U.S. critical infrastructure is under threat, yet for most policymakers it is not the urgent focus that it should be.
The divide between desire and action is pronounced in the Biden administration’s budget proposal for fiscal 2025. The April 2024 release of White House National Security Memorandum 22 (NSM 22) on critical infrastructure security is the first major doctrine on the subject since 2013. The memo does an excellent job of affirming the country’s commitment to security, but in the $7.3 trillion federal budget proposal for the coming year policymakers have largely sidelined critical infrastructure security.
NSM 22 solidifies the role of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as the national coordinator in securing infrastructure. The memo additionally notes the many other federal agencies that occasionally delve into infrastructure security, granting them “shared responsibility,” as they are often involved in incident response and recovery. However, CISA’s singular mission calls for it to be more than a coordinator and closer to a leader, and the CISA budget figures for 2025 ought to reflect that need.
How the CISA budget breaks down
CISA is divided into six individual divisions with separate infrastructure-related missions, such as the Cybersecurity Division and the Infrastructure Security Division. Examining CISA’s proposed 2025 budget, the Cybersecurity Division alone accounts for more than half the Agency’s funding at about $1.7 billion.
The other half is divided among the other five divisions: $254 million for integrated operations, $187 million for infrastructure security, $139 million for risk management, $130 million for emergency communications and $98 million for stakeholder engagement. The budget also includes an additional $115 million for the cyber incident reporting program. While the tally related to securing infrastructure for CISA is certainly considerable, it is dwarfed by the Department of Defense’s proposed $849.8 billion budget.
Across the three categories of hazards (natural, accidental and deliberate), the risk is considerable and widespread.
Natural disasters have become all too common, and their impacts are outpacing our ability to withstand them. August 2023 brought wildfires to the island of Maui, resulting in over 2,000 destroyed acres, recovery costs surpassing $5 billion and long-term displacement of thousands.
The U.S. military is often impacted by natural disasters. In 2024, a military base in the Marshall Islands was devastated by waves so strong most personnel had to be evacuated. Those who were not evacuated suffered minor injuries, and the facilities sustained widespread damage. This incident is reminiscent of Hurricane Michael in 2020, which devastated Florida’s Tyndall Air Force Base, damaging 95 percent of its physical infrastructure and costing $5 billion in aircraft repairs.
Among accidental impacts, the U.S. is still enduring the effects of the collapse in March of the Baltimore Francis Scott Key Bridge, which may cost upwards of $2 billion and 18 months of recovery time. The immediate response called for a U.S. Coast Guard command center and the Army Corps of Engineers. Lost revenue from diverted shipping delays could tally over $6 billion per month.
Deliberate hazards are just as deadly.
The Yemeni Houthi militia, with its attacks on global shipping in the Red Sea, is causing serious supply chain disruptions, despite U.S.-led counterstrikes. The Houthis’ attacks have impacted global shipping “enough to force factory shutdowns particularly in the automotive sector” while disrupting nearly $1 trillion in annual merchandise, according to a recent World Economic Forum report.
The Houthi terrorists have also destroyed Red Sea-based undersea telecommunications cables. The terrorists cut three such cables in March, disrupting 25% of the internet traffic of that region.
Hackers are continually exploiting U.S. cyber vulnerabilities. In April 2024, hackers allegedly aligned with Russia broke into the network controlling a water facility in Muleshoe, Texas. The hackers managed to cause an overflow for over 30 minutes before the facility operator could shut it down. While the damage may have been minor, the implication for domestic water systems is concerning.
The National Oceanic and Atmospheric Administration (NOAA) is predicting that the 2024 hurricane season will be above average, with as many as 25 named storms across the U.S. Atlantic basin. NOAA is also predicting that this summer will be among the hottest, meaning a higher likelihood of wildfires, as well as increased stress on the energy sector causing multiple power outages.
Pointing all this out is not meant to advocate that government throw money at the problem, but rather to highlight that these threats are growing and that the challenge to monitor and control them is not getting easier.
NSM 22 sets the stage to correct some of the gaps, but there is a long way to go. A good first step is for the Biden administration and Congress to empower CISA clearly and definitively as the federal government’s lead on cyber security and infrastructure security and to fund it appropriately.