President Joe Biden on Tuesday updated a more than decade-old policy to protect U.S. critical infrastructure sectors like energy and financial services from foreign attacks as public officials continue to sound the alarm on Chinese cyberthreats.
Biden’s new policy is largely a rewrite of the Obama administration’s rule to safeguard U.S. critical infrastructure called the Presidential Policy Directive, or PPD-21, which was published in 2013.
The effort to redraft that Obama-era infrastructure policy began over a year ago, in part to modernize it and keep up with hackers who have benefited from over a decade of technological advancement.
“The threat environment has changed significantly since PPD-21 was issued in 2013, shifting from counterterrorism to strategic competition, advances in technology like artificial intelligence and malicious cyberactivity from nation-state actors,” a senior administration official said on a Monday call with reporters.
At its core, Biden’s updated policy lays out which federal agencies are responsible for which duties in the complex network of government agencies with the responsibility to protect U.S. infrastructure.
“The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on U.S. water systems by our adversaries,” a senior administration official said.
FBI Director Christopher Wray has repeatedly warned the public and members of Congress of the imminent threat posed by Chinese hackers targeting the U.S. electrical grid, water plants, transportation systems and more. In January, Wray announced that the FBI had neutralized a Chinese hacking group called “Volt Typhoon” targeting hundreds of home and office routers.
Despite Biden’s attempts to ease U.S.-China relations, tensions between the two superpowers remain in flux, especially given ongoing geopolitical chaos.
The Biden administration has warned China not to help Russia in its invasion of Ukraine, or else the U.S. would be ready to act with sanctions. And as China regularly hints at its intention to reclaim the self-governing island of Taiwan, the U.S. has continued to send Taiwan military aid.
As U.S-China relations seesaw, security officials are on high alert for Chinese cyberattacks.
“We’re aware now of the serious Chinese threat to our critical infrastructure, specifically prepositioning to disrupt or destroy critical infrastructure in the event of a major crisis,” a senior administration official said.
The memo Biden signed on Tuesday directs the Department of Homeland Security to lead the government-wide effort to mitigate such security risks, alongside the Cybersecurity and Infrastructure Security Agency, or CISA. The DHS secretary will produce a biennial report for the president on those risk efforts.
The new policy also instructs U.S. intelligence agencies to declassify relevant information for private sector owners and operators within infrastructure industries like transportation, water and energy that are vulnerable to attacks.
It also aimed to codify CISA’s role in the government security network since the agency was established in 2018, five years after the publication of PPD-21.
“The presidential policy directive that was created in 2013 didn’t mention anything about CISA’s role because we weren’t created yet,” a senior administration official said. “So in some sense, this does reinforce our statutory role, but extremely important that it lays out in presidential policy the specific roles that we have.”