response teams, adheres to stringent cybersecurity standards.
- Integration into DHS Policy: The integration of CMMC-like compliance into broader DHS policies could mean that cybersecurity prerequisites become a standard part of contracting and operations within sectors like transportation security or emergency management, where cyber-resilience is crucial.
Challenges and Considerations
While Noem’s approach sounds promising, several challenges and considerations must be addressed:
- Balancing Security with Accessibility: Ensuring that cybersecurity measures do not overly restrict access to critical services or hamper emergency responses is a delicate balance. Overly stringent policies might lead to operational inefficiencies or even public backlash if perceived as overreaching.
- Resource Allocation: Shifting CISA’s focus back to core cybersecurity duties will require careful management of resources. There’s a risk that in trying to be “more effective, smaller, and more nimble,” as Noem suggested during her hearing, CISA might lose capacity for comprehensive threat analysis or response readiness.
- Interagency Coordination: Protecting critical infrastructure isn’t solely a CISA task; it involves coordination with other agencies like the FBI, CIA, and NSA. Noem’s strategy must ensure seamless integration and information sharing to prevent any gaps in the national defense against cyber threats.
- Private Sector Buy-In: While private-public partnerships are crucial, ensuring that private entities are willing to invest in the security measures required by new standards or frameworks akin to CMMC could be challenging. The cost of compliance might deter smaller organizations, potentially leaving vulnerabilities in the infrastructure chain.
Looking Forward
Noem’s leadership at DHS could mark a significant shift in how the U.S. approaches the cybersecurity of its critical infrastructure. By potentially adopting or adapting frameworks like CMMC, she aims for a scenario where every component of the nation’s critical services is not just reactive but also proactively secure against cyber threats. This involves not only policy changes but also cultural shifts within organizations to prioritize cybersecurity at every level of operation.
However, the success of these initiatives will hinge on several factors:
- Legislative Support: Any significant change in policy direction will require Congressional backing, especially concerning budgetary allocations and legal mandates for compliance.
- Industry Engagement: Continuous dialogue with industries to tailor cybersecurity requirements that are both effective and feasible will be vital.
- Education and Awareness: Increasing public and sector-specific awareness about cybersecurity’s importance in maintaining national resilience against cyber threats.
- Adaptive Strategies: Given the ever-evolving nature of cyber threats, strategies must remain adaptive, with mechanisms for regular review and update of security standards.
In conclusion, Kristi Noem’s approach to protecting critical infrastructure through a more focused CISA and possibly through CMMC-like compliance models represents a strategic pivot towards a more secure national cybersecurity posture. However, the execution of these plans will demand a nuanced understanding of both the technological landscape and the socio-political environment in which these policies will be implemented.
