“We are massively inconsistent across federal agencies in our performance as sector risk-management agencies, and across the sectors in their willingness to cooperate and participate,”

Mark Montgomery,

the executive director of the group and one of the report’s authors, said in a call with reporters.

Critical infrastructure in the U.S. is divided into 16 sectors, covering areas such as financial services, chemicals, the defense industrial base and energy companies, with a federal agency assigned to oversee cybersecurity risk management for each sector. 

In practice, who is responsible for what is far less clear, said Annie Fixler, one of the report’s authors and director of the center on cyber innovation and technology at the Foundation for the Defense of Democracies, a national-security think tank. 

The May 2020 ransomware strike on Colonial Pipeline shows how wires can quickly become crossed, Fixler said. In Congressional testimony, Colonial executives said they initially notified the Federal Bureau of Investigation of the attack because it is the government’s lead incident-response agency. 

However, the Transportation Security Administration is the sector risk management agency for pipelines, and CISA, which focuses on infrastructure protection, later learned of the attack from the FBI, Fixler said. The government eventually named the Energy Department as the lead U.S. agency for the federal response to the attack. During the incident, Colonial shut operations for six days, prompting panic buying that drove up gasoline prices.

“It really showed us how the current framework breaks down in a crisis,” Fixler said. 

Colonial declined to comment. CISA, the TSA and the FBI didn’t immediately respond to requests for comment.

The current system was largely created by Presidential Policy Directive 21, an Obama era document that set up sectors and assigned federal agencies to oversee them. The directive is now irrelevant, Montgomery said, pointing to cloud computing as an example of how technology development has outpaced policy.

The document was also written before CISA’s creation in 2018.

The Biden administration said in November it would rewrite the directive, with an estimated completion date of September 2023. Montgomery said meeting such an aggressive deadline was unlikely if proper industry consultation takes place, which he added is critical to ensuring any revisions work better.

“Involving the private sector will slow things down, but also produce a product with buy-in, and I think that’s critical,” he said.

Changes should include clearly stating how CISA and agencies responsible for specific sectors interact, as many cyberattacks cut across industries, said Mary Brooks, one of the report’s authors.

“At this point, almost all incidents are cross-sector incidents. Everything is so interrelated and interconnected with many of the other sectors out there,” said Brooks, a public policy fellow at the Wilson Center current-affairs think tank.

Write to James Rundle at james.rundle@wsj.com