The House has passed a package of five bipartisan bills that would support state and local governments’ cybersecurity needs, expand incident remediation capabilities and fortify critical infrastructure cyber defenses.
The legislative milestones, which may influence how MSSPs, MSPs and MDR (managed detection and response) service providers tackle cybersecurity engagements, include:
1. The State and Local Cybersecurity Improvement Act establishes a $500 million grant program, up from the $400 million approved by the House last year. It aims to help lower-level government agencies erect digital barriers to cyber attacks. The measure, sponsored by Rep. Yvette Clarke (D-NY), who chairs the House Homeland Security Committee's cybersecurity panel, was first introduced in late 2020 but failed to receive a vote in the Senate.
2. The Cybersecurity Vulnerability Remediation Act, sponsored by Rep. Sheila Jackson Lee (D-TX), adds remediation of cybersecurity vulnerabilities to the Department of Homeland Security’s (DHS) responsibilities. The bill previously passed the House in 2019 but did not receive a vote in the Senate.
3. The Cyber Exercise Act would direct the Cybersecurity and Infrastructure Security Agency (CISA) to create a special cybersecurity program to test how well the nation’s critical infrastructure defenses can thwart attacks. The measure would require CISA to assist state and local governments and private industry in assessing the safety and security of critical infrastructure. The bill’s primary sponsor is Rep. Elissa Slotkin (D-MI).
4. The Cyber Sense Act would require the Department of Energy to establish a program to test the cybersecurity of products and technologies intended for use in the bulk-power system. The measure’s primary sponsors are Reps. Bob Latta (R-OH) and Jerry McNerney (D-CA).
5. The DHS Industrial Control Systems Capabilities Enhancement Act gives CISA the responsibility to maintain capabilities to identify threats to industrial control systems. House Homeland Security Committee ranking member John Katko (R-NY) is the primary sponsor of the legislation.
Bonus: The House also passed Katko’s Domains Critical to Homeland Security Act aimed at addressing vulnerabilities in U.S. supply chains.
“We must continue bolstering CISA’s authorities to defend our federal networks and the nation’s critical infrastructure from cyber threats,” Katko said. “Already this year, the nation has confronted numerous major attempts to compromise federal and private sector networks.”
U.S. Energy Grid Security
The bundle of legislation immediately followed the House’s approval of two bills designed to protect the nation’s energy grid, both of which the lower chamber passed last year. The Energy Emergency Leadership Act, backed by Reps. Bobby Rush (D-IL) and Tim Walberg (R-MI), would ensure that a Senate-confirmed, assistant secretary-level official heads the Energy Department’s energy emergency and cybersecurity missions to oversee the nation’s power grid.
The Enhancing Grid Security Through Public-Private Partnerships Act, sponsored by Reps. Bob Latta (R-OH) and Jerry McNerney (D-CA), would direct the Department of Energy to facilitate and encourage public-private partnerships to address security risks facing electric utilities.
While the Senate has proven to be a Congressional graveyard for House-passed cybersecurity legislation in the last few years, that resistance has eased somewhat, largely owing to the series of destructive ransomware attacks that have hit critical infrastructure, prompting some recalcitrant lawmakers to reconsider their positions.
MSP Software and IT Service Providers Under the Microscope
Among the attacks that U.S. lawmakers have been watching closely is the Kaseya VSA cyberattack on July 2, 2021. The REvil ransomware attack spread ransomware to roughly 50 MSPs and 1,500 downstream customers, and also caused thousands of MSPs to lose remote monitoring and management (RMM) capabilities for more than a week.
Ahead of the Kaseya VSA attack, President Biden in May 2021 issued a cybersecurity executive order that included updated guidance for IT service providers.