CISA director endorses prioritizing ‘systemically important’ critical infrastructure

A woman fills gas cans at a Speedway gas station on May 12, 2021, in Benson, N.C., due to gas shortages following the Colonial Pipeline ransomware attack. A bipartisan bill that would identify entities like Colonial Pipeline as “systemically important” critical infrastructure gained the support of CISA Director Jen Easterly. (Photo by ...

Two members of the House Homeland Security Committee introduced legislation earlier this month that would push the Cybersecurity and Infrastructure Security Agency to identify “systemically important” critical infrastructure that, if hacked or disrupted, could have cascading effects across American society.

The bill, from Reps. John Katko, R-N.Y., and Abigail Spanberger, D-Va., would empower the agency’s director to convene a group of federal and industry stakeholders to devise “objective criteria” to judge whether the compromise or disruption of an entity or element of critical infrastructure would lead to “debilitating effect on national security, economic security, public health or safety, or any combination thereof.”

While House Homeland Committee Chair Bennie Thompson’s name was conspicuously absent from the initial rollout, the idea will have a powerful supporter in CISA Director Jen Easterly, who said at an event hosted by the Center for Strategic and International Studies this week that she endorses the bill and is already working to incorporate some of the concepts into existing agency operations.

“I think this is hugely important, notwithstanding whether this ends up in legislation or not — and I certainly hope it does — and we are already thinking through the model,” said Easterly.

Under the bill, entities or industries flagged as systemically important would be moved to the head of the queue when it comes to accessing CISA resources, like technical assistance and voluntary continuous monitoring services.

Katko, who spoke at the same event, said the idea was spurred in part by frustration he felt in the wake of attacks like the Colonial Pipeline ransomware incident: many critical infrastructure companies responsible for essential, cross-cutting services to American society don’t seem to take cybersecurity seriously until after they’ve become the latest victim in the headlines.

“One of the things that really bothered me about the Colonial Pipeline attack is when the CEO came before [Congress] and told me all the things he did to harden the system after the fact and … we don’t want to have those discussions,” said Katko. “We want to have the discussions where we’re talking about hardening the systems assuming that you will be the next person to be attacked, the next entity to be attacked.”

CISA already has a body, the National Risk Management Center, that was explicitly designed to analyze weak points in American technical and physical infrastructure and guide prioritization around federal cybersecurity resources. In 2019 the center released a list of more than 100 “national critical functions” across all 16 critical infrastructure sectors, identifying services like internet routing access and connection, metals and materials production, consumer banking and others that could have far-reaching consequences in American society if a major provider was hit by ransomware or hacked by foreign governments.

But Katko said there’s a need to go deeper than that to ensure the next Colonial Pipeline, JBS or Kaseya is proactively building up protections and resilience instead of waiting for an attacker or government regulators to force their hand.

“I really think this bill will set the tone for having that model whereby we look at these seemingly intractable problems in the cyber realm and don’t just say I, in Congress, have all the ideas; don’t just say I, CISA, have all the ideas; don’t just say I, in the private sector, have all the ideas. Work together, sit down, figure it out, tell us what you think is important and then let’s take the most important of the most important and really drill down to make them as safe as possible.”

Easterly said the NRMC is already “prototyping a variety of different approaches … to try and start identifying those entities that are in fact systemically critical.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
