A newly introduced bipartisan bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) to create a special cyber program to test the nation’s critical infrastructure defenses to thwart cyber attacks.
The Cyber Exercise Act would also require CISA to assist state and local governments and private industry in assessing the safety and security of critical infrastructure. The measure, which comes on the heels of the high-profile, disabling Colonial Pipeline ransomware attack, amends the Homeland Security Act of 2002, which created the eponymous federal agency.
Specifically, the bill calls for the program to:
- Evaluate the National Cyber Incident Response Plan and other related plans.
- Simulate the “partial or complete incapacitation” of a government entity or critical infrastructure network.
- Develop post-incident action reports and plans that can incorporate lessons learned into future operations.
The program will also include a set of model exercises that government or private industry can adapt for their particular needs.
Representative Elissa Slotkin (D-MI) is the Act’s primary sponsor. Co-sponsors of the legislation include Reps. Mike Gallagher (R-WI); Jim Langevin (D-RI), the chairman of the House Armed Services Committee cyber subcommittee; and Andrew Garbarino (R-NY), the ranking member of the House Homeland Security Committee cyber subcommittee.
Slotkin sent a letter last week to eight owners and operators of major oil, gas, and petroleum pipelines in Michigan, in which she urged them to make the changes necessary to “ensure the cybersecurity of pipelines” they operate across the state, particularly in light of the Colonial Pipeline cyber attack.
“The proactive shutdown of the pipeline, as a result of the attack, has led to one of the most significant cyber-driven disruptions of U.S. energy infrastructure in our history, and serves as a clear reminder of the importance of cybersecurity to our daily lives,” Slotkin wrote. “I am particularly interested in understanding any resulting changes to your security policies, response plans or exercises, practices for sharing cyber threat information with government and industry partners, and/or the structure of your IT and operational systems,” she said.
Slotkin said she is a “firm believer” that the federal government needs to do more to neutralize the threat to the nation’s critical infrastructure posed by hackers. “We have to make sure the federal government is working hand-in-glove with state and local authorities and private industry to deter these attacks and minimize their impact,” she said in a statement.
The legislation was introduced two days after President Biden signed an executive order intended to strengthen U.S. cybersecurity.