Presidential council recommends launching a Department of Water to confront cyberthreats, climate change
A presidential advisory council is calling for the creation of a Department of Water or an equivalent cabinet-level agency to deal with the looming water crisis and cybersecurity threats that could endanger treatment plants that serve millions of Americans.
The National Infrastructure Advisory Council, a group of 30 executives and leaders from the public and private sector that advises the president on infrastructure risks, approved the draft document that aimed at helping the largely publicly owned water sector.
“The NIAC concludes that successful mitigation of the risks water crises presents requires a coordinated effort among owners, operators, and local, Federal, and state government. The response must be nuanced, timely and intent on delivering results that strengthen the security and resilience of our nation’s critical infrastructure,” the report notes.
The report recommends that the administration create either a Department of Water or a cabinet-level equivalent. The report notes that there are seven executive agencies and three independent federal agencies with water-related oversight, although the number is not exhaustive of all the various federal and state-level agencies with water oversight. Nonetheless, the report calls for a National Water Strategy that would enable some level of coordination between all the interested parties.
“This fragmentation of responsibility at the federal level makes it difficult to ascertain the country’s water needs and strategically prepare the nation for a water-secure future,” the report notes.
The creation of a department would also include creating appropriate budget requirements and priorities needed to increase the resilience of water from physical and cyber threats. Additionally, the report calls for the department to develop a research and development program for cybersecurity among other topics such as new ways to eliminate so-called forever chemicals, or PFAS.
The report comes as the Environmental Protection Agency is in the midst of lawsuits brought on by Republican states against new regulations passed earlier this year. Those regulations require state water utilities to assess cybersecurity defenses through local sanitation inspections. The rule was quickly condemned by trade groups such as the American Water Works Association, which joined the lawsuit.
The NIAC report notes that the lawsuit “further supports the NIAC’s recommendation for a comprehensive water strategy and a Department of Water.”
“The main objection made by those states was that it would be too costly to suppliers who will then need to pass on the cost to consumers. In addition, their objection was a lack of staffing, training, and expertise to evaluate cybersecurity programs. These are precisely the issues the NIAC aims to address in our recommendation,” the report notes.
While the report focuses on water issues generally and not specific to digital threats — such as the catastrophic and ongoing risk of climate change — many of the issues within the industry have similarly adverse impacts on the cybersecurity of the sector. The general lack of resources and an expected overhaul of long-ignored infrastructure maintenance may mean that cybersecurity upgrades may face difficulties in getting funding approved — particularly if such investments also increase rate payments.
“Decades of chronic underfunding and underinvestment have impacted the condition, reliability, and resiliency of the nation’s critical water infrastructure. The great majority of Americans have the benefit of clean, inexpensive water on demand. But most of our water supply infrastructure is at or nearing the end of its design life. Extreme weather events prompt more frequent boil orders due to failure of stressed aged water infrastructure,” the report notes.
For instance, one such major issue is the lack of a strong workforce for the sector. The report notes that utilities are facing trouble finding and retaining workers — particularly in IT fields.
“Water utilities face challenges in recruiting, training, and retaining their workers. About one-third of the current water sector workforce will be eligible to retire in the next ten years. Technologies used in the water sector are becoming more advanced. New water quality regulations such as the limits on forever chemicals and threats such as cybersecurity compromises will require a more specialized workforce,” the report reads.
The report notes the council’s previous findings on cross-sector collaboration to protect critical infrastructure similarly noted that attracting IT talent is difficult when the core mission has little to do with software, particularly when publicly owned critical infrastructure operators can’t compete with private sector salaries. The last report the NIAC released called for mandatory cybersecurity rules for critical infrastructure organizations developed with industry input.
“Without additional investment in technologies routinely employed in other infrastructure and employees, water utilities will be hard pressed to find the skilled employees needed to meet their cybersecurity needs, additionally utilities must protect customer data and maintain secure control of all processes within their systems. This problem is exacerbated for the public sector, which must compete for talent with the private sector,” the report noted.
The water sector is among the most geographically disparate and is made up of more than 150,000 public water systems that largely serve communities of less than 3,300, the report notes. That means that most utilities have little to no available funds to keep up with basic maintenance of those systems — let alone invest in cybersecurity.
Workforce issues are similarly an issue within the broader cybersecurity sector. The Office of the National Cyber Director recently released a workforce and education strategy to address the shortage of some 400,000 unfilled jobs based on estimates from (ISC)², a nonprofit association of certified cyber workers.