The Cybersecurity and Infrastructure Security Agency has begun working to map out the U.S. critical infrastructure that, if hacked, could result in serious consequences for national security and economic interests, CISA Director Jen Easterly said Friday.
Labeling such infrastructure is the subject of a proposal of the Cyberspace Solarium Commission, a congressional committee, which recommended identifying “systemically important critical infrastructure,” or SICI. Lawmakers have introduced SICI legislation in recent months, but Easterly said her Department of Homeland Security agency is proceeding ahead with or without a bill.
“Notwithstanding whether this ends up in legislation or not, and I certainly hope it does, we are already thinking through the model,” she said at an event hosted by the Center for Strategic and International Studies. “We’re in a state now where a critical infrastructure is much more vulnerable than it should be. And frankly, that’s what I worry about most every day.”
CISA is dubbing the effort, rather than SICI, “primary systemically important entities.” The criteria will be based on a preexisting method the agency has used to examine critical infrastructure, and how risk is intertwined.
“We’re prototyping a variety of different approaches in our National Risk Management Center, ” Easterly said, “to try and start identifying those entities that are in fact systemically important, and we’re doing it based on economic centrality, network centrality and logical dominance in the national critical functions.”
There are limits to what CISA can do on its own, however. While the agency might be able to begin categorizing infrastructure without Congress, legislation would need to address another facet of the Solarium proposal: imposing a mix of federal “benefits and burdens” for companies that receive the label, such as meeting required baseline security standards or receiving liability protections.
New York Rep. John Katko, the top Republican on the House Homeland Security Committee, has proposed one such bill, which excludes burdens for any critical infrastructure owners in favor of starting the labeling and prioritizing CISA services for owners and operators.
House Homeland Security Committee Democrats have signaled some support for Katko’s SICI legislation, although Katko lamented that panel leadership left it off a recent markup session.
“I think that what John is doing through his legislation really distills us to the elements that we must, must, must focus on in order to build out a robust protocol to address what we know are the constant bombardment of our critical infrastructure,” Rep. Yvette Clarke, D-N.Y., who chairs the panel’s cybersecurity subcommittee, said in October.
CISA’s ideal budget
Easterly agreed with Katko’s assertion that CISA needs a bigger budget. The agency sits at $2 billion now, although some policymakers are pushing for increases. Katko said CISA needs to be a $5 billion agency.
“Maybe it’s a $5 billion agency,” Easterly said. “As we are a very young agency and as we are transforming, we are making sure that we are putting all the processes in place so that we can absorb that funding and we can spend it responsibly and effectively.”
In particular, CISA is looking to spend money to hire key personnel, such as its corps of state cybersecurity coordinators, cybersecurity advisers for the private sector and specialists in vulnerability management, threat hunting and incident response.
“We are in the midst of doing a force structure assessment, sort of a ‘troops to task,'” Easterly said.