Protecting America’s Critical Infrastructure: Who is ultimately responsible?

Port Bureau News, Newest Edition

One of the most pressing questions facing our nation is this: who is truly responsible for protecting America’s critical infrastructure? Is it the government’s job alone? Should the private sector carry the weight? Or is the answer found in a dynamic, symbiotic partnership between the two?

Let’s explore how our current infrastructure protection model was born from the aftermath of 9/11, how it has evolved over the past two decades, and where it must go to address the fast-moving, multidimensional threats that now confront our most essential systems. This issue is especially relevant to senior leaders in energy, maritime, and chemical industries—sectors that sit at the core of national resilience and economic security.

Since the tragic events of September 11, 2001, the U.S. government and private sector have invested billions of dollars to enhance the security of our nation and the critical infrastructure supporting the American way of life. One of the government's first steps was the creation of the Department of Homeland Security (“DHS”) through the Homeland Security Act of 2002. This law consolidated 22 federal agencies into a single cabinet-level department, marking the largest U.S. government reorganization since the establishment of the Department of Defense in 1947.

Over the years, numerous policies and presidential directives have aimed to improve both internal coordination among federal agencies and external collaboration with the private sector. Among the most significant was Presidential Policy Directive 21 (“PPD-21”), issued by President Obama in 2013. PPD-21 was designed to strengthen the security and resilience of the United States' critical infrastructure against all hazards—whether physical, cyber, natural, or man-made.

PPD-21 had several key goals: advancing a national unity of effort in protecting infrastructure, clarifying roles and responsibilities across DHS, Sector-Specific Agencies, and the private sector, improving information sharing to enhance situational awareness and threat response, and promoting resilience—not just protection. It was a modernized approach, aiming to ensure infrastructure could withstand, adapt to, and quickly recover from disruptions, while bridging the gap between cyber and physical risk management.

Fast forward to 2024: President Biden issued National Security Memorandum 22 (“NSM-22”), replacing PPD-21. NSM-22 builds upon the foundation of its predecessor but goes further in several key areas. First, it designates DHS to lead a whole-of-government effort to secure critical infrastructure, with the Cybersecurity and Infrastructure Security Agency (“CISA”) serving as the National Coordinator for Security and Resilience. Second, it emphasizes enforceable minimum security and resilience standards across all sectors. Third, it tasks DHS with producing a National Risk Management Plan every two years. Fourth, it directs CISA to maintain a confidential list of systemically important critical infrastructure entities. And fifth, it mandates improved collaboration between the Intelligence Community and infrastructure stakeholders to ensure timely, actionable information sharing.

Since their inception, DHS and CISA have significantly improved interagency coordination and information sharing to maintain situational awareness across a wide spectrum of threats. However, questions remain about how effectively these agencies have integrated the private sector into the national effort to protect critical infrastructure.

Despite the lack of a definitive study, it is widely cited that approximately 85% of the nation's critical infrastructure is owned and operated by the private sector. For C-suite leaders in oil and gas, maritime, and chemical sectors—industries that form the backbone of national critical functions—this statistic underscores a hard truth: you are on the front lines. Yet, too often, the information flow from government to industry is inconsistent or delayed. One-way communication, primarily from industry to government, remains the norm. That model is outdated.

DHS and CISA have made undeniable progress. CISA, in particular, has improved the speed at which it declassifies and distributes cyberthreat intelligence, including Indicators of Compromise—sometimes within days of their discovery. But in today’s fast-moving threat environment, that’s not enough. What we need is a real-time, bidirectional, operationalized flow of information that allows companies to respond with precision and speed.

This leads to core strategic questions: Who is responsible for protecting our critical infrastructure? If the burden lies solely with the federal government, then the current approach may be justifiable. But if your sector—which owns and operates the bulk of these assets—shares that responsibility, then being kept out of the real-time loop until a threat is imminent is unacceptable. This model must evolve.

With over 23 years of experience working in government and alongside critical infrastructure partners, I can say with certainty: infrastructure protection is a shared responsibility. But that begs the question—how should that responsibility be executed, and who pays for it? Industry already contributes via structures like Information Sharing and Analysis Centers, which are critical, but not universally accessible. Many smaller firms or underfunded facilities see these as "pay-to-play" and are left out of the broader resilience conversation.

In sectors where the consequences of disruption could be catastrophic, this presents an urgent call to rethink how public-private partnerships work. It’s time to re-imagine engagement, ensure equitable access to threat intelligence, and establish a true operational partnership between government and industry.

In conclusion, critical infrastructure is more secure and resilient today than it was before 9/11. However, our adversaries have evolved, so we must evolve faster. The 9/11 Commission warned us: “We believe the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities, and management. The most important failure was one of imagination.”

Let’s not fail again. Let’s innovate boldly. Let’s out-think, out-prepare, and outpace the threats. Let’s flip the script—before someone else writes the ending for us.


About the Author

Julio R. Gonzalez

Founder & CEO
Sentinel Resilience Group
julio@sentinelrg.com


This article marks the first in a three-part series focused on one of the most pressing questions facing our nation.