Lawmakers introduce bill to identify and protect critical groups from cyber threats

House Homeland Security Committee ranking member John Katko (R-N.Y.) and Rep. Abigail Spanberger (D-Va.) on Tuesday introduced legislation to help the federal government identify and further protect certain critical groups from cyberattacks. 

The Securing Systemically Important Critical Infrastructure Act would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish a process to designate groups as systemically important critical infrastructure (SICI). 

CISA would be required to work with sector risk management agencies to establish the criteria around what organizations qualify as SICI, and ensure CISA gives owners and operators of these key groups access to priority cybersecurity programs. 

“In recent months, we have collaborated extensively with industry to codify a transparent, well-understood, stakeholder-involved process for identifying SICI,” Katko said in a statement Tuesday. “Our goal is to understand the single points of failure and layers of systemic risk in our economy, because if everything is critical, nothing is.”

The legislation was introduced following multiple major cyber incidents over the past year that have drawn the attention of members of Congress on both sides of the aisle. 

These incidents have included ransomware attacks on companies including Colonial Pipeline and meat producer JBS USA, attacks that disrupted critical supply chains, and the SolarWinds hack in December that allowed Russian government-linked hackers to compromise numerous federal agencies. 

In response, multiple pieces of legislation have been rolled out in the House and Senate, including a bipartisan bill passed by the House last month as part of its version of the 2022 National Defense Authorization Act (NDAA) that would require CISA to establish requirements for some critical infrastructure owners and operators to report cybersecurity incidents. It bans CISA from requiring these groups to report incidents earlier than 72 hours after they occurred.

Katko noted that the bill included in the NDAA, which he and other bipartisan leaders of the House Homeland Security Committee sponsored, is “complementary” to the legislation introduced Tuesday. 

“Over the past year, we’ve seen the devastating real-world impacts of sophisticated cyber attacks on our nation’s critical infrastructure,” Katko said. “To mitigate risks to our economic and national security going forward, we need a clear process for identifying which infrastructure constitutes systemically important critical infrastructure.

“Disruption to this infrastructure – ranging from pipelines to software – could have an outsized impact on our homeland security,” he added. “The owners and operators of SICI naturally demand deeper cyber risk management integration with the federal government.”

Spanberger pointed to the negative impact of Colonial Pipeline on her state of Virginia in emphasizing the need to pass the legislation, with the attack on the Pipeline temporarily compromising the supply chain that provides 45 percent of the East Coast’s fuel. 

“In our communities, we saw how critical infrastructure — such as the Colonial Pipeline — plays a fundamental role in our daily lives and in the day-to-day success of our regional economy,” Spanberger said in a statement. “As we look to protect the American people from future threats and keep our economy competitive, I am proud to join my colleague, Ranking Member Katko, in introducing this timely legislation.”

President Biden has already taken steps around this issue, giving Russian President Vladimir Putin a list of 16 critical infrastructure entities that were off-limits to cyberattacks during their meeting in Geneva earlier this year. 

Both the Senate Homeland Security and Governmental Affairs Committee and the Senate Intelligence Committee have rolled out bipartisan legislation in recent weeks to require federal agencies and certain key private groups to report cyberattacks within varying time frames, with recent attacks revealing the weakness of the U.S. being without a federal reporting standard. 

A House Homeland Security Committee aide told reporters prior to the bill’s introduction Tuesday that the committee’s subcommittee on cybersecurity, infrastructure protection and innovation would hold a roundtable later this week involving the legislation.

“I think that is a really good opportunity for us all to work the project off the same sheet of music, essentially,” the committee aide said of the upcoming event.  

While there was the potential that the new legislation could be included in the 2022 NDAA, the committee aide stressed that the annual defense bill was not “the last train leaving the station.”

“I think there will be numerous opportunities to get it done, both in the coming months but also throughout the rest of the year,” the aide said.