A leading congressional voice on cybersecurity is seeking to amend the annual defense policy legislation to include cyber protections for the nation’s most vital critical infrastructure.
Rhode Island Democrat Jim Langevin — who chairs the House Armed Services panel’s cyber subcommittee and served on the Cyberspace Solarium Commission — has drafted an amendment to match the commission’s recommendation to boost defenses for “systemically important critical infrastructure (SICI).”
The amendment ties the definition of the term to infrastructure key to “national critical functions,” for which the federal government says disruption “would have a debilitating effect on security, national economic security, national public health or safety.”
After identifying and designating such infrastructure, the director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency and the national cyber director would establish reporting requirements for their owners and operators on things such as their critical assets and supply chain risk management practices; for the government to share threat intelligence with them; and for the agencies to study performance-based security goals for them to reach, among other steps.
“Recognizing that private sector entities now stand on the front lines of the cyber battlefield, the federal government must identify and actively partner with those systemically important entities whose core functions are of national consequence to the United States,” Langevin said in a statement to CyberScoop.
“After all, these entities are particular focal points of leverage to our adversaries — if any one of them falls victim to a cyberattack, the entire country is in store for a very bad day. Creating a partnership wherein systemically important entities receive greater support from the federal government to defend their networks, without overburdensome regulation, will enhance our nation’s collective security,” he said.
CISA has already begun identifying what it instead calls “primarily systemically important critical infrastructure,” without awaiting possible legislation. New York Rep. John Katko, the top Republican on the House Homeland Security Committee, has introduced his own SICI bill, but it doesn’t require SICI owners and operators to take any steps — it focuses only on offering government assistance to them.
Both Langevin and Katko have focused on cyber in their careers and are leaving Capitol Hill, which means getting some version of SICI legislation across the finish line could be among their last cyber hurrahs.
The original Cyberspace Solarium Commission proposal drew criticism from a group of banking organizations.
“Commission recommendations that add new oversight from the Department of Homeland Security to set mandatory cybersecurity performance standards fail to recognize that the financial sector already has a complicated myriad of requirements through state and federal banking regulators,” they wrote. “New proposals for cybersecurity must recognize existing legal and regulatory requirements to ensure front-line cyber defenders can continue to focus on security threats rather than growing reporting and compliance requirements.”
The Langevin amendment, which is subject to change dependent on ongoing negotiations, doesn’t mandate performance standards, beyond ordering a study of the notion. The amendment also says that if a SICI owner or operator already is obligated to meet reporting requirements via other federal agencies, they wouldn’t have to send any additional reports to CISA.
The amendment would limit the number of designations to a total of 200. After four years, the DHS secretary could increase that number by 150%. Entities also could appeal to be removed from the SICI list.
That amendment doesn’t represent Langevin’s only cybersecurity plans for the fiscal 2023 defense authorization measure. He also plans to offer an amendment creating an Office of Cyber Statistics within CISA. The Solarium commission originally proposed placing it in the Commerce Department, but industry has indicated it prefers placing it in CISA.
The office would gather and analyze information on cyber incidents and cybercrime and compile it in such a way that “will serve as a continuous and comparable national indication of the prevalence, rates, extent, distribution, and attributes of all relevant cyber incidents.” It would publish anonymized data as CISA deems appropriate.
The text of that amendment is also subject to change.
Suzanne Smalley contributed to this story.