An amendment that includes cyber protections to defend “systemically important” critical infrastructure — such as large energy utilities, telecom providers and major financial institutions — won adoption in the U.S. House of Representatives Thursday.
The legislation is an outgrowth of the wo rk of the Cyberspace Solarium Commission, which originally recommended a model similar to that envisioned in the bill. It mandates that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) designate infrastructure needed for “national critical functions,” with operators at designated entities required to report to CISA the national cyber director on their management of cyber risk.
Designation will require organizations to disclose risk management strategies for critical assets and supply chain; share and receive threat intelligence with the government; and allow federal agencies to examine operations and assess performance-based security goals.
Rhode Island Democrat Jim Langevin — a longtime congressional leader on cyber issues who will retire later this year — proposed the language as an amendment to the National Defense Authorization Act. The House approved it by voice vote.
The amendment’s passage “will improve our ability to protect Americans against malicious hackers, and give the private sector the support they need to defend their networks,” Langevin said in a prepared statement.
The legislation limits the number of designations to a total of 200 but allows the Department of Homeland Security to raise that number by 150% after four years. Designated entities will have the ability to appeal for removal from the list.
The U.S. Chamber of Commerce criticized the amendment as written and sent a letter to all House members Wednesday, noting that many businesses’ “core policy goals” are not acknowledged, including legal liability protections and national preemption of state cybersecurity and protection laws.
he legislation’s passage will better protect Americans from devastating cyberattacks, according to Mark Montgomery, the former head of the Solarium Commission, which Congress established in 2019 to develop a plan to defend the U.S. in cyberspace. Montgomery said the commission’s recommendations for ensuring the government and businesses collaborate on cybersecurity have not been as successful as he would like. He called the legislation passed Thursday an important first step.
“Because of their importance to national security, economic viability, public health and safety, [these entities] are most vulnerable to malicious action or adversary cyber attack,” said Montgomery, who now runs the Center on Cyber and Technology Innovation at the think tank the Foundation for Defense of Democracies. “We need to build the ligature of public-private collaboration and we have not achieved some of our major goals there.”