The notion of writing more cybersecurity regulations is gaining traction following the Colonial Pipeline and JBS ransomware incidents, after decades of a largely hands-off approach to private sector-owned critical infrastructure.
Top Biden administration team picks have testified about how voluntary standards aren’t getting the job done, and some in Congress have indicated their patience is waning with letting industry go it alone.
Enter a proposal that some lawmakers and the Cyberspace Solarium Commission say strikes a middle ground between the new zeal for hard rules and the tradition of non-regulation in cyberspace: “systemically important critical infrastructure.”
Also known as SICI, it’s an idea that involves labeling hacking targets that are most likely to cause economic, public health or national security disruptions if attacked, then offering the owners of that infrastructure a mixture of government boons in exchange for meeting baseline cybersecurity standards.
But even as something of a compromise suggestion, it’s not going to be easy to win over industry. Some groups are already prepping to battle the SICI proposal. Turf battles in Congress, too, pose potential hurdles.
“It’s going to be a heavy fight,” said Frank Cilluffo, director of the McCrary Institute for Cyber & Critical Infrastructure Security and member of the Cyberspace Solarium Commission. “It’s going to be a heavy lift, but it’s the right thing to do.”
The commission pitches a collection of “benefits and burdens” for entities labeled “systemically important critical infrastructure.” The burdens include mandates that firms share threat information and meet certain yet-unwritten security standards. Companies that meet such standards would receive protections against lawsuits if they are affected by disruptive attacks, and those designated “SICI” would receive priority federal aid in such an event.
“This is an alternative to ‘big R’ regulation,” said Mark Montgomery, staff director of the commission.
In May, as a number of lawmakers publicly discussed the need to look at the SICI idea, a coalition of banking organizations wrote to Capitol Hill leaders expressing skepticism about some of the ideas.
“As one of the few critical infrastructure sectors that has complied with rigorous regulatory requirements for the security and resilience of its operations for over 20 years — including the cybersecurity practices of its vendors, suppliers, and business affiliates — the prospect of encouraging other sectors to improve their cybersecurity is a welcome proposition,” the letter reads.
“However, Commission recommendations that add new oversight from the Department of Homeland Security to set mandatory cybersecurity performance standards fail to recognize that the financial sector already has a complicated myriad of requirements through state and federal banking regulators,” wrote the American Bankers Association, Bank Policy Institute, Consumer Bankers Association, Financial Services Forum and Securities Industry and Financial Markets Association.
Others said they need more time to take a closer look at what’s on the table.
“The U.S. Chamber of Commerce shares the same objectives as policymakers regarding cybersecurity, especially when it comes to helping the business community defend against ransomware and other malicious activity,” said Matthew Eggers, vice president of cybersecurity policy at the chamber’s cyber, intelligence and supply chain security division. “The so-called SICI legislation, which has not been released for public review, would regulate many private critical infrastructure entities, and the Chamber wants to assist its members and lawmakers to consider the legislation thoughtfully.”
The Information Technology Industry Council also is still reviewing a version of the idea.
“It is a pivotal time for cybersecurity policy in the United States and the Cyberspace Solarium Commission is an important advocate for advancing solutions that improve the U.S. cyber posture,” said Mike Flynn, senior director of government affairs and counsel. “We share that priority and continue to engage with both the Commission and Congress on their recommendations.”
Montgomery, who also serves as the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies think tank, said banks need to consider the bigger picture. Yes, the top institutions spend millions of dollars on cybersecurity, but there are thousands of other banks, he said.
Banks that already are well-protected aren’t likely to be affected by the new standards, Montgomery said, but there are other industries like wastewater plants and public health organizations that need to show considerable improvement.
Suzanne Spaulding, another Solarium commissioner, said she understands the industry skepticism.
“Industry is always nervous about the government, suggesting that they’re going to tell them how to do their job,” said Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies think tank. “They also understand, I think, that increasingly, there’s going to be harsh criticism when functions that they enable for the American public are disrupted.”
Fuel shortages from the Colonial Pipeline hack and hikes in meat prices stemming from the JBS attack have put cybersecurity on the agenda of policymakers in a previously unheralded way, said Spaulding — constituents have complained to members of Congress at town halls.
State of play
One lawmaker who’s advocated for Congress to take up the SICI idea is New York Rep. John Katko, the top Republican on the House Homeland Security Committee. Earlier this month, he said there’s value in such a plan “if we do it right.” That involves, in part, transparency and collaboration with industry, said a committee Republican aide.
“Definitely I think there’s appetite across the Hill to address something like this,” said the aide.
That also might prove to be part of the problem with advancing the SICI idea. While the House and Senate homeland security panels are the likely starting places for any SICI legislation, other committees may lay claim to a piece of the congressional action. That could slow or ultimately sideline a bill.
“Committee jurisdiction is always going to be a challenge here,” said Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
Commission member Rep. Jim Langevin, D-R.I., has advocated for hearings on SICI at the House Homeland Security Committee, on which he sits. A committee spokesperson didn’t answer whether the panel planned to hold any.
But some of the groundwork has already been laid, if Congress does take action. A 2013 executive order directed agencies to identify the critical infrastructure at greatest risk, something Spaulding helped work on when she was at DHS. And DHS’s Cybersecurity and Infrastructure Security Agency in 2019 debuted its initial list of “national critical functions” to prioritize for protection.