
Security news and analysis brought to you by the McCrary Institute


Examining critical infrastructure definitions and priorities

(Image by grunzibaer from Pixabay)

By Bob Kolasky

At a time when bipartisanship is in short supply, cyber strategy remains an area of general agreement across party lines. This strategy includes building more robust cyber defenses, establishing mechanisms for the private sector to collaborate with the government, and prioritizing cyber vulnerabilities that, if exploited, would have cascading impacts on critical functions of society. Those aims come together in a call to prioritize protecting critical infrastructure from cyber attacks as one of the principal aims of cyber defense.

One of the common pillars across multiple National Cybersecurity Strategies, signed by presidents from both parties, is that we must defend critical infrastructure and strive to make attacking it off-limits to our adversaries. The 2024 Republican Party Platform, which has seemingly served as a roadmap for the early days of the Trump administration, asserted that “Republicans will use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors. This will be a National Priority, and we will both raise the Security Standards for our Critical Systems and Networks and defend them against bad actors.”

That was a more direct articulation – or at least used more capital letters – of the first pillar of the most recent National Cybersecurity Strategy, published in March 2023 by the Biden administration, which was to “defend critical infrastructure.” The Biden strategy followed on from the first Trump National Security Strategy in 2017, which emphasized the importance of secure and resilient critical infrastructure in the “Cyber Era.” A reading of previous strategies, as well as recommendations from “blue-ribbon” commissions and think-tank papers, including work we have done at the McCrary Institute and the Cyberspace Solarium Commission, would identify similar language.

The point is clear: critical infrastructure must be amongst the top national priorities for cybersecurity. Yet, amidst those calls for focus and prioritization, an inconvenient truth exists: there is no consistent and well-understood view of which businesses, systems, and assets constitute critical infrastructure, or of how broadly the term should be applied. Moreover, it is easy to see that in the last thirty years, the United States has broadened the use of that term, diminishing the ability to prioritize effectively. This fundamentally weakens the strategic value of the very idea of deeming anything “critical infrastructure.”

The statutory definition of critical infrastructure is “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” From that definition, policy documents have typically defined critical infrastructure as systems, assets, and networks within a sector structure. While that has had the useful effect of providing general parameters, it does not function effectively in narrowing what is critical and what is not. For example, Education is considered a critical infrastructure subsector. Does that make every school critical infrastructure? What about the Commercial Facilities sector, where there are hundreds of thousands of buildings to which the term could apply? How do you define critical infrastructure in the context of an IT sector with tens of thousands of hardware and software providers that could be considered critical?