Rep. Mike Gallagher (R-WI) and Rep. Abigail Spanberger (D-VA) have introduced a bipartisan bill intended to fortify the defense of critical infrastructure sectors from cyber attackers.
Under the National Risk Management Act of 2023, the Secretary of Homeland Security would be required to establish a National Risk Management Cycle in consultation with Sector Risk Management Agencies, critical infrastructure owners and operators, the Assistant to the President for National Security Affairs, the Assistant to the President for Homeland Security, and the National Cyber Director.
The recurring process would identify risks to critical infrastructure and the associated likelihoods, vulnerabilities, and consequences of each identified risk, the bill's sponsors said.
Key Elements: National Risk Management Act of 2023
Here are some key elements of the measure:
- Within six months of the bill’s passage, the Secretary is tasked with submitting a report to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee of Homeland Security of the House, on the risks of cybersecurity threats and physical threats based on the recurring process of national risk management.
- No later than one year after the Secretary delivers the report, the President is to deliver to Congress, Homeland Security and Congressional Homeland Security committees a national critical infrastructure resilience strategy to address the risks to the nation.
- Not later than one year after the President delivers the report and each subsequent year, the Secretary will update various security committees and agencies on national risk management process activities and the amounts and timeline for funding to address cybersecurity and physical threats.
The Why: Lawmakers Explain Bill's Importance
Gallagher called the bill’s tenets basic hygiene.
“Establishing a National Risk Management Cycle is basic cyber security hygiene and a common-sense step we can take to ensure our businesses and critical infrastructure are hard targets,” Gallagher said.
Spanberger said the threats to critical infrastructure are “not hypothetical,” pointing in particular to the Colonial Pipeline attack in May, 2021.
“The threats to our national security are increasingly complex,” she said. “Families, businesses, and communities across our country are vulnerable to sophisticated cyber threats, destabilizing attacks on our critical infrastructure, and foreign interference.
“Virginians know that these threats are not hypothetical — thousands of our neighbors have experienced the consequences of susceptible critical infrastructure, such as during the Colonial Pipeline attack."