Legislators aim to shore up critical infrastructure cyber defense

Members of Congress introduced several bills geared toward identifying critical infrastructure and requiring certain organizations to report cyber incidents in a timely manner.
By Kat Jercich
03:24 PM

Sen. Rob Portman

Photo: Rob Portman, Gage Skidmore/Flickr, licensed under CC BY-SA 2.0

Members of Congress have introduced several bills aimed at bolstering the nation's cybersecurity when it comes to critical infrastructure – and requiring victims to report quickly when incidents do occur.  

Identifying critical infrastructure  

On Tuesday, Rep. John Katko, R-N.Y., and Rep. Abigail Spanberger, D-Va., put forward legislation that would designate systemically important critical infrastructure.

A disruption to such infrastructure, the bill says, would have a "debilitating effect on national security, economic security, public health or safety, or any combination thereof."

"Over the past year, we’ve seen the devastating real-world impacts of sophisticated cyber attacks on our nation’s critical infrastructure," said Katko in a statement.

"To mitigate risks to our economic and national security going forward, we need a clear process for identifying which infrastructure constitutes systemically important critical infrastructure. Disruption to this infrastructure – ranging from pipelines to software – could have an outsized impact on our homeland security," he added.   

"The owners and operators of SICI naturally demand deeper cyber risk management integration with the federal government," he said.  

"Our bipartisan bill would help us identify the critical infrastructure that is particularly foundational and systemically important to our economy and national security, and it would help prioritize protecting these systemically important systems from the serious consequences cyberattacks can have on public safety and health, as well as on our supply chains," said Spanberger.

The bill, "the Securing Systemically Important Critical Infrastructure Act," also directs the Cybersecurity and Infrastructure Security Agency to prioritize meaningful benefits to critical infrastructure owners and operators without any additional burden.   

The benefits include the option to take part in prioritized cybersecurity services, such as:

  • Front of the line access for CISA’s key cybersecurity programs.
  • Prioritized representation in CISA’s newly established Joint Cyber Defense Collaborative.
  • Prioritized applications of SICI owners and operators for security clearances, as appropriate.

As reported by CyberScoop, this is a departure from the recommendation of the Cyberspace Solarium Commission, which recommends that owners and operators also shoulder burdens such as mandatory security standards and reporting of cyberattacks.

Mandating incident reports  

Speaking of cyber incident reporting, legislators have floated a number of bills aimed at putting a timer on breach notifications.  

On Monday, Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, introduced a bill to update the Federal Information Security Modernization Act. The new bill would require civilian agencies to report all cyberattacks to CISA and major incidents to Congress within five days.   

It also:  

  • Provides additional authorities to CISA to ensure they are the lead agency for responding to incidents and breaches on federal civilian networks.
  • Codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity to enforce higher level security protections for federal information systems and their sensitive data.
  • Requires the Office of Management and Budget to develop guidance for federal agencies to use so they can efficiently allocate the cybersecurity resources they need to protect their networks.

"This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security," said Peters.  

The bill follows legislation introduced in both the House and the Senate that would require certain critical infrastructure organizations to report incidents to CISA.

The Senate bill would mandate notification within 24 hours of discovery, while the House legislation directs CISA to establish its own specifics in a rule.

"As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority," said Rep. Bennie Thompson, who cosponsored the House bill.

"Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners," he said.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
