A new bill would give the Cybersecurity and Infrastructure Security Agency (CISA) the power to identify certain foundational organizations as systemically important critical infrastructure (SICI) to further protect them from cyberattacks.
The Securing Systemically Important Critical Infrastructure Act, introduced by House Homeland Security Committee ranking member Rep. John Katko (R-NY) and Rep. Abigail Spanberger (D-VA), would establish a process to designate operations as SICI, require CISA to work with sector risk management agencies to establish the criteria to qualify as SICI and give SICI owners and operators access to prioritized cybersecurity services.
Specifically, here’s what the legislation does:
- Authorizes CISA to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure.
- Requires CISA to consult with sector risk management agencies (SRMAs) and stakeholders to establish a methodology and criteria to determine what critical infrastructure qualifies as SICI.
- Provides CISA with clear guidance and parameters for establishing SICI criteria.
- Requires CISA to provide SICI owners and operators the option to access prioritized cybersecurity services, including technical assistance and monitoring and detection programs; representation in CISA’s new Joint Cyber Defense Collaborative; and fast-tracked security clearance applications for SICI owners and operators.
“To mitigate risks to our economic and national security going forward, we need a clear process for identifying which infrastructure constitutes systemically important critical infrastructure,” Katko said. “Disruption to this infrastructure, ranging from pipelines to software, could have an outsized impact on our homeland security. The owners and operators of SICI naturally demand deeper cyber risk management integration with the federal government,” he said.
Spanberger pointed to the impact of the Colonial Pipeline ransomware attack on families and businesses in her home state. “In our communities, we saw how critical infrastructure plays a fundamental role in our daily lives and in the day-to-day success of our regional economy,” she said. “Our bipartisan bill would help us identify the critical infrastructure that is particularly foundational and systemically important to our economy and national security, and it would help prioritize protecting these systemically important systems from the serious consequences cyberattacks can have on public safety and health, as well as on our supply chains.”
Such is the nation’s determination to safeguard critical infrastructure from cyberattacks that President Biden, at their meeting in Geneva earlier this year, gave Russian President Vladimir Putin a list of 16 critical infrastructure operations that are off limits to cyberattacks. Russia-linked operatives are suspected in a number of recent attacks on U.S. facilities.
The SICI measure comes amid a flurry of legislative activity in the wake of recent cyberattacks on U.S. critical infrastructure entities, including the Colonial Pipeline ransomware hijack, a lockdown at meat processor JBS, the SolarWinds Orion supply chain cyber operation, the Kaseya incident and an extortion event at farm feed supplier New Cooperative.
For example, last week a newly introduced Senate bill would require critical infrastructure owners and operators to report a cyberattack within 72 hours. The Cyber Incident Reporting Act would also require federal contractors–including MSSPs, MSPs and managed detection and response (MDR) service providers–along with other organizations to report to CISA within 24 hours of making a ransom payment. A separate measure is forthcoming to update the Federal Information Security Modernization Act that requires federal agencies and contractors to report cyberattacks.
In August, legislators proposed the Sanction and Stop Ransomware Act to strengthen U.S. defenses against ransomware attacks on critical infrastructure operations and impose sanctions on foreign nations that harbor hackers. The bill would put ransomware in the same category as terrorism by sanctioning nations that back cyber attackers and require the President to impose sanctions consistent with those levied on nations that underwrite acts of terror.
In addition, President Biden in late July signed a National Security Memorandum under which the Department of Homeland Security, CISA and the National Institute of Standards and Technology will work together to develop cybersecurity performance goals for critical infrastructure. Also in July, among five cybersecurity bills passed by the House was the Cyber Exercise Act, which would direct CISA to create a special cybersecurity program to test the nation’s critical infrastructure defenses to thwart attacks.