This simply cannot be the norm. We must do better.
The federal government and the private sector must arrive at a new “social contract” for securing the country’s cyberspace, one in which both parties carry mutual responsibilities. The federal government must be assured that the private companies who own and operate critical systems and assets are doing their utmost to protect them. Likewise, private companies must be assured that the federal government is doing all it can to assist them. This means the federal government must bring authorities and resources to bear both to defend against and to respond to significant cyber-incidents. Building this trust through collaboration is essential to defending America’s critical infrastructure.
This year, Congress has the opportunity to enact further proposals that close the gap between critical infrastructure providers and the federal government in addressing cyberattacks. Of these proposals, the concept of “systemically important critical infrastructure” (SICI) is the most important.
Under this proposal, the Department of Homeland Security would designate a system or asset as “systemically important critical infrastructure” if its disruption is likely to cause widespread damage to the national security, economic security, or public health and safety of the United States. This could include the interruption of critical services, such as water or power, or the disruption of hospitals or financial systems. It would also include systems and assets whose disruption would undermine key national security or defense capabilities or lead to the widespread compromise of critical technologies or devices across the cyber landscape. Companies that own or operate these systems would gain additional “benefits” from the government, such as threat intelligence and liability protections, and assume additional “burdens,” such as incident reporting and security certification requirements.
SICI legislation would offer three main benefits, both before a cyberattack and in the event of one. First, to prevent attacks and incidents, SICI entities would receive relevant threat intelligence collected on foreign actors and tailored to the risk profile of the company. Second, in the event of an attack on one entity, the Secretary of Homeland Security would share relevant information with other companies operating critical infrastructure while protecting the victim company’s information. Finally, a company that has made a good-faith effort to comply with SICI performance standards would be granted safe harbor, insulating it from liability for damage caused by an attack on its systems.
But with those protections come mutually agreed-upon expectations. Under the legislation, private companies that own or operate SICI-designated systems would be required to meet a set of “performance standards” designed by the Department of Homeland Security and the National Institute of Standards and Technology (NIST). These standards, which would include third-party assessments, are meant to verify that the owners and operators of these systems are doing at least the minimum required to secure their assets.
This is not a one-size-fits-all solution, nor is it an additional layer of bureaucracy — it recognizes that not all companies are the same size, criticality, or maturity and many face existing regulations. The law takes into account these realities, ensuring that there is no undue burden in the pursuit of accountability.
Today, no such set of standards or benefits exists. Instead, there is a patchwork of sector-specific federal and state regulations, some of which (such as those governing the financial services and electricity sectors) largely pass muster, while others (such as those in the water sector) do not. As a result, some companies would already exceed any potential standard while a number of others would have work to do.
For companies whose current practices exceed SICI standards, the government would reward their cybersecurity investments with concrete legal liability protections. For the critical infrastructure providers that do not meet these standards, it ensures they would integrate cybersecurity into their decision making. Consequently, SICI legislation would work hand-in-hand with America’s critical infrastructure providers to establish mutual accountability and collaboration in a way not previously possible.
Americans depend on uninterrupted access to basic amenities like water, energy, and fuel to do the work necessary to keep this country running. The private sector and the federal government must collaborate in a truly joint effort to protect these valuable assets. Codifying cybersecurity standards for the most critical infrastructure and improving public-private relations in cybersecurity are essential steps toward ensuring that work can be done. In an era when malicious actors and adversarial states are attacking our infrastructure with record intensity, Congress must not fail to deliver on common-sense reforms that would secure the systems on which we all rely.