Lawmakers are looking to boost the U.S. government's ability to safeguard from devastating cyberattacks on vital infrastructure sectors such as water supplies, electric utilities and pipeline operators.
The effort comes on the heels of a new law Congress passed as part of the fiscal 2022 omnibus spending bill that requires operators of critical infrastructure to report any cyberattacks they suffer to the Cybersecurity and Infrastructure Security Agency.
“How do we continue to mature the way the government engages with critical infrastructure – particularly those entities that are the most critical of the critical?” Rep. Yvette D. Clarke, D-N.Y., chairwoman of the subcommittee on Cybersecurity, Infrastructure Protection and Innovation of the House Homeland Security Committee said at a recent hearing.
“From where I'm sitting, one thing is clear, the U.S. desperately needs to revamp the playbook it uses for critical infrastructure cybersecurity,” to ensure that operators of infrastructure are taking timely action to shore up their defenses against crippling cyberattacks, Clarke said
CISA, which is part of the Department of Homeland Security, has designated 16 sectors, ranging from banks and financial institutions to hospitals and election systems, as critical. The agency works with private sector partners in each of these sectors to share intelligence and help them boost security measures.
In 2013, then-President Barack Obama issued an executive order to try to narrow the focus on a few vital sectors “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economy security, or national security.”
But such efforts have not yielded results, Clarke said. “It's not enough to simply make a list of our most vital assets – we need to know how we're going to operationalize it,” she said.
Clarke, along with top Republicans on the panel including Reps. John Katko and Andrew Garbarino, both of New York, are aiming to draft legislation that would codify “systemically important critical infrastructure” sectors.
CISA and U.S. intelligence agencies then would be granted authority by Congress to provide greater assistance and intelligence sharing with such systemically important sectors. In turn, companies in those sectors would have to shoulder greater burdens in terms of security procedures and sharing information with agencies.
The goal is for companies to protect themselves with high-quality threat and intelligence information available while CISA and intelligence agencies gain a better understanding of attacks unfolding on private networks.
The lawmakers' approach was one of the key recommendations of the Solarium Commission — a bipartisan, bicameral panel of lawmakers and experts — that proposed several cybersecurity measures in its March 2020 report.
The commission also recommended that Congress require private companies to report attacks on their networks to government agencies — action that Congress recently took.
The next step is for Congress to identify the key sectors where a cyberattack would have the greatest national security implications, said Frank Ciluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
“The outcome we need to be working toward and if we can get to a rigorous and empirically based process to identify some of these systemically important critical infrastructure [sectors], then you can see the pieces coming together,” said Ciluffo, who previously served as a commissioner on the Solarium panel.
Lawmakers are realizing that among the 16 sectors designated as critical by CISA, not all operators have the same resources and capabilities.
Companies in the financial industry and operators of water facilities are both identified as critical but banks have far more resources and capabilities than operators of water plants.
“The financial services sector is well-resourced, regulated, and capable of actioning both classified and unclassified information,” Rep. Bennie Thompson, D-Miss., said in a statement. “In contrast, the water sector is under-resourced, largely unregulated, and would benefit from concise, properly contextualized security guidance.”
In 2021 a hacker gained access to a water treatment system in a Florida town and boosted levels of sodium hydroxide — otherwise known as lye — to dangerous levels before it was detected and reversed. That kind of attack has been growing in recent years as more and more control systems are operated through the internet and information on how to break into them is spreading online.
A representative of the water plant operators recently told Congress of the difficulty some companies face in boosting cybersecurity.
When CISA and other federal agencies provide cybersecurity alerts and guidance to companies in the 16 critical sectors, these advisories tend to be “highly technical” and “may be difficult to implement by entities that lack in-house cybersecurity expertise to enhance the effectiveness of information sharing,” Kevin Morely, manager of the American Water Works Association, told the House Homeland Security hearing last week.
Starting in late December, the water association had reached out to 58,000 water systems operators to share Russian cyber threat information provided by CISA, Morley said.
Morley said as many as 40,000 water systems are community-based organizations that each serve fewer than 3,300 people.
As a first step, Congress should identify a few key sectors whose security is vital and provide authorities to CISA and U.S. intelligence agencies so that the government can share high-quality threat information and intelligence with companies in those sectors, Ciluffo said.
In return companies should be encouraged to voluntarily step up their security measures, Ciluffo said. When an operator meets certain threshold of security measures that entity then would be entitled to receive a greater level of threat and intelligence information, he said.
Such an approach would be better than Congress mandating or forcing companies to comply with specified security measures, Ciluffo said.
Once such a system has been in place, Congress and the agencies can assess how it is working and then add more sectors to the process, and examine whether moving from voluntary to mandatory security measures makes sense, Ciluffo said.
“I don't think Congress should come in with sledgehammers” in designating vital sectors and prescribing security measures, Ciluffo said. “I think they should come in with scalpels” and improve as they learn more.