Two members of the House Homeland Security Committee introduced legislation earlier this month that would push the Cybersecurity and Infrastructure Security Agency to identify “systemically important” critical infrastructure that, if hacked or disrupted, could have cascading effects across American society.
The bill, from Reps. John Katko, R-N.Y., and Abigail Spanberger. D-Va., would empower the agency’s director to convene a group of federal and industry stakeholders to devise “objective criteria” to judge whether the compromise or disruption of an entity or element of critical infrastructure would lead to “debilitating effect on national security, economic security, public health or safety, or any combination thereof.”
While House Homeland Committee Chair Bennie Thompson’s name was conspicuously absent from the initial rollout, the idea will have a powerful supporter in CISA Director Jen Easterly, who said at an event hosted by the Center for Strategic and International Studies this week that she endorses the bill and is already working to incorporate some of the concepts into existing agency operations.
“I think this is hugely important, notwithstanding whether this ends up in legislation or not — and I certainly hope it does — and we are already thinking through the model,” said Easterly.
Under the bill, entities or industries flagged as systemically important would be moved to the head of the queue when it comes to accessing CISA resources, like technical assistance and voluntary continuous monitoring services.
Katko, who spoke at the same event, said the idea was spurred in part by frustration he felt in the wake of attacks like the Colonial Pipeline ransomware incident that many critical infrastructure companies that are responsible for essential, cross-cutting services to American society don’t seem to take cybersecurity seriously until after they’ve become the latest victim in the headlines.
“One of the things that really bothered me about the Colonial Pipeline attack is when the CEO came before [Congress] and told me all the things he did to harden the system after the fact and … we don’t want to have those discussions,” said Katko. “We want to have the discussions where we’re talking about hardening the systems assuming that you will be the next person to be attacked, the next entity to be attacked.”
CISA already has a body, the National Risk Management Center, that was explicitly designed to analyze weak points in American technical and physical infrastructure and guide prioritization around federal cybersecurity resources. In 2019 the center released a list of more than 100 “national critical functions” across all 16 critical infrastructure sectors, identifying services like internet routing access and connection, metals and materials production, consumer banking and others that could have far-reaching consequences in American society if a major provider was hit by ransomware or hacked by foreign governments.
But Katko said there’s a need to go deeper than that to ensure the next Colonial Pipeline, JBS or Kaseya is proactively building up protections and resilience instead of waiting for an attacker or government regulators to force their hand.
“I really think this bill will set the tone for having that model whereby we look at these seemingly intractable problems in the cyber realm and don’t just say I, in Congress, have all the ideas; don’t just say I, CISA, have all the ideas; don’t just say I, in the private sector, have all the ideas. Work together, sit down, figure it out, tell us what you think is important and then let’s take the most important of the most important and really drill down to make them as safe as possible.”
Easterly said the NMRC is already “prototyping a variety of different approaches … to try and start identifying those entities that are in fact systemically critical.”