In an effort to better protect critical infrastructure, House representatives and Federal cybersecurity officials spoke today about how to most effectively identify the nation’s most systemically important critical infrastructure.
Such a list of entities, and where current efforts stand, was the topic of a House Cybersecurity, Infrastructure Protection, and Innovation Subcommittee hearing today.
“Fortunately, we know that Congress can still come together to tackle big challenges,” subcommittee chair Yvette Clarke, D-N.Y., opened. “Most recently, enacted Cyber Incident Reporting legislation as proof of that.”
“My goal today is to get testimony that will help us answer the question, What’s next?” Clarke continued. “How do we continue to mature the way the government engages with critical infrastructure, particularly those entities that are the most critical of the critical or – as the Cyber Solarium Commission put it – our systemically important critical infrastructure?”
The hearing called Eric Goldstein, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA); Robert Knake, deputy national cyber director for strategy and budget and acting principal deputy national cyber director in the Office of the National Cyber Director (ONCD); and Tina Won Sherman, director of homeland security and justice at the Government Accountability Office (GAO), to answer Clarke’s questions.
“[CISA’s] core goal is ensuring the continuity and resilience of national critical functions,” Goldstein said in his opening statement. “For this reason, at CISA, we are focused on identifying these systemically important entities, or SIEs as we call them, which, if degraded, would cause debilitating systemic or cascading impacts to national critical functions.”
“We are engaged today in a rigorous effort to identify these entities, understand how they support national critical functions, and think creatively about how we can work collaboratively to build our operational collaboration and support these entities to reasonably assure the continuity of national critical functions under all conditions,” Goldstein added.
Lawmakers have introduced various efforts to identify such systemically important critical infrastructure, including a legislative attempt by House Homeland Security Committee ranking member John Katko, R-N.Y., introduced last October. However, to date, no such legislation has been enacted.
Answering a line of questioning by Clarke, Goldstein said that even if they were to designate the nation’s SIEs today, CISA does not currently have the authority to compel the organizations to share information about the security measures they have in place, their vendors or supply chains, or their relative security risks or vulnerabilities.
While CISA doesn’t have the ability to compel such collaboration, Knake took time to credit the levels of success and collaboration that current public-private partnerships, like CISA’s Joint Cyber Defense Collaborative (JCDC), have already led to.
“I think we really need to recognize how far we have actually come, particularly, in the last few years,” Knake said in his opening statement. “We’ve gone from a partnership that was fundamentally about having meetings between public policy officials and companies, and public policy officials and organizations, to one in which we have operational collaboration that in some cases is side-by-side, shoulder-to-shoulder.”
“Even more importantly, [operational collaboration] has been virtualized, so that people at large companies – these systemically important entities – can engage with the private sector, with the government and can do it in real-time from where they are,” Knake added. “This is a massive leap that the JCDC has really enabled over the last year, and we’re really seeing the benefits of that maturation as we confront the Russians.”
Sherman also emphasized the role that such collaborations play in protecting SIEs, but added that the current voluntary nature of such collaboration poses a challenge to protecting the nation’s critical infrastructure.
“Protecting the assets, systems, and networks that underpin our daily lives is a pressing and monumental task,” Sherman said. “We must safeguard not only our oil and gas pipelines, our water and food manufacturing facilities, but also our cell towers and satellites, our financial and health institutions, and more from cyber and other attacks that occur almost daily.”
“One of the repeated themes that cuts across this work is the continued need to improve collaboration between the government and the private sector,” Sherman added. “The diffuse and voluntary nature of the critical infrastructure landscape continues to pose a range of challenges to this community from implementing security standards and effectively analyzing risks to sharing threat-related information and providing timely support and guidance to stakeholders.”
While the goal of the hearing was not to come to a consensus on exactly how to protect SIEs and how to legislate their protection, both witnesses and lawmakers agreed on the need to at least start by identifying SIEs and creating a list that can adapt and change. Such a list is needed because, as Katko, R-N.Y., put it, “if all critical infrastructure is systemically important, then nothing is.”